Debian PHP security advisory

Discussion in 'ISPConfig 3 Priority Support' started by Norman, Jun 2, 2014.

  1. Norman

    Norman Member

    Code:
    php5 (5.4.4-14+deb7u9) stable; urgency=medium
    
      * The default PHP FPM socket permission has been changed from 0666
        to 0660 to mitigate security vulnerability (CVE-2014-0185) in PHP
        FPM that allowed any local user to run a PHP code under the active
        user of FPM process via crafted FastCGI client.
    
        The default Debian setup now correctly sets the listen.owner and
        listen.group to www-data:www-data in default php-fpm.conf.  If you
        have more FPM instances or a webserver not running under www-data
        user you need to adjust the configuration of FPM pools in
        /etc/php5/fpm/pool.d/ so the accessing process has rights to
        access the socket.
    Will this affect standard ISPconfig 3 virtual hosts ?
    Anything we need to do on our ends?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Just install the update with apt and then restart php-fpm and apache/nginx.
     

Share This Page