Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2019-11043 CVE-2019-11043

Source

Debian Bug report logs - #943468
php-fpm: CVE-2019-11043: Vulnerability in PHP-FPM Could Lead to Remote Code Execution on nginx

Package: src:php7.3; Maintainer for src:php7.3 is Debian PHP Maintainers <team+pkg-php@tracker.debian.org>;

Reported by: Tobias Frost <tobi@debian.org>

Date: Fri, 25 Oct 2019 07:24:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Merged with 943764

Found in version php7.3/7.3.10-1

Fixed in version php7.3/7.3.11-1~deb10u1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>:
Bug#943468; Package php7.3-fpm. (Fri, 25 Oct 2019 07:24:05 GMT) (full text, mbox, link).

Acknowledgement sent to Tobias Frost <tobi@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>. (Fri, 25 Oct 2019 07:24:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: php7.3-fpm
Severity: normal
Tags: security fixed-upstream

I've got this info via nextcloud notification:
https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

Some more details are here:
https://de.tenable.com/blog/cve-2019-11043-vulnerability-in-php-fpm-could-lead-to-remote-code-execution-on-nginx

I'm not sure about the severity, please adjust if necessary.

--
tobi


-- System Information:
Debian Release: bullseye/sid
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages php7.3-fpm depends on:
ii  libapparmor1    2.13.3-4
ii  libargon2-1     0~20171227-0.2
ii  libc6           2.28-10
ii  libmagic1       1:5.37-5
ii  libpcre2-8-0    10.32-5
ii  libsodium23     1.0.17-1
ii  libssl1.1       1.1.1d-0+deb10u2
ii  libsystemd0     241-7
ii  libxml2         2.9.4+dfsg1-7+b3
ii  mime-support    3.62
pn  php7.3-cli      <none>
pn  php7.3-common   <none>
pn  php7.3-json     <none>
pn  php7.3-opcache  <none>
ii  tzdata          2019b-1
ii  ucf             3.0038+nmu1
ii  zlib1g          1:1.2.11.dfsg-1

php7.3-fpm recommends no packages.

Versions of packages php7.3-fpm suggests:
pn  php-pear  <none>

Bug 943468 cloned as bug 943502 Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Fri, 25 Oct 2019 14:54:03 GMT) (full text, mbox, link).

Bug 943468 cloned as bug 943503 Request was from Tobias Frost <tobi@debian.org> to control@bugs.debian.org. (Fri, 25 Oct 2019 14:54:05 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <team+pkg-php@tracker.debian.org>:
Bug#943468; Package php7.3-fpm. (Fri, 25 Oct 2019 15:15:04 GMT) (full text, mbox, link).

Acknowledgement sent to Tobias Frost <tobi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <team+pkg-php@tracker.debian.org>. (Fri, 25 Oct 2019 15:15:04 GMT) (full text, mbox, link).

Message #14 received at 943468@bugs.debian.org (full text, mbox, reply):

Severity -1 grave

(Normal severity was not my intention, IMHO this is RC; if you disagree
please downgraded it)

Bug reassigned from package 'php7.3-fpm' to 'src:php7.3'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Nov 2019 14:27:06 GMT) (full text, mbox, link).

Marked as found in versions php7.3/7.3.10-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Nov 2019 14:27:07 GMT) (full text, mbox, link).

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Nov 2019 14:27:07 GMT) (full text, mbox, link).

Severity set to 'grave' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Nov 2019 14:27:08 GMT) (full text, mbox, link).

Marked as fixed in versions php7.3/7.3.11-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Nov 2019 14:27:10 GMT) (full text, mbox, link).

Merged 943468 943764 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 03 Nov 2019 14:27:11 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 8 19:26:18 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

php-fpm: CVE-2019-11043: Vulnerability in PHP-FPM Could Lead to Remote Code Execution on nginx

Debian Bug report logs - #943468
php-fpm: CVE-2019-11043: Vulnerability in PHP-FPM Could Lead to Remote Code Execution on nginx

Vulmon Search

About

Products

Connect

php-fpm: CVE-2019-11043: Vulnerability in PHP-FPM Could Lead to Remote Code Execution on nginx

Debian Bug report logs - #943468 php-fpm: CVE-2019-11043: Vulnerability in PHP-FPM Could Lead to Remote Code Execution on nginx

Vulmon Search

About

Products

Connect

Debian Bug report logs - #943468
php-fpm: CVE-2019-11043: Vulnerability in PHP-FPM Could Lead to Remote Code Execution on nginx