Incoming details.
In certain php-fpm configurations, a underflow in env_path_info() from fpm_main.c could lead to RCE. See $URL for details.
since this issue impact nextCloud and probably ownCloud instances, can we get to making it stable? [note, working properly on amd64, unmasked]
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a96c94f084d79006c5e245bd870acb362c1a4dc commit 1a96c94f084d79006c5e245bd870acb362c1a4dc Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2019-10-24 23:35:14 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2019-10-24 23:35:27 +0000 dev-libs/oniguruma: security cleanup Bug: https://bugs.gentoo.org/698452 Package-Manager: Portage-2.3.78, Repoman-2.3.17 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-libs/oniguruma/oniguruma-6.9.3-r1.ebuild | 34 ---------------------------- 1 file changed, 34 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aff9ca0ff462c2583d1b6fb02aa6866f0d1946fa commit aff9ca0ff462c2583d1b6fb02aa6866f0d1946fa Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2019-10-24 23:34:40 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2019-10-24 23:35:26 +0000 dev-libs/oniguruma: move stable keywords Bug: https://bugs.gentoo.org/698452 Package-Manager: Portage-2.3.78, Repoman-2.3.17 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-libs/oniguruma/oniguruma-6.9.3-r2.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
amd64 stable
This issue was resolved and addressed in GLSA 201910-01 at https://security.gentoo.org/glsa/201910-01 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
x86 stable
ppc stable
ppc64 stable
sparc stable
hppa stable
arm stable
Please correct the GLSA as PHP 5 series is not affected.
(In reply to Tomek L from comment #13) > Please correct the GLSA as PHP 5 series is not affected. Php 5 is EOL and should not be used.
PHP 5 _is_ affected -- GLSA is correct. There's a backport https://github.com/microsoft/php-src/commit/c69bcb212b37900fd61daaf38762e4974cb4dcc9 ... but I don't think Gentoo will do another PHP 5 release. It's scheduled for removal.
arm64 stable
ia64 stable. Maintainer(s), please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bb9c52d57dd7694ae6695b844d3bb16fb1bc733 commit 3bb9c52d57dd7694ae6695b844d3bb16fb1bc733 Author: Brian Evans <grknight@gentoo.org> AuthorDate: 2019-11-14 19:50:29 +0000 Commit: Brian Evans <grknight@gentoo.org> CommitDate: 2019-11-14 19:50:29 +0000 dev-lang/php: Security cleanup for vulnerable versions Bug: https://bugs.gentoo.org/698452 Package-Manager: Portage-2.3.79, Repoman-2.3.18 Signed-off-by: Brian Evans <grknight@gentoo.org> dev-lang/php/Manifest | 3 - dev-lang/php/php-7.1.32.ebuild | 736 ---------------------------------------- dev-lang/php/php-7.2.22.ebuild | 748 ---------------------------------------- dev-lang/php/php-7.3.9.ebuild | 749 ----------------------------------------- 4 files changed, 2236 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46ffc05beb6a90b4207adab9f5b7d989fdc2b5c9 commit 46ffc05beb6a90b4207adab9f5b7d989fdc2b5c9 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2019-11-19 10:34:33 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2019-11-19 10:44:37 +0000 dev-lang/php: security bump Bug: https://bugs.gentoo.org/698452 Package-Manager: Portage-2.3.79, Repoman-2.3.18 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-lang/php/Manifest | 2 +- dev-lang/php/{php-5.6.40-r6.ebuild => php-5.6.40-r7.ebuild} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
All done, repository is clean!