
Debian: DSA-2943-1 Critical: PHP5 Socket Permissions Fix

June 1, 2014

Debian DSA-2943-1 addresses several vulnerabilities in PHP5. The most serious, CVE-2014-0185, is a PHP-FPM Unix socket created with world-writable permissions; the update tightens the default socket mode and also fixes denial-of-service bugs in the fileinfo module.

Summary

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development:

CVE-2014-0185

The default PHP-FPM socket permission has been changed from 0666
to 0660 to mitigate a security vulnerability (CVE-2014-0185) in PHP-FPM
that allowed any local user to run PHP code as the user of the FPM
process via a crafted FastCGI client.

The default Debian setup now correctly sets listen.owner and
listen.group to www-data:www-data in the default php-fpm.conf. If you
have additional FPM instances, or a web server that does not run as the
www-data user, you need to adjust the configuration of the FPM pools in
/etc/php5/fpm/pool.d/ so that the process connecting to the socket has
the rights to access it.
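To check a wheezy host against the configuration described above, here is an added shell example, not taken from the advisory or the php5 package. It audits pool files in the style of /etc/php5/fpm/pool.d/ for an explicit listen.mode and for listen.owner/listen.group, inspects the mode of a live socket path, and compares the installed php5-fpm version with 5.4.4-14+deb7u10 using dpkg where it is available. The sample pool files it writes to a temporary directory are constructed for illustration: the weak one carries the pre-update 0666 default beside the corrected 0660 setting, and a third pool leaves listen.mode unset to show the case that silently depends on the packaged default.

```shell
#!/bin/sh
# Added example, not part of DSA-2943-1 or the php5 package: audit php5-fpm
# pool files and the live socket for the world-accessible mode behind
# CVE-2014-0185. Sample pool contents and paths are constructed.

# Effective listen.mode of a pool file: the last uncommented assignment
# wins, as in php-fpm's ini parsing. Prints nothing when the key is absent.
pool_listen_mode() {
    sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\([0-7]\{3,4\}\).*/\1/p' "$1" | tail -n 1
}

# listen.owner and listen.group of a pool file as owner:group ("none" if unset).
pool_listen_ident() {
    o=$(sed -n 's/^[[:space:]]*listen\.owner[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1)
    g=$(sed -n 's/^[[:space:]]*listen\.group[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1)
    echo "${o:-none}:${g:-none}"
}

# 0 if an octal mode grants nothing to "other", 1 if it does.
mode_is_restricted() {
    case "$1" in
        *0) return 0 ;;   # last octal digit 0: no world r/w/x bits
        *)  return 1 ;;
    esac
}

# Classify a pool file: prints restricted / world-accessible / unset and
# returns 0 / 1 / 2. "unset" relies on the packaged default, which this
# update changes from 0666 to 0660.
audit_pool_config() {
    m=$(pool_listen_mode "$1")
    if [ -z "$m" ]; then
        echo unset; return 2
    elif mode_is_restricted "$m"; then
        echo restricted; return 0
    else
        echo world-accessible; return 1
    fi
}

# Mode of a live socket (or any path): ls -l columns 8-10 are the "other"
# bits, which keeps this portable between GNU and BSD ls.
audit_socket_path() {
    [ -e "$1" ] || { echo missing; return 3; }
    other=$(ls -ld "$1" | cut -c8-10)
    case "$other" in
        ---) echo restricted; return 0 ;;
        *)   echo "world-accessible ($other)"; return 1 ;;
    esac
}

# Installed php5-fpm at or past the fixed wheezy version? Returns 2 where
# dpkg is unavailable (non-Debian host) or the package is not installed.
php5_fpm_is_fixed() {
    command -v dpkg >/dev/null 2>&1 || return 2
    v=$(dpkg-query -W -f '${Version}' php5-fpm 2>/dev/null) || return 2
    dpkg --compare-versions "$v" ge 5.4.4-14+deb7u10
}

# Constructed stand-ins for /etc/php5/fpm/pool.d/*.conf, written into $1.
make_sample_pools() {
    cat > "$1/weak.conf" <<'EOF'
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
; pre-update default: any local user may connect and send FastCGI records
listen.mode = 0666
EOF
    cat > "$1/fixed.conf" <<'EOF'
[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
; updated default: only the web server's user and group may connect
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
EOF
    cat > "$1/unset.conf" <<'EOF'
[legacy]
listen = /var/run/php5-fpm-legacy.sock
EOF
}

demo_dir=$(mktemp -d)
make_sample_pools "$demo_dir"
for p in weak fixed unset; do
    printf '%-6s mode=%-5s owner:group=%-18s -> %s\n' "$p" \
        "$(pool_listen_mode "$demo_dir/$p.conf")" \
        "$(pool_listen_ident "$demo_dir/$p.conf")" \
        "$(audit_pool_config "$demo_dir/$p.conf")"
done
printf 'live socket /var/run/php5-fpm.sock -> %s\n' "$(audit_socket_path /var/run/php5-fpm.sock)"
rm -rf "$demo_dir"
```

A pool that reports "unset" is only safe once the fixed package is installed, which is why the version check sits beside the config audit; a pool whose listen.group is not the web server's group will fail with 0660 until the group is corrected, which is the adjustment the advisory asks for on hosts where the web server does not run as www-data.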

CVE-2014-0237 / CVE-2014-0238

Denial of service in the CDF parser of the fileinfo module.

CVE-2014-2270

Denial of service in the fileinfo module.

For the stable distribution (wheezy), these problems have been fixed in
version 5.4.4-14+deb7u10.

...


Severity
critical

Package: php5
CVE ID: CVE-2014-0185 CVE-2014-0237 CVE-2014-0238 CVE-2014-2270
