A underflow in env_path_info in PHP-FPM under certain configurations can be exploited to gain remote code execution.
[ 1 ] CVE-2019-11043 https://nvd.nist.gov/vuln/detail/CVE-2019-11043
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201910-01
style>.gentoo_availability{display:block;}
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
Get the latest Linux and open source security news straight to your inbox.
If patching is not feasible, the suggested workaround is to include checks to verify whether or not a file exists before passing to PHP.