==========================================================================
Ubuntu Security Notice USN-4166-1
October 28, 2019
php7.0, php7.2, php7.3 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 19.10
– Ubuntu 19.04
– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS
Summary:
PHP could be made to run programs if it received specially crafted network
traffic.
Software Description:
– php7.3: HTML-embedded scripting language interpreter
– php7.2: HTML-embedded scripting language interpreter
– php7.0: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled certain paths when being
used in FastCGI configurations. A remote attacker could possibly use this
issue to execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.10:
libapache2-mod-php7.3 7.3.11-0ubuntu0.19.10.1
php7.3-cgi 7.3.11-0ubuntu0.19.10.1
php7.3-cli 7.3.11-0ubuntu0.19.10.1
php7.3-fpm 7.3.11-0ubuntu0.19.10.1
Ubuntu 19.04:
libapache2-mod-php7.2 7.2.24-0ubuntu0.19.04.1
php7.2-cgi 7.2.24-0ubuntu0.19.04.1
php7.2-cli 7.2.24-0ubuntu0.19.04.1
php7.2-fpm 7.2.24-0ubuntu0.19.04.1
Ubuntu 18.04 LTS:
libapache2-mod-php7.2 7.2.24-0ubuntu0.18.04.1
php7.2-cgi 7.2.24-0ubuntu0.18.04.1
php7.2-cli 7.2.24-0ubuntu0.18.04.1
php7.2-fpm 7.2.24-0ubuntu0.18.04.1
Ubuntu 16.04 LTS:
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.7
php7.0-cgi 7.0.33-0ubuntu0.16.04.7
php7.0-cli 7.0.33-0ubuntu0.16.04.7
php7.0-fpm 7.0.33-0ubuntu0.16.04.7
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4166-1
CVE-2019-11043
Package Information:
https://launchpad.net/ubuntu/+source/php7.3/7.3.11-0ubuntu0.19.10.1
https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.19.04.1
https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.7
—–BEGIN PGP SIGNATURE—–
iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAl23NiYACgkQZWnYVadE
vpP8zw/8CmzGFSBnUB7s5TJGAkXNUFgqAIU5F5cB+FSMiR3JkYJZnoUq7s1gOMly
aPujR9kQeRolkIBD83vUiBSS14geaufFKBcYjFmENf/heHD4XHWXSdELkPHUH5Fq
zSxm5PowoCpevimnr6rnVNhq2TLbE9WOQj7doR0WTVJGeSKmhDotuFpXV7mlQDCA
RCtSNnc/ym+1PIX9Xfu1WUalBFvdNAPR9KDrI1KoXwjf6eULfANMtQTl4utMsUo9
Yn3mfBjTNeuqRTgTJ9VZUPO64LzfjUSgEWYwOq//5emI1JAAsleuk6GHTV9CvgaP
RTyrvO49y3Y6yup3nGLAsEfJg3ohvoM5XafHirGqOL/b0d7e4mdYLM/lYwZ6DBpC
l+C/hawJkQUGpVFT5CmdUmwhVJlb0/MHKCHjmOPlG5ZPjVIavc6ulsUdITpvPR67
U/OYaf0I6Iok17N7jhq/kCUIuxtnK9rTriymc+BN2xmbq/s9ZETEGoMm/UrTsvpn
3XcKa5wd46bL7a80c14+NluWDjxx9qhmgbtxG1OsrEY07UC3Pg6ZqHi2oQQ5vq5B
ejzZB1b7dR0Mp5E7gkdQ/K+vNu3emxhICIUNMjDBcWjvLCWi1XPabaHNcNxmjvJn
UGTHnvOF+0a7HeoTuCS0WljJa5s2Ei6/xOj8N7NYKbQWv6p4sPM=
=EbWd
—–END PGP SIGNATURE—–
—