linuxserver / docker-bookstack

A Docker container for the BookStack documentation wiki
GNU General Public License v3.0
797 stars 109 forks

CVE-2019-11043: PHP-FPM arbitrary code execution vulnerability #49

Closed ntimo closed 5 years ago

ntimo commented 5 years ago

There is a new PHP/nginx vulnerability that might affect docker-bookstack.

PHP bugtracker: https://bugs.php.net/bug.php?id=78599
Exploit PoC: https://github.com/neex/phuip-fpizdam
An example vulnerable docker-compose env: https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043

The solution according to this article is:

> On October 24, PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable) were released to address this vulnerability along with other scheduled bug fixes. Those using nginx with PHP-FPM are encouraged to upgrade to a patched version as soon as possible.
>
> If patching is not feasible, the suggested workaround is to include checks to verify whether or not a file exists. This is achieved either by including the `try_files` directive or using an `if` statement, such as `if (-f $uri)`.

This is how Nextcloud handles the issue: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
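
The workaround quoted above, as an added example that is not part of the issue or of the linuxserver image: a PHP-FPM `location` block in the shape that is exposed to CVE-2019-11043, followed by the same block with the `try_files` existence check the advisory text recommends. The location regex, the `php:9000` upstream name and the `$path_info` variable name are assumptions for illustration.

```nginx
# BEFORE (vulnerable shape, assumed for illustration): PATH_INFO is derived
# from the request URL and handed to PHP-FPM even when no such script exists
# on disk. An encoded newline in the URL makes the split regex fail, so
# PATH_INFO is passed empty, which is the condition the CVE relies on.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;   # assumed upstream name
}

# AFTER (hardened): refuse the request with 404 unless the script exists.
# try_files re-evaluates the location, which clears $fastcgi_path_info,
# so the captured value is saved into $path_info before the check.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_pass php:9000;   # assumed upstream name
}
```

The `set $path_info` line is the part most often missed: without it, PHP applications that route on PATH_INFO break after `try_files` is added. The check is a mitigation only; the quoted advisory still expects the PHP-FPM package itself to be upgraded.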

j0nnymoe commented 5 years ago

Already tracking it here: https://github.com/linuxserver/docker-nextcloud/issues/115.

Once the package has been backported to 3.10, the container will get updated.

ntimo commented 5 years ago

@j0nnymoe the new php alpine package is available.
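
Once the image has been rebuilt, the practical question is whether the PHP inside the running container is at or past the fix release. The following POSIX sh check is an added example, not part of the issue or of the linuxserver image. The fixed versions (7.3.11 and 7.2.24) come from the PHP release note quoted in the issue; the assumptions that branches newer than 7.3 are patched and that 7.1 and older received no fix, and the container name `bookstack`, are mine.

```sh
#!/bin/sh
# Added example (not from the issue or the linuxserver image): decide whether a
# PHP version string is at or past the release that fixed CVE-2019-11043.
# Fixed releases per the PHP release note quoted in the issue: 7.3.11 and 7.2.24.
# Assumptions: branches newer than 7.3 (7.4 and up) shipped after the fix and are
# treated as patched; 7.1 and older were end-of-life and got no fix.
# Exit status 0 = patched, 1 = vulnerable or unparseable.
php_fixed_for_cve_2019_11043() {
    ver=$1
    # Require at least major.minor; a bare "7" is ambiguous, treat as unknown.
    case $ver in
        *.*) ;;
        *)   return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    # Tolerate suffixes such as "7.3.11-r0" (Alpine package) or "7.3.11RC1".
    patch=${patch%%[!0-9]*}
    [ -z "$patch" ] && patch=0
    # Every component must be plain digits before a numeric comparison.
    for n in "$major" "$minor" "$patch"; do
        case $n in
            ''|*[!0-9]*) return 1 ;;
        esac
    done
    if [ "$major" -gt 7 ]; then return 0; fi
    if [ "$major" -lt 7 ]; then return 1; fi
    if [ "$minor" -ge 4 ]; then return 0; fi
    if [ "$minor" -eq 3 ] && [ "$patch" -ge 11 ]; then return 0; fi
    if [ "$minor" -eq 2 ] && [ "$patch" -ge 24 ]; then return 0; fi
    return 1
}

# Read PHP_VERSION from a running container and report. The container name is
# an assumption; for the linuxserver image it is whatever you named the service.
# Usage: check_container_php bookstack
check_container_php() {
    v=$(docker exec "$1" php -r 'echo PHP_VERSION;') || return 2
    if php_fixed_for_cve_2019_11043 "$v"; then
        echo "$1: PHP $v is at or past the CVE-2019-11043 fix release"
    else
        echo "$1: PHP $v still needs the CVE-2019-11043 fix"
        return 1
    fi
}
```

The version check only tells you the interpreter was rebuilt from a fixed release; it does not confirm the nginx `try_files` workaround is in place, so keep both checks if the container was patched by hand rather than rebuilt.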