ius-community team mailing list archive

php{53u,54,55u}-fpm and CVE-2014-0185

 

If you are using php{53u,54,55u}-fpm with socket files, this message is for you.

The default FPM configuration is to listen on a TCP socket.  FPM can also be configured to listen on a socket file.  Recently, upstream patched a CVE [1][2] regarding using socket files.  Previously, the default permissions of the socket file were 0666; they have since been restricted to 0660.  This fix was released with 5.4.28 and 5.5.12.  The fix has not (yet) been applied to the upstream 5.3.

To keep in line with upstream, the IUS team recently pushed new builds of php 5.4 and 5.5.  We also made the decision to backport the CVE fix to 5.3 ourselves.

php53u-5.3.28-3.ius
php54-5.4.28-1.ius
php55u-5.5.12-1.ius

However, we are getting some reports that users are running into issues with fpm after this update.  The most likely cause is a mismatch between the owner of the socket and the user the webserver is running as.  If you are having issues with FPM, please review these settings in your configuration file.

user
group
listen.owner
listen.group
listen.mode

[1] https://access.redhat.com/security/cve/CVE-2014-0185
[2] https://bugs.php.net/bug.php?id=67060

Respectfully,
Carl George
OS Deployment Services, RPMDEV
Rackspace Hosting & IUS Community
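
The following is an added example, not part of the original message or of the IUS packages: a Python check that reads the five settings listed above from a pool file and reports both a world-writable socket and a web server user that cannot connect after the 0660 change. The pool contents, socket path, the `php-fpm` and `nginx` account names, and the `root` fallback for an unset `listen.owner`/`listen.group` are assumptions made for illustration.

```python
import re

# Constructed pool file: socket owned by "php-fpm", web server assumed to run as "nginx".
SAMPLE_POOL = """
[www]
user = php-fpm
group = php-fpm
listen = /var/run/php-fpm/www.sock
;listen.mode = 0666
listen.owner = php-fpm
listen.group = php-fpm
listen.mode = 0660
"""

def parse_pool(text):
    """Return the directives of a pool file as a dict (';' starts a comment)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit_socket(settings, web_user, web_groups, default_owner="root"):
    """List findings for a pool listening on a socket file; [] means OK or TCP."""
    listen = settings.get("listen", "")
    if not listen.startswith("/"):
        return []  # TCP listener: socket file permissions do not apply
    # Assumption: an unset owner/group falls back to the master's user (root here).
    owner = settings.get("listen.owner", default_owner)
    group = settings.get("listen.group", default_owner)
    mode = int(settings.get("listen.mode", "0660"), 8)  # 0660 is the patched default
    findings = []
    if mode & 0o002:
        findings.append("world-writable socket: any local user can connect")
    # On Linux, connect() on a socket file needs write permission; the first
    # matching class (owner, then group, then other) decides, as for any file.
    if web_user == owner:
        allowed = mode & 0o200
    elif group in web_groups:
        allowed = mode & 0o020
    else:
        allowed = mode & 0o002
    if not allowed:
        findings.append(f"{web_user} cannot connect to {listen} "
                        f"({owner}:{group} {mode:04o})")
    return findings
```

Pass the account and group set the web server actually runs with; an empty list means the socket is neither world-writable nor unreachable for that account.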