File: php5-fpm.NEWS

package info (click to toggle)
php5 5.6.33%2Bdfsg-0%2Bdeb8u1
  • links: PTS, VCS
  • area: main
  • in suites: jessie
  • size: 157,872 kB
  • sloc: ansic: 756,065; php: 22,030; sh: 12,311; cpp: 8,771; xml: 6,179; yacc: 1,564; exp: 1,514; makefile: 1,467; pascal: 1,147; awk: 538; perl: 315; sql: 22
file content (16 lines) | stat: -rw-r--r-- 743 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
 
php5 (5.5.12+dfsg-2) unstable; urgency=medium

  * The default PHP FPM socket permission has been changed from 0666
    to 0660 to mitigate security vulnerability (CVE-2014-0185) in PHP
    FPM that allowed any local user to run a PHP code under the active
    user of FPM process via crafted FastCGI client.

    The default Debian setup now correctly sets the listen.owner and
    listen.group to www-data:www-data in default php-fpm.conf.  If you
    have more FPM instances or a webserver not running under www-data
    user you need to adjust the configuration of FPM pools in
    /etc/php5/fpm/pool.d/ so the accessing process has rights to
    access the socket.

 -- Ondřej Surý <ondrej@debian.org>  Mon, 12 May 2014 14:23:05 +0200