File: php5-fpm.NEWS

package info (click to toggle)
php5 5.6.7%2Bdfsg-1
  • links: PTS, VCS
  • area: main
  • in suites: jessie-kfreebsd
  • size: 150,376 kB
  • sloc: ansic: 727,510; php: 21,966; sh: 12,356; cpp: 8,763; xml: 6,105; yacc: 1,551; exp: 1,514; makefile: 1,461; pascal: 1,048; awk: 538; perl: 315; sql: 22
file content (16 lines) | stat: -rw-r--r-- 743 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
 
php5 (5.5.12+dfsg-2) unstable; urgency=medium

  * The default PHP FPM socket permission has been changed from 0666
    to 0660 to mitigate security vulnerability (CVE-2014-0185) in PHP
    FPM that allowed any local user to run a PHP code under the active
    user of FPM process via crafted FastCGI client.

    The default Debian setup now correctly sets the listen.owner and
    listen.group to www-data:www-data in default php-fpm.conf.  If you
    have more FPM instances or a webserver not running under www-data
    user you need to adjust the configuration of FPM pools in
    /etc/php5/fpm/pool.d/ so the accessing process has rights to
    access the socket.

 -- Ondřej Surý <ondrej@debian.org>  Mon, 12 May 2014 14:23:05 +0200