author | Arno Töll <arno@debian.org> | 2013-03-14 02:02:32 +0100 |
---|---|---|
committer | Arno Töll <arno@debian.org> | 2013-03-14 02:23:38 +0100 |
commit | 4bf6e58e2d37b669339762a5bc15488ed29141c5 (patch) | |
tree | 789007656164882ef43f58828a18c65acc81481d | |
parent | 018d43feb1e0cd33cb92a2b689e1d9bb3af96c67 (diff) | |
Fix PHP socket configuration weakness
-rw-r--r-- | debian/NEWS | 18 | ||||
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/conf-available/15-fastcgi-php.conf | 2 |
3 files changed, 24 insertions, 3 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 33cb310..69c120b 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,21 @@
+lighttpd (1.4.31-4) unstable; urgency=high
+
+ The default Debian configuration file for PHP invoked from FastCGI was
+ vulnerable to local symlink attacks and race conditions when an attacker
+ manages to control the PHP socket file (/tmp/php.socket up to 1.4.31-3)
+ before the web server started. Possibly the web server could have been
+ tricked to use a forged PHP.
+
+ The problem lies in the configuration, thus this update will fix the problem
+ only if you did not modify the file /etc/lighttpd/conf-available/15-fastcgi-php.conf
+ If you did, dpkg will not overwrite your changes. Please make sure to set
+
+ "socket" => "/var/run/lighttpd/php.socket"
+
+ yourself in that case.
+
+ -- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 01:57:42 +0100
+
 lighttpd (1.4.30-1) unstable; urgency=medium
 This releases includes an option to force Lighttpd to honor the cipher order
diff --git a/debian/changelog b/debian/changelog
index a77da66..231841b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,12 @@
-lighttpd (1.4.31-4) UNRELEASED; urgency=low
+lighttpd (1.4.31-4) unstable; urgency=high
+ * CVE-XXXX-XXXX: Switch the socket path for PHP when using FastCGI. /tmp is
+ world-writable which may cause security implications if an attacker
+ manages to control /tmp/php.sock before the web server (re-)starts.
 * Switch VCS to git
 * Push standards version (no changes)
- -- Arno Töll <arno@debian.org> Wed, 21 Nov 2012 23:13:23 +0100
+ -- Arno Töll <arno@debian.org> Thu, 14 Mar 2013 02:20:07 +0100
 lighttpd (1.4.31-3) unstable; urgency=high
diff --git a/debian/conf-available/15-fastcgi-php.conf b/debian/conf-available/15-fastcgi-php.conf
index 60822a9..cea11c2 100644
--- a/debian/conf-available/15-fastcgi-php.conf
+++ b/debian/conf-available/15-fastcgi-php.conf
@@ -6,7 +6,7 @@
 fastcgi.server += ( ".php" =>
 ((
 "bin-path" => "/usr/bin/php-cgi",
- "socket" => "/tmp/php.socket",
+ "socket" => "/var/run/lighttpd/php.socket",
 "max-procs" => 1,
 "bin-environment" => (
 "PHP_FCGI_CHILDREN" => "4", |
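Review bot: The new `socket` path only removes the /tmp race if /var/run/lighttpd exists before php-cgi is spawned and is writable by the lighttpd user alone; the diffstat shows only NEWS, the changelog and this conf file changed, so nothing in this commit creates or restricts that directory, and where /var/run is a tmpfs it will be missing after a reboot unless the init script already creates it (not visible from here). A comment above the `socket` line would make that dependency explicit, e.g. `# The socket directory must exist, be owned by the lighttpd user and not be writable by others; a shared or world-writable directory reintroduces the symlink race that moving off /tmp avoids.` It is also worth confirming the directory mode, not just its ownership, since a group- or world-writable /var/run/lighttpd would give a local user the same pre-creation attack this change closes. The enclosing `fastcgi.server` block continues past the end of the hunk.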