CVE-2019-11043

Published: 24 October 2019

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
php5 Launchpad, Ubuntu, Debian	Upstream	Needs triage




	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (5.5.9+dfsg-1ubuntu4.29+esm6)
	Patches: Upstream: https://github.com/microsoft/php-src/commit/c69bcb212b37900fd61daaf38762e4974cb4dcc9
php7.0 Launchpad, Ubuntu, Debian	Upstream	Needs triage




	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (7.0.33-0ubuntu0.16.04.7)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: http://git.php.net/?p=php-src.git;a=commit;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a (7.1)
php7.2 Launchpad, Ubuntu, Debian	Upstream	Released (7.2.24)




	Ubuntu 18.04 LTS (Bionic Beaver)	Released (7.2.24-0ubuntu0.18.04.1)
	Ubuntu 16.04 ESM (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: http://git.php.net/?p=php-src.git;a=commit;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a
php7.3 Launchpad, Ubuntu, Debian	Upstream	Released (7.3.11)




	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 ESM (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: http://git.php.net/?p=php-src.git;a=commit;h=19e17d3807e6cc0b1ba9443ec5facbd33a61f8fe

Notes

Author	Note
sbeattie	PEAR issues should go against php-pear as of xenial

CVE-2019-11043

Medium

Status

Notes

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading