CVE-2019-11043

Published: 24 October 2019

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Notes

Author	Note
sbeattie	PEAR issues should go against php-pear as of xenial

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
php5 Launchpad, Ubuntu, Debian	bionic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	precise	Released (5.3.10-1ubuntu3.40)
	trusty	Released (5.5.9+dfsg-1ubuntu4.29+esm6)
	upstream	Needs triage
	xenial	Does not exist
	Patches: upstream: https://github.com/microsoft/php-src/commit/c69bcb212b37900fd61daaf38762e4974cb4dcc9
php7.0 Launchpad, Ubuntu, Debian	bionic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Released (7.0.33-0ubuntu0.16.04.7)
	Patches: upstream: http://git.php.net/?p=php-src.git;a=commit;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a (7.1)
php7.2 Launchpad, Ubuntu, Debian	bionic	Released (7.2.24-0ubuntu0.18.04.1)
	disco	Released (7.2.24-0ubuntu0.19.04.1)
	eoan	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (7.2.24)
	xenial	Does not exist
	Patches: upstream: http://git.php.net/?p=php-src.git;a=commit;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a
php7.3 Launchpad, Ubuntu, Debian	bionic	Does not exist
	disco	Does not exist
	eoan	Released (7.3.11-0ubuntu0.19.10.1)
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (7.3.11)
	xenial	Does not exist
	Patches: upstream: http://git.php.net/?p=php-src.git;a=commit;h=19e17d3807e6cc0b1ba9443ec5facbd33a61f8fe

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›