USN-4166-1: PHP vulnerability

28 October 2019

PHP could be made to run programs if it received specially crafted network traffic.

Releases

Packages

  • php7.0 - HTML-embedded scripting language interpreter
  • php7.2 - HTML-embedded scripting language interpreter
  • php7.3 - HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled certain paths when being
used in FastCGI configurations. A remote attacker could possibly use this
issue to execute arbitrary code.

Related notices

  • USN-4166-2: php5-cli, php5-fpm, php5-cgi, libapache2-mod-php5, php5