YOURLS/images

CVE-2019-11043 PHP+Nginx remote code execution

fletchto99 opened this issue · 2 comments

Hi, I was wondering, is this docker vulnerable to CVE-2019-11043?

It looks like PHP 7.3.11 patches it (released today), along with a few nginx config changes. Nextcloud wrote up a good article about the issue as well as fixes for it: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/

I just wanted to make sure YOURLS isn't also vulnerable. This wouldn't be a bug in YOURLS necessarily but rather the way the container is set up (I haven't had time to investigate myself yet).

Thanks!

Thanks for opening this issue @fletchto99.

That said, as the article explains, the vulnerability comes from nginx with fpm.
YOURLS docker images don't deliver nginx themselves.

The base PHP image is automatically updated on the Docker Hub.

Great! Thanks for the swift response. Glad to hear the yourls container isn't affected.