Bug 25024 - php-fpm file for apache is in wrong order
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-30 15:57 CEST by Marc Krämer
Modified: 2019-08-10 02:17 CEST

See Also:
Source RPM: php-7.3.6-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description Marc Krämer 2019-06-30 15:57:53 CEST
From dev-ml:

Right now PHP won't work on the webserver because the files are being loaded out of order. This is a possible security issue because the current configuration is leaking out source code for the php files.

The problem is that the 00-php-fpm.conf file is being loaded before the modules are loaded. The fix is renaming 00-php-fpm.conf to 10-php-fpm.conf so that it's loaded after the modules are loaded.
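
The load-order condition described in this report can be checked mechanically. The script below is an added example, not part of the bug report or of Mageia's packaging: it walks a directory of Apache snippets in the order a wildcard include reads them and flags any `<IfModule>` test that is read before the matching `LoadModule` line. The sample file `05-proxy.conf`, the `<IfModule>` wrapper and the handler line are constructed assumptions, since the page does not show the contents of `00-php-fpm.conf`.

```shell
#!/bin/sh
# Added example (not Mageia's packaging): find <IfModule> tests that are
# read before the LoadModule line for the same module.

check_load_order() {   # $1 = directory included with a *.conf wildcard
    ( cd "$1" || exit 2
      LC_ALL=C; export LC_ALL            # byte-wise sort: 00- < 05- < 10-
      set -- *.conf
      [ -e "$1" ] || exit 0
      awk '
        # Heuristic: mod_foo.c and foo_module both name module "foo".
        function norm(n) {
            sub(/^!/, "", n); sub(/^mod_/, "", n)
            sub(/\.c$/, "", n); sub(/_module$/, "", n); return n
        }
        { line = $0; sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^<ifmodule[ \t]/ {
            n = line; sub(/^[^ \t]+[ \t]+/, "", n); sub(/>.*/, "", n)
            n = norm(n)
            if (!(n in loaded)) pending[n] = pending[n] " " FILENAME
        }
        tolower(line) ~ /^loadmodule[ \t]/ {
            split(line, f, /[ \t]+/); n = norm(f[2]); loaded[n] = 1
            if (n in pending) {
                printf "%s: loaded in %s but tested earlier in:%s\n",
                       f[2], FILENAME, pending[n]
                delete pending[n]; bad = 1
            }
        }
        END { exit bad + 0 }
      ' "$@" )
}

make_sample() {   # constructed files; names and contents are assumptions
    d=$(mktemp -d)
    printf '%s\n' 'LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so' \
        > "$d/05-proxy.conf"
    printf '%s\n' '<IfModule proxy_fcgi_module>' '  <FilesMatch "\.php$">' \
        '    SetHandler "proxy:fcgi://127.0.0.1:9000"' '  </FilesMatch>' \
        '</IfModule>' > "$d/00-php-fpm.conf"
    echo "$d"
}

d=$(make_sample)
check_load_order "$d" || echo "-> IfModule block read before its module is loaded"
mv "$d/00-php-fpm.conf" "$d/10-php-fpm.conf"   # the rename from the report
check_load_order "$d" && echo "-> order is consistent after the rename"
rm -rf "$d"
```

Apache evaluates `<IfModule>` while parsing, so a block read before its module is loaded is skipped without an error; that is the assumed mechanism here, and `httpd -t` will not report it.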
Comment 1 Marc Krämer 2019-06-30 16:29:37 CEST
Suggested advisory:
========================
Updated php packages fix apache may expose php code:

Due to bad loading order of apache modules, the webserver may expose php code.

========================

Updated packages in core/updates_testing:
========================
php-ini-7.3.6-2.mga8
apache-mod_php-7.3.6-2.mga8
php-cli-7.3.6-2.mga8
php-cgi-7.3.6-2.mga8
libphp_common7-7.3.6-2.mga8
php-devel-7.3.6-2.mga8
php-openssl-7.3.6-2.mga8
php-zlib-7.3.6-2.mga8
php-doc-7.3.6-2.mga8
php-bcmath-7.3.6-2.mga8
php-bz2-7.3.6-2.mga8
php-calendar-7.3.6-2.mga8
php-ctype-7.3.6-2.mga8
php-curl-7.3.6-2.mga8
php-dba-7.3.6-2.mga8
php-dom-7.3.6-2.mga8
php-enchant-7.3.6-2.mga8
php-exif-7.3.6-2.mga8
php-fileinfo-7.3.6-2.mga8
php-filter-7.3.6-2.mga8
php-ftp-7.3.6-2.mga8
php-gd-7.3.6-2.mga8
php-gettext-7.3.6-2.mga8
php-gmp-7.3.6-2.mga8
php-hash-7.3.6-2.mga8
php-iconv-7.3.6-2.mga8
php-imap-7.3.6-2.mga8
php-interbase-7.3.6-2.mga8
php-intl-7.3.6-2.mga8
php-json-7.3.6-2.mga8
php-ldap-7.3.6-2.mga8
php-mbstring-7.3.6-2.mga8
php-mysqli-7.3.6-2.mga8
php-mysqlnd-7.3.6-2.mga8
php-odbc-7.3.6-2.mga8
php-opcache-7.3.6-2.mga8
php-pcntl-7.3.6-2.mga8
php-pdo-7.3.6-2.mga8
php-pdo_dblib-7.3.6-2.mga8
php-pdo_firebird-7.3.6-2.mga8
php-pdo_mysql-7.3.6-2.mga8
php-pdo_odbc-7.3.6-2.mga8
php-pdo_pgsql-7.3.6-2.mga8
php-pdo_sqlite-7.3.6-2.mga8
php-pgsql-7.3.6-2.mga8
php-phar-7.3.6-2.mga8
php-posix-7.3.6-2.mga8
php-readline-7.3.6-2.mga8
php-recode-7.3.6-2.mga8
php-session-7.3.6-2.mga8
php-shmop-7.3.6-2.mga8
php-snmp-7.3.6-2.mga8
php-soap-7.3.6-2.mga8
php-sockets-7.3.6-2.mga8
php-sodium-7.3.6-2.mga8
php-sqlite3-7.3.6-2.mga8
php-sysvmsg-7.3.6-2.mga8
php-sysvsem-7.3.6-2.mga8
php-sysvshm-7.3.6-2.mga8
php-tidy-7.3.6-2.mga8
php-tokenizer-7.3.6-2.mga8
php-xml-7.3.6-2.mga8
php-xmlreader-7.3.6-2.mga8
php-xmlrpc-7.3.6-2.mga8
php-xmlwriter-7.3.6-2.mga8
php-xsl-7.3.6-2.mga8
php-wddx-7.3.6-2.mga8
php-zip-7.3.6-2.mga8
php-fpm-7.3.6-2.mga8
phpdbg-7.3.6-2.mga8
php-debugsource-7.3.6-2.mga8
php-debuginfo-7.3.6-2.mga8
apache-mod_php-debuginfo-7.3.6-2.mga8
php-cli-debuginfo-7.3.6-2.mga8
php-cgi-debuginfo-7.3.6-2.mga8
libphp_common7-debuginfo-7.3.6-2.mga8
php-openssl-debuginfo-7.3.6-2.mga8
php-zlib-debuginfo-7.3.6-2.mga8
php-bcmath-debuginfo-7.3.6-2.mga8
php-bz2-debuginfo-7.3.6-2.mga8
php-calendar-debuginfo-7.3.6-2.mga8
php-ctype-debuginfo-7.3.6-2.mga8
php-curl-debuginfo-7.3.6-2.mga8
php-dba-debuginfo-7.3.6-2.mga8
php-dom-debuginfo-7.3.6-2.mga8
php-enchant-debuginfo-7.3.6-2.mga8
php-exif-debuginfo-7.3.6-2.mga8
php-fileinfo-debuginfo-7.3.6-2.mga8
php-filter-debuginfo-7.3.6-2.mga8
php-ftp-debuginfo-7.3.6-2.mga8
php-gd-debuginfo-7.3.6-2.mga8
php-gettext-debuginfo-7.3.6-2.mga8
php-gmp-debuginfo-7.3.6-2.mga8
php-hash-debuginfo-7.3.6-2.mga8
php-iconv-debuginfo-7.3.6-2.mga8
php-imap-debuginfo-7.3.6-2.mga8
php-interbase-debuginfo-7.3.6-2.mga8
php-intl-debuginfo-7.3.6-2.mga8
php-json-debuginfo-7.3.6-2.mga8
php-ldap-debuginfo-7.3.6-2.mga8
php-mbstring-debuginfo-7.3.6-2.mga8
php-mysqli-debuginfo-7.3.6-2.mga8
php-mysqlnd-debuginfo-7.3.6-2.mga8
php-odbc-debuginfo-7.3.6-2.mga8
php-opcache-debuginfo-7.3.6-2.mga8
php-pcntl-debuginfo-7.3.6-2.mga8
php-pdo-debuginfo-7.3.6-2.mga8
php-pdo_dblib-debuginfo-7.3.6-2.mga8
php-pdo_firebird-debuginfo-7.3.6-2.mga8
php-pdo_mysql-debuginfo-7.3.6-2.mga8
php-pdo_odbc-debuginfo-7.3.6-2.mga8
php-pdo_pgsql-debuginfo-7.3.6-2.mga8
php-pdo_sqlite-debuginfo-7.3.6-2.mga8
php-pgsql-debuginfo-7.3.6-2.mga8
php-phar-debuginfo-7.3.6-2.mga8
php-posix-debuginfo-7.3.6-2.mga8
php-readline-debuginfo-7.3.6-2.mga8
php-recode-debuginfo-7.3.6-2.mga8
php-session-debuginfo-7.3.6-2.mga8
php-shmop-debuginfo-7.3.6-2.mga8
php-snmp-debuginfo-7.3.6-2.mga8
php-soap-debuginfo-7.3.6-2.mga8
php-sockets-debuginfo-7.3.6-2.mga8
php-sodium-debuginfo-7.3.6-2.mga8
php-sqlite3-debuginfo-7.3.6-2.mga8
php-sysvmsg-debuginfo-7.3.6-2.mga8
php-sysvsem-debuginfo-7.3.6-2.mga8
php-sysvshm-debuginfo-7.3.6-2.mga8
php-tidy-debuginfo-7.3.6-2.mga8
php-tokenizer-debuginfo-7.3.6-2.mga8
php-xml-debuginfo-7.3.6-2.mga8
php-xmlreader-debuginfo-7.3.6-2.mga8
php-xmlrpc-debuginfo-7.3.6-2.mga8
php-xmlwriter-debuginfo-7.3.6-2.mga8
php-xsl-debuginfo-7.3.6-2.mga8
php-wddx-debuginfo-7.3.6-2.mga8
php-zip-debuginfo-7.3.6-2.mga8
php-fpm-debuginfo-7.3.6-2.mga8
phpdbg-debuginfo-7.3.6-2.mga8

Source RPMs: 
php-7.3.6-2.mga8.src.rpm

Assignee: mageia => qa-bugs

Comment 2 Thomas Backlund 2019-08-10 02:17:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0218.html

Resolution: (none) => FIXED
CC: (none) => tmb
Status: NEW => RESOLVED

