Bugzilla – Bug 1154999
VUL-0: CVE-2019-11043: php5,php72,php7,php53: env_path_info underflow in fpm_main.c can lead to RCE
Last modified: 2021-09-14 12:51:03 UTC
CVE-2019-11043 env_path_info underflow in fpm_main.c can lead to RCE References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11043 https://bugs.php.net/bug.php?id=78599 https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest
Tracked as affected: php72 php7 php53 in SLE11-SP3 php5 in SLE12 php5 in SLE11-SP1 and SLE10-SP3 ASFAICS do not ship the php-fpm In comment 0 the upstream bug report and the fix are available.
Packages submitted for: 15/php7,12/php72,12/php7,11sp3/php53.
Fixed also in devel:languages:php:php56/php5.
SUSE-SU-2019:2809-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1154999 CVE References: CVE-2019-11043 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php7-7.0.7-50.88.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php7-7.0.7-50.88.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-50.88.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2819-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1154999 CVE References: CVE-2019-11043 Sources used: SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): php7-7.2.5-4.46.1 SUSE Linux Enterprise Module for Web Scripting 15 (src): php7-7.2.5-4.46.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src): php7-7.2.5-4.46.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): php7-7.2.5-4.46.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): php7-7.2.5-4.46.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2441-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1154999 CVE References: CVE-2019-11043 Sources used: openSUSE Leap 15.1 (src): php7-7.2.5-lp151.6.13.1, php7-test-7.2.5-lp151.6.13.1
SUSE-SU-2019:2909-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1154999 CVE References: CVE-2019-11043 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.29.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php72-7.2.5-1.29.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.29.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2457-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1154999 CVE References: CVE-2019-11043 Sources used: openSUSE Leap 15.0 (src): php7-7.2.5-lp150.2.29.2, php7-test-7.2.5-lp150.2.29.2
Submitted also for 12/php5.
SUSE-SU-2020:0522-1: An update that solves 9 vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1145095,1146360,1154999,1159922,1159923,1159924,1159927,1161982,1162629,1162632 CVE References: CVE-2019-11041,CVE-2019-11042,CVE-2019-11043,CVE-2019-11045,CVE-2019-11046,CVE-2019-11047,CVE-2019-11050,CVE-2020-7059,CVE-2020-7060 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php5-5.5.14-109.68.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.68.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done
This is an autogenerated message for OBS integration: This bug (1154999) was mentioned in https://build.opensuse.org/request/show/802846 Factory / php7
This is an autogenerated message for OBS integration: This bug (1154999) was mentioned in https://build.opensuse.org/request/show/802978 Factory / php7
This is an autogenerated message for OBS integration: This bug (1154999) was mentioned in https://build.opensuse.org/request/show/804946 Factory / php7
This is an autogenerated message for OBS integration: This bug (1154999) was mentioned in https://build.opensuse.org/request/show/805287 Factory / php7