
Comments (4)

jrbecart avatar jrbecart commented on May 14, 2024 1

Temporarily, if someone needs the updated image, you can find it here (forked from this repo). I set it up on Docker Hub to rebuild the images automatically if the base image is updated.

from php-fpm.

jrbecart avatar jrbecart commented on May 14, 2024

(I think) Laradock is not exploitable by default.
To be vulnerable you need a specific configuration in nginx, such as:

The full list of preconditions

  • Nginx + php-fpm, location ~ [^/]\.php(/|$) must be forwarded to php-fpm (maybe the regexp can be stricter, see this).
  • The fastcgi_split_path_info directive must be there and contain a regexp starting with ^ and ending with $, so we can break it with a newline character.
  • There must be a PATH_INFO variable assignment via statement fastcgi_param PATH_INFO $fastcgi_path_info;. Also SCRIPT_FILENAME must be set using fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; (there might be a constant path instead of $document_root). At first, we thought these are always present in the fastcgi_params file, but it's not true.
  • No file existence checks like try_files $uri =404 or if (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch.
  • This exploit works only for PHP 7+, but the bug itself is present in earlier versions (see below).

So when looking at the nginx default.conf laradock is not vulnerable, BUT it will be a GOOD idea to update it.

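The precondition list above is a checklist a practitioner can run against a real nginx config rather than eyeball. The following added example (not code from this thread, from Laradock, or from php-fpm) embeds a constructed location block that meets every listed precondition, derives the hardened variant by adding the `try_files $uri =404;` check the comment recommends, and reports which blocks still meet all of them. Names such as `php-upstream`, `/var/www/html`, and the function names are assumptions for the example; the checker does not follow `include` files, so directives that only live in `fastcgi_params` are not seen, and it does not inspect the PHP version.

```python
import re

# Constructed sample, not Laradock's config: one php location block that satisfies
# every precondition from the checklist (PHP version aside).
VULNERABLE_CONF = r"""
server {
    listen 80;
    root /var/www/html;
    index index.php;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-upstream;
        include fastcgi_params;
    }
}
"""

# Same block with the file-existence check the thread calls the easiest patch:
# nginx now answers 404 itself for scripts that do not exist on disk, so the
# request never reaches php-fpm.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "fastcgi_split_path_info",
    "try_files $uri =404;\n        fastcgi_split_path_info",
    1,
)

# Precondition names; all of them must hold for a block to be reported.
REQUIRED = {
    "php_to_fpm",
    "split_path_info_anchored",
    "path_info_from_split",
    "script_filename_from_split",
    "no_existence_check",
}


def location_blocks(conf):
    """Return (header, body) for every location block, matching braces by depth."""
    blocks = []
    for m in re.finditer(r"\blocation\s+([^{]+)\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), conf[m.end():i - 1]))
    return blocks


def assess(header, body):
    """Return the set of checklist preconditions that hold for one block."""
    found = set()
    # Precondition 1: a .php location handed to php-fpm over FastCGI.
    if ".php" in header and re.search(r"\bfastcgi_pass\b", body):
        found.add("php_to_fpm")
    # Precondition 2: fastcgi_split_path_info with a regexp anchored by ^ and $.
    m = re.search(r"fastcgi_split_path_info\s+(\S+)\s*;", body)
    if m and m.group(1).startswith("^") and m.group(1).endswith("$"):
        found.add("split_path_info_anchored")
    # Precondition 3: PATH_INFO and SCRIPT_FILENAME taken from the split result.
    if re.search(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;", body):
        found.add("path_info_from_split")
    if re.search(r"fastcgi_param\s+SCRIPT_FILENAME\s+\S*\$fastcgi_script_name\s*;", body):
        found.add("script_filename_from_split")
    # Precondition 4: no try_files $uri =404 and no if (-f ...) existence check.
    if not re.search(r"try_files\s+\$uri\s+=404|if\s*\(\s*!?-f\s", body):
        found.add("no_existence_check")
    return found


def exposed_locations(conf):
    """Headers of the location blocks that meet every listed precondition."""
    return [h for h, b in location_blocks(conf) if REQUIRED <= assess(h, b)]


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", exposed_locations(conf) or "no matching location blocks")
```

Run it against `nginx -T` output to cover a whole deployment; a block that is reported is only exposed if php-fpm is the backend and the other conditions from the checklist (including the PHP version) hold, so treat the result as a triage list, not a verdict.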

kylelee24 avatar kylelee24 commented on May 14, 2024

Thanks @jrbecart. I agree with your assessment which is why I have left it unpatched at the moment (vs. creating my own base image). But as you said, it would be a good idea to update it anyway. And since from what I can tell, there isn't really any work except to re-run the build, I thought this issue would turnaround quickly.


bestlong avatar bestlong commented on May 14, 2024

Now the image is auto-built and pushed to Docker Hub every week.

https://github.com/laradock/php-fpm/actions
