Mailcow-dockerized: Urgent security issue in NGINX/php-fpm

Created on 19 Nov 2019 · 5 Comments · Source: mailcow/mailcow-dockerized

A new security risk has emerged around NGINX, documented in CVE-2019-11043.
This exploit allows for remote code execution on some NGINX and php-fpm configurations.

In particular, this allows breaking into Nextcloud instances and encrypting the data.

Is there a need for action with regard to Mailcow?

https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
https://www.php.net/archive/2019.php#2019-10-24-1

All 5 comments

As you've linked yourself, one thing you can do now is change the nginx.conf.
php-fpm-mailcow already runs 7.3.11.

Thank you very much for your quick feedback.

So the changes to "nginx.conf" have no effect on Mailcow?

To be precise: you should change the nextcloud.conf - this shouldn't have any effect on other vhosts if you don't mess up the conf-content.
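
For checking a vhost file such as nextcloud.conf, the following is an added example, not code from the thread or from the mailcow project. It assumes the mitigation is a file-existence check such as `try_files $fastcgi_script_name =404;` in any location that uses `fastcgi_split_path_info`; both sample configs and the `phpfpm:9000` upstream are constructed for illustration.

```python
import re

# Constructed sample: PATH_INFO is split off but the script is never checked.
WEAK_CONF = r"""
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass phpfpm:9000;  # hypothetical upstream
}
"""

# Constructed sample: same block with a file-existence check added.
HARDENED_CONF = r"""
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass phpfpm:9000;  # hypothetical upstream
}
"""

# Directives that reject requests for scripts that do not exist on disk.
GUARDS = (
    r"try_files\s+[^;]*(\$fastcgi_script_name|\$uri)[^;]*=404",
    r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)",
)

def location_blocks(conf):
    """Yield (header, body) per location block; naive brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"\blocation\b([^{;]*)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def risky_locations(conf):
    """Return headers of locations that split PATH_INFO without a guard."""
    findings = []
    for header, body in location_blocks(conf):
        uses_split = "fastcgi_split_path_info" in body and "fastcgi_pass" in body
        guarded = any(re.search(g, body) for g in GUARDS)
        if uses_split and not guarded:
            findings.append(header)
    return findings

if __name__ == "__main__":
    print("weak:", risky_locations(WEAK_CONF))
    print("hardened:", risky_locations(HARDENED_CONF))
```

The brace matching does not handle quoted braces or `include` directives, so treat an empty result as a hint rather than proof, and validate any edited file with `nginx -t` before reloading.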

I think we updated the images a few minutes after the updated Docker images were released. :)
