Here are updated packages in the Yum repository:
- PHP 5.5.12 for RHEL/CentOS 5/6 changelog
- PHP 5.4.28 for RHEL/CentOS 5/6 changelog
- Xdebug 2.2.5 changelog
The PHP releases fix CVE-2014-0185, which was causing PHP-fpm to create a world-writeable unix socket if unix sockets were used and the listen.mode configuration setting not changed. However, this fix, as it reduces the permissions of the unix socket, may cause some server setups that relied on this to fail.
If it’s not important that the unix socket is world-writable on the server (any linux user on the box can connect to the fastcgi server, and effectively run custom code as the php-fpm user, which isn’t unlike using a loopback TCP port anyway), then you can re-enable this by adding to your php-fpm configuration:
There are other, more secure ways of resolving this, which will prevent the potential security issue, such as changing the ‘listen.owner’ or ‘listen.group’ setting, which control the owner/group of the unix socket. For instance, if only Nginx was using php-fpm, you could do the following:
listen.owner = nginx listen.group = nginx
That way, only nginx can talk to php-fpm.