Latest Updates, PHP 5.5.12, PHP 5.4.28, Xdebug 2.2.5

Here are updated packages in the Yum repository:

The PHP releases fix CVE-2014-0185, which caused PHP-FPM to create a world-writable unix socket when unix sockets were used and the listen.mode configuration setting was not changed. However, because the fix reduces the permissions of the unix socket, it may cause some server setups that relied on the old permissions to fail.

If it doesn’t matter to you that the unix socket is world-writable on the server (any Linux user on the box can then connect to the FastCGI server and effectively run custom code as the php-fpm user, which isn’t unlike using a loopback TCP port anyway), you can restore the previous behaviour by adding the following to your php-fpm configuration:

listen.mode=0666

There are other, more secure ways of resolving this, which will prevent the potential security issue, such as changing the ‘listen.owner’ or ‘listen.group’ setting, which control the owner/group of the unix socket. For instance, if only Nginx was using php-fpm, you could do the following:

listen.owner = nginx
listen.group = nginx

That way, only nginx can talk to php-fpm.
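To find pools that still expose a world-writable socket, here is an added example (not from the original post or from the PHP project) that parses php-fpm pool configuration and flags them. The function name, the sample pools and paths, and the assumed default of 0660 when listen.mode is unset are assumptions made for illustration.

```python
import re

OTHER_WRITE = 0o002  # the "world-writable" permission bit

def audit_fpm_pools(conf_text, default_mode=0o660):
    """Return {pool: finding} for pools whose unix socket is world-writable.
    default_mode applies when listen.mode is unset: 0o660 is assumed for
    releases with the CVE-2014-0185 fix; pass 0o666 to model an unfixed one."""
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = pools.setdefault(section.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value

    findings = {}
    for name, opts in pools.items():
        listen = opts.get("listen", "")
        if not listen.startswith("/"):           # TCP listener, not a socket file
            continue
        mode = int(opts["listen.mode"], 8) if "listen.mode" in opts else default_mode
        if mode & OTHER_WRITE:
            findings[name] = (f"{listen} mode {mode:04o}: any local user can "
                              f"connect (owner={opts.get('listen.owner', 'unset')}, "
                              f"group={opts.get('listen.group', 'unset')})")
    return findings

# Constructed sample pool configuration, not taken from a real server.
SAMPLE = """
[legacy]
listen = /var/run/php-fpm/legacy.sock
listen.mode=0666            ; the compatibility workaround
[web]
listen = /var/run/php-fpm/web.sock
listen.owner = nginx
listen.group = nginx
[tcp]
listen = 127.0.0.1:9000
"""

if __name__ == "__main__":
    for pool, finding in audit_fpm_pools(SAMPLE).items():
        print(f"[{pool}] {finding}")
```

Passing `default_mode=0o666` shows which pools would have been exposed on a release without the fix.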

Published by

Andy Thompson

Senior Technical Consultant on enterprise web projects, with interests in open-source development, a little bit of finance, and poker.
