PublicDateAtUSN: 2019-10-24
Candidate:CVE-2019-11043
PublicDate: 2019-10-28 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043
 https://github.com/neex/phuip-fpizdam/
 https://ubuntu.com/security/notices/USN-4166-1
 https://ubuntu.com/security/notices/USN-4166-2
Description:
 In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below
 7.3.11 in certain configurations of FPM setup it is possible to cause FPM
 module to write past allocated buffers into the space reserved for FCGI
 protocol data, thus opening the possibility of remote code execution.
Ubuntu-Description:
Notes:
 sbeattie> PEAR issues should go against php-pear as of xenial
Mitigation: 
Bugs: 
 https://bugs.php.net/bug.php?id=78599
 https://bugs.launchpad.net/ubuntu/+source/php-defaults/+bug/1849620
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_php5:
 upstream: https://github.com/microsoft/php-src/commit/c69bcb212b37900fd61daaf38762e4974cb4dcc9
upstream_php5: needs-triage
precise/esm_php5: released (5.3.10-1ubuntu3.40)
trusty_php5: ignored (out of standard support)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.29+esm6)
xenial_php5: DNE
bionic_php5: DNE
disco_php5: DNE
eoan_php5: DNE
devel_php5: DNE

Patches_php7.0:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a (7.1)
upstream_php7.0: needs-triage
precise/esm_php7.0: DNE
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
xenial_php7.0: released (7.0.33-0ubuntu0.16.04.7)
esm-infra/xenial_php7.0: released (7.0.33-0ubuntu0.16.04.7)
bionic_php7.0: DNE
disco_php7.0: DNE
eoan_php7.0: DNE
devel_php7.0: DNE

Patches_php7.2:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=ab061f95ca966731b1c84cf5b7b20155c0a1c06a
upstream_php7.2: released (7.2.24)
precise/esm_php7.2: DNE
trusty_php7.2: DNE
trusty/esm_php7.2: DNE
xenial_php7.2: DNE
bionic_php7.2: released (7.2.24-0ubuntu0.18.04.1)
disco_php7.2: released (7.2.24-0ubuntu0.19.04.1)
eoan_php7.2: DNE
devel_php7.2: DNE

Patches_php7.3:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=19e17d3807e6cc0b1ba9443ec5facbd33a61f8fe
upstream_php7.3: released (7.3.11)
precise/esm_php7.3: DNE
trusty_php7.3: DNE
trusty/esm_php7.3: DNE
xenial_php7.3: DNE
bionic_php7.3: DNE
disco_php7.3: DNE
eoan_php7.3: released (7.3.11-0ubuntu0.19.10.1)
devel_php7.3: released (7.3.11-0ubuntu1)