Urgent security issue in NGINX/php-fpm
TL;DR: Update PHP to 7.3.11 or later as soon as possible; a recently published CVE demonstrates remote code execution (RCE) in certain nginx/php-fpm configurations.
We have become aware of a new security issue disclosed within the past few days. It is serious: it allows remote code execution on certain nginx/php-fpm configurations. If you don't run NGINX, this does not affect you.
We recommend updating to PHP 7.3.11 or later as soon as possible. If you used our example nginx configuration, please also update the PHP location block from:
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # Every request ending in .php is handed to php-fpm, whether or not the script exists on disk
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
to:
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # Only pass the request to php-fpm if the script file actually exists; otherwise return 404
    try_files $fastcgi_script_name =404;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
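The two remediation steps above (a minimum PHP version and a try_files guard in every PHP location block) are easy to verify on a host. The script below is an added example written for this post, not Pixelfed's own tooling: it parses the first line of `php-fpm -v` output against the 7.3.11 minimum, and scans an nginx config file for `location ~ \.php$` blocks that lack the `try_files $fastcgi_script_name =404;` line. The sample version string and the two sample config files it checks are constructed inline so it runs offline; on a real server you would feed it `php-fpm -v | head -n1` and your actual site config.

```shell
#!/bin/sh
# Added example (not Pixelfed's code): check the two mitigations from the advisory.

MIN_PHP="7.3.11"   # minimum version named in the advisory

# Extract "7.3.11" from a line such as "PHP 7.3.11 (fpm-fcgi) (built: ...)"
parse_php_version() {
  printf '%s\n' "$1" | awk '{ print $2 }'
}

# version_ge HAVE WANT: succeeds when dotted version HAVE >= WANT (3 components)
version_ge() {
  have="$1"; want="$2"; i=1
  while [ "$i" -le 3 ]; do
    h=$(printf '%s' "$have" | cut -d. -f"$i"); w=$(printf '%s' "$want" | cut -d. -f"$i")
    h=${h:-0}; w=${w:-0}
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# php_version_ok "PHP x.y.z ...": succeeds when the reported version meets MIN_PHP
php_version_ok() {
  version_ge "$(parse_php_version "$1")" "$MIN_PHP"
}

# php_locations_guarded FILE: succeeds only if every "location ~ \.php$" block
# in FILE contains the try_files guard before its closing brace
php_locations_guarded() {
  awk '
    index($0, "location ~ \\.php$") > 0 { inblk = 1; guarded = 0; next }
    inblk && index($0, "try_files $fastcgi_script_name =404") > 0 { guarded = 1 }
    inblk && $0 ~ /^[[:space:]]*}/ { if (!guarded) bad++; inblk = 0 }
    END { exit (bad > 0 ? 1 : 0) }
  ' "$1"
}

# Constructed sample configs mirroring the "before" and "after" blocks in the post
sample_vulnerable_conf() {
  cat <<'EOF'
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
EOF
}

sample_fixed_conf() {
  cat <<'EOF'
location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    try_files $fastcgi_script_name =404;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
EOF
}

# Demonstration on the constructed inputs
constructed_version_line="PHP 7.3.10 (fpm-fcgi) (built: Jan  1 2019 00:00:00)"   # constructed, below the minimum
if php_version_ok "$constructed_version_line"; then
  echo "PHP version OK"
else
  echo "PHP version below $MIN_PHP: update php-fpm"
fi

workdir=$(mktemp -d)
sample_vulnerable_conf > "$workdir/before.conf"
sample_fixed_conf > "$workdir/after.conf"
for f in before after; do
  if php_locations_guarded "$workdir/$f.conf"; then
    echo "$f.conf: all PHP location blocks have the try_files guard"
  else
    echo "$f.conf: a PHP location block is missing try_files \$fastcgi_script_name =404"
  fi
done
rm -rf "$workdir"
```

The config scan is deliberately literal: it looks for the exact guard line from the post, so a block that uses a different but equivalent check (for example a `try_files` with additional fallbacks) will be flagged for manual review rather than silently accepted.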
If you have any questions, join our #pixelfed channel on Freenode!
— Pixelfed Team