New on LowEndTalk? Please Register and read our Community Rules.
Comments
Yup surprised it took a few days for news to spread though probably folks wanting to keep it low key until vendors/distros released the updated PHP 7.3.11, 7.2.24 and 7.1.33 versions or backported the fixes etc.
Centmin Mod users got notified via community forum + forum mailing and my social media shout outs a few days ago along with backported security fixes to EOL 7.0.33 and 5.6.40 https://community.centminmod.com/threads/php-7-3-11-7-2-24-7-1-33-security-updates-backported-php-7-0-33-5-6-40.18531/
Get updating folks!
@eva2000 I'm glad I got to fix the issue early cause of your email
You're welcome. All relevant Centmin Mod security alerts are always sent to Centmin Mod forum members and Centmin Mod's twitter and Facebook followers ^_^
Ubuntu and Debian still haven't patched it
Debian provide safe defaults for nginx in /etc/nginx/snippets/fastcgi-php.conf that use a try_files directive
Long live apache
People still use apache?
I've heard of "nginx" but I'm still trying to figure out how to pronounce it ...
Viva apache
Caddy. Tks.
ENGINE X.
DO YOU FEEL THE POWER?
Caddy looks intriguing, but can it run Nextcloud?
I guess that I should check it out sometime so that I might "feel the power" ... By the way, why "X"?
Never tried. But seems possible.
Definitely intriguing. (I probably wouldn't try to run Nextcloud on it, but as a web server, it looks tempting.)
Anyone not using the try_files approach deserves to be bitten by this.
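As an added example (not code from the thread, Debian or nginx): a small audit that flags nginx location blocks which split PATH_INFO and pass requests to PHP-FPM without the try_files existence check mentioned above. The sample config and the function names are constructed for illustration; include files are not followed and only try_files is recognised as a guard.

```python
import re

# Constructed sample config (not from the thread): the first PHP location has
# its try_files guard commented out, the second keeps the guard in place.
SAMPLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
server {
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""

def location_blocks(conf):
    """Yield (header, body) for each location block, matching braces by depth."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (assumes no '#' inside values)
    for m in re.finditer(r"\blocation\b([^{;]*)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def unguarded_php_locations(conf):
    """Return headers of locations that use fastcgi_split_path_info and
    fastcgi_pass but contain no try_files directive."""
    flagged = []
    for header, body in location_blocks(conf):
        # First word of every directive in the block (nested blocks included).
        directives = {d.split()[0] for d in re.split(r"[;{}]", body) if d.strip()}
        if {"fastcgi_pass", "fastcgi_split_path_info"} <= directives \
                and "try_files" not in directives:
            flagged.append(header)
    return flagged

if __name__ == "__main__":
    for header in unguarded_php_locations(SAMPLE_CONF):
        print("no try_files guard in: location", header)
```

To audit a real server, feed it the text of each file under the nginx configuration directory, including the snippet files that location blocks pull in with include.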
DO YOU FEEL MY BACKDOOR?
That's a sexually intriguing question
I would be terrified if you would not be offended.
For years I pronounced it N-jinx
That's why I will stick with my apache
Nice to see you were so proactive eva. Big companies like Oakley / Plesk who are using nginx should take it as an example see https://talk.plesk.com/threads/urgent-security-issue-in-nginx-php-fpm.353923/
No reaction on their own forum. Probably they want to keep it low key.....
@dev0 After I saw this stuff the first thing I thought was the ironic timing of me moving off of Plesk onto my own Nginx/PHP stack. Being able to fully control things is so nice.
Yeah I have a dedicated slack channel subscribing to software's github release tracking so the moment PHP new releases get pushed on github, I get a notification in my slack channel. This notification usually is a good 1-5 days before php.net announcements are made. In the past I relied on php.net announcements but they're usually delayed from when actual PHP new releases are pushed on github at https://github.com/php/php-src/releases. For this release, the delay between github release and php.net announcement was ~2-3 days
Great thing these days is php.net downloads are now on CDN unlike their old distributed mirror system, so there is no need to wait for php.net announcements as there is no need to wait for old mirror system to populate when they use a CDN now
I do the same for other software and web apps tracking where possible i.e. wordpress releases/security
Full control is what drove me to developing my own Centmin Mod LEMP stack - not having to wait on other folks so I can patch and backport patches to Nginx and PHP-FPM when I need to etc i.e. playing with Cloudflare's Nginx HTTP/3 patch
I was going to use Centmin but I wanted to use CentOS 8.
Yeah Centmin Mod's CentOS 8 compatibility is work in progress you can follow at https://community.centminmod.com/threads/centmin-mod-centos-8-compatibility-worklog.18372/
Oh yeah, I have, I'm sure many will be happy once things are worked out.
I use Apache. Its engine is very stable.
Yeah, but can't handle many connections, due to not having an event horizon loop epoll thingie.
Apache has a choice of three different models: prefork, worker, and event, where the event model is the most performant. Often, prefork (the slowest model) is set by default and so this is what people tend to use.
Yes, for heavily visited sites, NGINX is (much?) more performant than Apache, but for ordinary sites, Apache works fine.
Just saw that a company, F5 Networks, acquired NGINX in May:
https://www.f5.com/company/news/press-releases/f5-completes-acquisition-of-nginx
https://www.f5.com/company/blog/letter-to-f5-employees-from-ceo-francois-locoh-donou-announcing-nginx-acquisition
https://www.nginx.com/blog/nginx-is-now-officially-part-of-f5/
There's the usual blah-blah about how great this combination (F5 + NGINX) is for everyone.
Frankly, I never had problems with Apache. It is very stable for most use cases. I don't need a Ferrari to send kids to school; an Audi will do.