Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-mail-logging domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the health-check domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the ninja-forms domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the updraftplus domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the rocket domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/html/wp-includes/functions.php on line 6114
Urgent security issue in NGINX/php-fpm - Nextcloud

Urgent security issue in NGINX/php-fpm

Dear system administrators,
In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you.

Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this attack. We recommend all system administrators take immediate actions:

  1. Upgrade your php packages to the latest version. A new release that fixes the issue is to be released on the 24th of October. See https://www.php.net/archive/2019.php#2019-10-24-1 Upstream php packages with the fix are:

    1. 7.1.33

    2. 7.2.24

    3. 7.3.11

  2. Update your nginx config file. We have updated the configuration in our documentation.

Since there are only two changes in the nginx configuration we highlight them here:

    location / {
                rewrite ^ /index.php$request_uri;
            }
        

Should become

    location / {
                rewrite ^ /index.php;
            }
        

Note the removal of $request_uri

And

     location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
                fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_param HTTPS on;
                # Avoid sending the security headers twice
                fastcgi_param modHeadersAvailable true;
                # Enable pretty urls
                fastcgi_param front_controller_active true;
                fastcgi_pass php-handler;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
            }
        

Should become:

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
                fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                try_files $fastcgi_script_name =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_param HTTPS on;
                # Avoid sending the security headers twice
                fastcgi_param modHeadersAvailable true;
                # Enable pretty urls
                fastcgi_param front_controller_active true;
                fastcgi_pass php-handler;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
            }
        

Note the addition of the $try_files $fastcgi_script_name =404;

Then restart your webserver and the issue is mitigated. See our full documentation here.

If you are running the docker containers from https://hub.docker.com/_/nextcloud those will also receive updates with new php-fpm versions when available.

If you are a Nextcloud customer, you should already have been notified of this issue. If you need any assistance, contact our support team through our portal.

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.