fastcgi_param HTTP_PROXY "";
Is EasyEngine vulnerable to the exploit above?
@brianjking We have released an update to fix the same.
Please make sure you do sudo ee update in latest possible.
I have executed ee update, however, now I’m shown this message:
Configuration file '/etc/nginx/fastcgi.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
When I execute D to show the changes I am shown the following:
--- /etc/nginx/fastcgi.conf 2016-07-20 08:45:31.435616495 -0400
+++ /etc/nginx/fastcgi.conf.dpkg-new 2016-07-19 07:30:19.000000000 -0400
@@ -24,4 +24,6 @@
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
-fastcgi_param HTTP_PROXY "";
+
+# To fix CGI application vulnerability - https://httpoxy.org
+fastcgi_param HTTP_PROXY "";
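Review bot: the line removed at the end of this hunk and the `fastcgi_param HTTP_PROXY "";` line added back are the same directive, so the only effective difference is the blank line and the httpoxy.org comment. The locally modified /etc/nginx/fastcgi.conf already clears HTTP_PROXY, and either answer at the dpkg prompt keeps the mitigation; taking the maintainer's version brings the file back in line with the package. Whichever is chosen, confirm afterwards that the directive appears exactly once in the resulting file and run nginx -t before reloading.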
Choose Y to use the maintainer’s version.
To add the patch for the mentioned vulnerability, the default config file has to be changed, hence the message.