Summary: | <www-apache/passenger-3.0.21-r1 : Insecure temp files usage in phusion passenger (CVE-2013-4136) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | ruby |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2013/07/15/2 | ||
See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=985633 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | | Runtime testing required: | ---
Description
Agostino Sarubbo
2013-07-20 08:21:58 UTC
passenger-4.x has a lot of packaging issues (I've already been working on it in the past weeks), and we certainly can't just stable it for our current users due to all the changes involved. It's not clear to me that passenger-3.x is involved, but if it is then these fixes should be backported, preferably by upstream.

All right, we'll wait and see whether this affects 2/3. If you could poke upstream about this, that would be helpful.

Passenger 4.0.10 has now been added to the tree, but this version needs significant testing before it can be a stable candidate.

(In reply to Hans de Graaff from comment #3)
> Passenger 4.0.10 has now been added to the tree, but this version needs
> significant testing before it can be a stable candidate.

How are we with testing 4.0.10? Alternatively, the Red Hat bug in See Also contains a patch to backport to 3.0.21.

I've just added passenger 4.0.18, which has bug fixes compared to 4.0.10, so I'd rather test 4.0.18 first and not stable 4.0.10. I'll also have a look at the 3.x patches; that sounds like a saner route.

I have now added a new revision with the backported fix from the Red Hat bug. Let's stable this revision and mark the 4.0.x series stable in its own time.

=www-apache/passenger-3.0.21-r1

amd64 stable

x86 stable

CVE-2013-4136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4136): ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.

Thanks for your work.

GLSA vote: no

GLSA vote: no. Closing noglsa.
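The CVE text above names the bug class rather than showing it: a server instance directory with a predictable name under /tmp, with ownership and permissions then set through that path, which a local user can pre-plant as a symlink so that chown()/chmod() land on the link's target. The C program below is an added example written for this page; it is not Passenger's code (ServerInstanceDir.h is C++) and not the backported patch from the Red Hat bug. All function names are invented for illustration. It puts the unsafe pattern beside a hardened one (unpredictable name via mkdtemp, O_NOFOLLOW, and ownership checks done on the descriptor) and reproduces the symlink scenario in a throwaway sandbox under /tmp so the difference is observable.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not Passenger's code): the instance
 * directory has a predictable name, EEXIST is treated as "already set up",
 * and ownership/permissions are applied by *path*.  chown()/chmod() follow
 * symlinks, so a pre-planted link redirects both calls to its target. */
int unsafe_setup_instance_dir(const char *path, uid_t uid, gid_t gid)
{
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    if (chown(path, uid, gid) != 0)   /* follows the symlink */
        return -1;
    return chmod(path, 0700);         /* follows the symlink */
}

/* Open a directory without traversing a symlink at the final component and
 * verify, on the descriptor itself, that it is a directory owned by us. */
int open_dir_nofollow(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                    /* ELOOP on Linux if `path` is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Hardened pattern: mkdtemp() picks an unpredictable name and creates the
 * directory atomically with mode 0700 (it never reuses an existing entry);
 * everything after that is done on the descriptor, so no later step
 * re-resolves the path.  The created path is copied to `out`. */
int safe_setup_instance_dir(const char *parent, uid_t uid, gid_t gid,
                            char *out, size_t outlen)
{
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s/passenger.XXXXXX", parent) >= (int)sizeof tmpl)
        return -1;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    int fd = open_dir_nofollow(tmpl, geteuid());
    if (fd < 0)
        return -1;
    int rc = (fchown(fd, uid, gid) == 0 && fchmod(fd, 0700) == 0) ? 0 : -1;
    close(fd);
    if (rc == 0 && out != NULL)
        snprintf(out, outlen, "%s", tmpl);
    return rc;
}

/* Reproduce the scenario in a constructed sandbox under /tmp: a "victim"
 * directory, and the predictable instance path pre-planted as a symlink to
 * it (the attacker's move).  Returns 0 when the unsafe setup is seen changing
 * the victim's mode through the link while the hardened setup refuses the
 * link and creates an unpredictable 0700 directory; otherwise the failing
 * step number.  Cleans up after itself. */
int demo(void)
{
    char sandbox[] = "/tmp/cve-2013-4136-demo.XXXXXX";
    char victim[4096], link[4096], created[4096] = "";
    struct stat st;
    int rc = 0;

    if (mkdtemp(sandbox) == NULL) return 1;
    snprintf(victim, sizeof victim, "%s/victim", sandbox);
    snprintf(link, sizeof link, "%s/passenger.1", sandbox);  /* predictable name */
    if (mkdir(victim, 0755) != 0) rc = 2;
    else if (symlink(victim, link) != 0) rc = 3;
    /* Unsafe code "succeeds", and the victim now has mode 0700 via the link. */
    else if (unsafe_setup_instance_dir(link, getuid(), getgid()) != 0) rc = 4;
    else if (stat(victim, &st) != 0 || (st.st_mode & 07777) != 0700) rc = 5;
    /* Hardened code refuses the symlink outright ... */
    else if (open_dir_nofollow(link, geteuid()) != -1) rc = 6;
    /* ... and creates a real directory under a name the attacker could not predict. */
    else if (safe_setup_instance_dir(sandbox, getuid(), getgid(), created, sizeof created) != 0) rc = 7;
    else if (lstat(created, &st) != 0 || !S_ISDIR(st.st_mode) || (st.st_mode & 07777) != 0700) rc = 8;

    if (created[0]) rmdir(created);
    unlink(link);
    rmdir(victim);
    rmdir(sandbox);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (step %d)\n", rc == 0 ? "symlink followed by unsafe path, refused by hardened path" : "unexpected", rc);
    return rc;
}
```

The demo runs as an unprivileged user: chown() to one's own uid/gid is permitted, so the observable effect of following the link is the mode change on the victim directory; as root the same call would change the victim's owner, which is the privilege-escalation path the CVE describes. Note that O_NOFOLLOW only protects the final path component; the parent (/tmp here) must itself be a sticky, root-owned directory, which is why the instance directory's name, not only its handling, matters.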