From ${URL} :

Description

A security issue has been reported in the Phusion Passenger gem for Ruby, which can be exploited by malicious, local users to manipulate certain data.

The security issue is caused due to a race condition error when creating a certain temporary directory and can be exploited to e.g. manipulate the content of certain files via symlink attacks.

The security issue is reported in versions prior to 4.0.38.

Note: The security issue is caused due to an improper fix of CVE-2014-1831.

Solution: Update to version 4.0.38.

Provided and/or discovered by: Raphael Geissert via the oss-security mailing list.

Original Advisory:
Phusion Passenger: https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0
Raphael Geissert: http://www.openwall.com/lists/oss-security/2014/01/29/6

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
It seems that 4.0.38 is not actually released either as a gem or via github. Given the type of exploit I'd rather wait until there is a proper upstream release for this.
passenger 4.0.40 is now in the tree with a fix for this bug. Vulnerable version will be removed after a testing period.
09 Apr 2014; Hans de Graaff <graaff@gentoo.org> -passenger-4.0.37.ebuild, -passenger-4.0.40.ebuild: Remove versions with vulnerable passenger standalone version. Note that the apache module is not affected by this.
Vulnerable versions have been removed. Security, please vote.
GLSA Vote: No
GLSA vote: no. Closed as [noglsa].
CVE-2014-1832 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1832): Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.
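A defensive pattern for the bug class reported here (a race when creating a temporary directory, then symlink attacks on files inside it), as an added example that is not Passenger's or Gentoo's code. The helper names, the `UnsafeLocation` error and the `passenger.` prefix are hypothetical; only the file names `control_process.pid` and `generation-*` come from the CVE text.

```ruby
require 'tmpdir'

# Hypothetical helpers, not Passenger's implementation.
class UnsafeLocation < StandardError; end

# Reject anything that is not a real directory we own and only we can write.
def verify_private_dir(dir)
  st = File.lstat(dir) # lstat: a symlink planted at this path is not followed
  raise UnsafeLocation, "#{dir}: not a directory" unless st.directory?
  raise UnsafeLocation, "#{dir}: not owned by us" unless st.uid == Process.euid
  raise UnsafeLocation, "#{dir}: group/world writable" if (st.mode & 0o022) != 0
end

# Create the directory atomically under an unpredictable name.
def create_private_dir(parent, prefix)
  # Dir.mktmpdir calls mkdir with mode 0700 and retries with a new name if the
  # path already exists, so a pre-created directory or symlink is never reused.
  dir = Dir.mktmpdir(prefix, parent)
  verify_private_dir(dir)
  dir
end

# Write a file such as control_process.pid without following a symlink.
def write_private_file(dir, name, content)
  verify_private_dir(dir)
  path = File.join(dir, name)
  # EXCL fails if any entry (symlinks included) already exists at path;
  # NOFOLLOW also refuses a symlink as the final path component.
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0o600) { |f| f.write(content) }
  path
rescue Errno::EEXIST, Errno::ELOOP => e
  raise UnsafeLocation, "#{path}: refusing pre-existing entry (#{e.class})"
end
```

A check-then-create sequence on a predictable name leaves a window between the check and the create; the calls above close it by letting the kernel fail the create itself.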