
Bug 634452

Summary: <www-apache/passenger-5.1.11: Arbitrary file read vulnerability
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: graaff
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
Whiteboard: B3 [noglsa]
Package list:
www-apache/passenger-5.1.11
Runtime testing required: ---
Bug Depends on: 626988    
Bug Blocks:    

Description Hans de Graaff gentoo-dev Security 2017-10-16 15:29:26 UTC
A short time ago, the cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system, if Passenger is running as root (this is usually the case when it is used in the Nginx or Apache integration mode, and not affected by the user_switching option). Users must also have write access to an application (hosted by Passenger) running on the system in order to exploit the vulnerability.

Fixed in Passenger 5.1.11
Comment 1 Hans de Graaff gentoo-dev Security 2017-10-16 15:29:56 UTC
www-apache/passenger-5.1.11 is now in the tree.
Comment 2 Hans de Graaff gentoo-dev Security 2017-10-16 15:37:58 UTC
I realize that bug 626988 has not yet been addressed, but given the seriousness of this security issue I'm calling for stabling of passenger 5.1.11 anyway. Note that bug 626988 isn't a regression for the current stable version, which only works with Apache.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-16 16:27:59 UTC
Bug 626988 is blocking stabilization for x86.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-10-20 02:45:12 UTC
commit 564cc1c8d4992c74f865dd41e139c2d53bd39e6f
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Mon Oct 16 17:38:34 2017 +0200

    www-apache/passenger: amd64 stable for bug 634452
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-22 20:34:29 UTC
x86 stable, last arch

@ Maintainer(s): Please clean up & drop <www-apache/passenger-5.1.11!
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-11-11 15:23:07 UTC
Please clean.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 15:06:44 UTC
CC'ing maintainer for cleanup.
Comment 8 Hans de Graaff gentoo-dev Security 2018-01-21 17:40:34 UTC
cleanup done
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2018-01-21 19:39:52 UTC
(In reply to Hans de Graaff from comment #8)
> cleanup done

Thanks, Hans!