Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 634452 - <www-apache/passenger-5.1.11: Arbitrary file read vulnerability
Summary: <www-apache/passenger-5.1.11: Arbitrary file read vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 626988
  Show dependency tree
Reported: 2017-10-16 15:29 UTC by Hans de Graaff
Modified: 2018-01-21 19:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2017-10-16 15:29:26 UTC
A short time ago, the cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system, if Passenger is running as root (this is usually the case when it is used in the Nginx or Apache integration mode, and not affected by the user_switching option). Users must also have write access to an application (hosted by Passenger) running on the system in order to exploit the vulnerability.

Fixed in Passenger 5.1.11
Comment 1 Hans de Graaff gentoo-dev 2017-10-16 15:29:56 UTC
www-apache/passenger-5.1.11 is now in the tree.
Comment 2 Hans de Graaff gentoo-dev 2017-10-16 15:37:58 UTC
I realize that bug 626988 has not yet been addressed, but given the seriousness of this security issue I'm calling for stabling of passenger 5.1.11 anyway. Note that bug 626988 isn't a regression for the current stable version, which only works with apache.
Comment 3 Thomas Deutschmann gentoo-dev 2017-10-16 16:27:59 UTC
Bug 626988 is blocking stabilization for x86.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:45:12 UTC
commit 564cc1c8d4992c74f865dd41e139c2d53bd39e6f
Author: Hans de Graaff <>
Date:   Mon Oct 16 17:38:34 2017 +0200

    www-apache/passenger: amd64 stable for bug 634452
Comment 5 Thomas Deutschmann gentoo-dev 2017-10-22 20:34:29 UTC
x86 stable, last arch

@ Maintainer(s): Please cleanup & drop <www-apache/passenger-5.1.11!
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-11 15:23:07 UTC
Please clean.
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-20 15:06:44 UTC
CC'ing maintainer for cleanup.
Comment 8 Hans de Graaff gentoo-dev 2018-01-21 17:40:34 UTC
cleanup done
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-21 19:39:52 UTC
(In reply to Hans de Graaff from comment #8)
> cleanup done

Thanks, Hans!