A short time ago, the cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system, if Passenger is running as root (this is usually the case when it is used in the Nginx or Apache integration mode, and is not affected by the user_switching option). Users must also have write access to an application (hosted by Passenger) running on the system in order to exploit the vulnerability.
Fixed in Passenger 5.1.11
www-apache/passenger-5.1.11 is now in the tree.
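A quick way to check a host against the description above is to compare the installed Passenger version with the fixed release. The script below is an added example for this bug, not code from Passenger or from the Gentoo ebuild; it assumes that `passenger-config --version` prints a line containing the dotted version number (e.g. "Phusion Passenger 5.1.11"), and the version strings passed to the functions are constructed test inputs.

```shell
#!/bin/sh
# Added example: flag Passenger installs older than the fixed release 5.1.11.

FIXED_VERSION=5.1.11

# version_lt A B: exit 0 if dotted version A is numerically older than B.
# Missing fields count as 0 (5.1 == 5.1.0); a non-numeric suffix such as
# Gentoo's "-r1" revision is ignored, so 5.1.11-r1 is not older than 5.1.11.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # drop "-r1" style suffixes
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# passenger_vulnerable VERSION: exit 0 if VERSION predates the fix.
passenger_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# extract_version LINE: pull the first dotted number out of a line such as
# "Phusion Passenger 5.1.11" (assumed output format of passenger-config).
extract_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.]*\([0-9][0-9.]*\).*/\1/'
}

# check_installed: query the live system, if passenger-config is on PATH.
check_installed() {
    if ! command -v passenger-config >/dev/null 2>&1; then
        echo "passenger-config not found; Passenger does not appear to be installed"
        return 2
    fi
    v=$(extract_version "$(passenger-config --version 2>/dev/null | head -n 1)")
    if passenger_vulnerable "$v"; then
        echo "Passenger $v is older than $FIXED_VERSION: vulnerable if it runs as root"
        return 0
    fi
    echo "Passenger $v is at or past $FIXED_VERSION"
    return 1
}

# Run the live check only when invoked with "--check"; otherwise just define
# the functions so the script can be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Note that the version test only answers half of the question in the report: a pre-5.1.11 install is exploitable when Passenger runs as root and a local user can write to a hosted application, so on a patched-version host the remaining work is confirming under which user the Passenger core actually runs and who can write to the application directories.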
I realize that bug 626988 has not yet been addressed, but given the seriousness of this security issue I'm calling for stabling of passenger 5.1.11 anyway. Note that bug 626988 isn't a regression for the current stable version, which only works with apache.
Bug 626988 is blocking stabilization for x86.
Author: Hans de Graaff <email@example.com>
Date: Mon Oct 16 17:38:34 2017 +0200
www-apache/passenger: amd64 stable for bug 634452
x86 stable, last arch
@ Maintainer(s): Please clean up & drop <www-apache/passenger-5.1.11!
CC'ing maintainer for cleanup.
(In reply to Hans de Graaff from comment #8)
> cleanup done