634452 – <www-apache/passenger-5.1.11: Arbitrary file read vulnerability

Bug 634452 - <www-apache/passenger-5.1.11: Arbitrary file read vulnerability

Summary: <www-apache/passenger-5.1.11: Arbitrary file read vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://blog.phusion.nl/2017/10/13/pa...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	626988
Blocks:
	Show dependency tree

Reported:	2017-10-16 15:29 UTC by Hans de Graaff
Modified:	2018-01-21 19:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	www-apache/passenger-5.1.11
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hans de Graaff gentoo-dev

2017-10-16 15:29:26 UTC

A short time ago, the cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system, if Passenger is running as root (this is usually the case when it is used in the Nginx or Apache integration mode, and not affected by the user_switching option). Users must also have write access to an application (hosted by Passenger) running on the system in order to exploit the vulnerability.

Fixed in Passenger 5.1.11

Comment 1 Hans de Graaff gentoo-dev

2017-10-16 15:29:56 UTC

www-apache/passenger-5.1.11 is now in the tree.

Comment 2 Hans de Graaff gentoo-dev

2017-10-16 15:37:58 UTC

I realize that bug 626988 has not yet been addressed, but given the seriousness of this security issue I'm calling for stabling of passenger 5.1.11 anyway. Note that bug 626988 isn't a regression for the current stable version, which only works with apache.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-10-16 16:27:59 UTC

Bug 626988 is blocking stabilization for x86.

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2017-10-20 02:45:12 UTC

commit 564cc1c8d4992c74f865dd41e139c2d53bd39e6f
Author: Hans de Graaff <graaff@gentoo.org>
Date:   Mon Oct 16 17:38:34 2017 +0200

    www-apache/passenger: amd64 stable for bug 634452

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-10-22 20:34:29 UTC

x86 stable, last arch


@ Maintainer(s): Please cleanup & drop <www-apache/passenger-5.1.11!

Comment 6 Aaron Bauman (RETIRED) gentoo-dev

2017-11-11 15:23:07 UTC

Please clean.

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2018-01-20 15:06:44 UTC

CC'ing maintainer for cleanup.

Comment 8 Hans de Graaff gentoo-dev

2018-01-21 17:40:34 UTC

cleanup done

Comment 9 Aaron Bauman (RETIRED) gentoo-dev

2018-01-21 19:39:52 UTC

(In reply to Hans de Graaff from comment #8)
> cleanup done

Thanks, Hans!