From ${URL} :

A file overwrite vulnerability was found in passenger caused by a predictable temporary file being written by passenger-install-nginx-module. With access to the system, a user could plant a symlink in /tmp that resulted in a chosen-file overwrite attempt whenever passenger-install-nginx-module was run, using the access rights of the executing user, potentially even with chosen content.

Upstream patch:
https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441

External References:
https://blog.phusion.nl/2017/01/10/passenger-5-1-1/

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
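The bug class described in the report above, as an added Ruby example that is neither Passenger's code nor the upstream patch: a write to a guessable name in a shared directory follows a pre-existing symlink, while an exclusive create or a library-chosen random name does not. The file name installer-check.c, the function names and the directory layout are constructed for this illustration.

```ruby
require "tmpdir"
require "tempfile"

# Unsafe pattern: fixed, guessable name. File.write follows symlinks,
# so a link planted earlier redirects the write to its target.
def write_predictable(dir, name, data)
  path = File.join(dir, name)
  File.write(path, data)
  path
end

# Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
# symlink, already sits at the path. O_NOFOLLOW and 0600 add depth.
def write_exclusive(dir, name, data)
  path = File.join(dir, name)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0o600) { |f| f.write(data) }
  path
end

# Preferred: Tempfile picks an unpredictable name and creates it exclusively.
def write_random(dir, data)
  tf = Tempfile.create("build-check-", dir)
  tf.write(data)
  tf.close
  tf.path
end

# Constructed scenario in a private sandbox standing in for /tmp.
def demo
  Dir.mktmpdir("symlink-demo-") do |root|
    shared = File.join(root, "tmp")
    Dir.mkdir(shared)
    victim = File.join(root, "victim.conf")
    File.write(victim, "original\n")
    File.symlink(victim, File.join(shared, "installer-check.c"))
    r = {}
    write_predictable(shared, "installer-check.c", "int main(){}\n")
    r[:unsafe_clobbered] = File.read(victim) != "original\n"
    File.write(victim, "original\n") # restore before the hardened run
    begin
      write_exclusive(shared, "installer-check.c", "int main(){}\n")
      r[:exclusive_refused] = false
    rescue Errno::EEXIST, Errno::ELOOP
      r[:exclusive_refused] = true
    end
    r[:victim_intact] = File.read(victim) == "original\n"
    st = File.lstat(write_random(shared, "int main(){}\n"))
    r[:random_is_private] = st.file? && (st.mode & 0o077).zero?
    r
  end
end
```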
We can stable the latest version, passenger 5.1.2, now.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Maintainer(s), Thank you for your work.
GLSA Vote: No
Maintainer(s), please drop the vulnerable version(s).
(In reply to Yury German from comment #4)
> Maintainer(s), please drop the vulnerable version(s).
Done.
Thank you all for your work. Closing as [noglsa].