
[SECURITY] [DLA 1399-1] ruby-passenger security update




Package        : ruby-passenger
Version        : 4.0.53-1+deb8u1
CVE ID         : CVE-2015-7519 CVE-2018-12029
Debian Bug     : 864651

Two flaws were discovered in ruby-passenger, the Passenger application
server for Ruby on Rails and Rack applications. They allowed attackers to
spoof HTTP headers, or to exploit a race condition that, under certain
conditions, made privilege escalation possible.

CVE-2015-7519
    Remote attackers could spoof headers passed to applications by using
    an underscore character instead of a dash character in an HTTP
    header as demonstrated by an X_User header.
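
The collision behind this issue, as an added illustration that is not part of the advisory or of Passenger's own code: a CGI-style gateway maps a header name to an environment variable by uppercasing it and turning dashes into underscores, so "X-User" and "X_User" both become HTTP_X_USER and the application cannot tell a trusted, gateway-set header from a client-supplied one. The header_name_acceptable() filter below is an assumed defensive check (reject names containing an underscore before mapping), not a description of how Passenger fixed the bug.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Map an HTTP header name to its CGI environment variable name the way a
 * Rack/CGI gateway does: prefix HTTP_, uppercase, '-' becomes '_'.
 * Returns the length written, or -1 if out is too small. */
int header_to_cgi_name(const char *name, char *out, size_t outlen)
{
    const char *prefix = "HTTP_";
    size_t plen = strlen(prefix), nlen = strlen(name);
    if (plen + nlen + 1 > outlen)
        return -1;
    memcpy(out, prefix, plen);
    for (size_t i = 0; i < nlen; i++) {
        unsigned char c = (unsigned char)name[i];
        out[plen + i] = (c == '-') ? '_' : (char)toupper(c);
    }
    out[plen + nlen] = '\0';
    return (int)(plen + nlen);
}

/* Returns 1 if two different header names collapse to the same CGI name,
 * 0 if they stay distinct, -1 on a buffer error. */
int cgi_names_collide(const char *a, const char *b)
{
    char ca[128], cb[128];
    if (header_to_cgi_name(a, ca, sizeof ca) < 0 ||
        header_to_cgi_name(b, cb, sizeof cb) < 0)
        return -1;
    return strcmp(a, b) != 0 && strcmp(ca, cb) == 0;
}

/* Assumed defensive filter (illustration, not Passenger's code): accept a
 * header name only if it consists of RFC 7230 token characters and has no
 * underscore, so only the dashed spelling can reach the application. */
int header_name_acceptable(const char *name)
{
    if (*name == '\0')
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '_')
            return 0;
        if (!(isalnum(c) || strchr("!#$%&'*+-.^`|~", c)))
            return 0;
    }
    return 1;
}

int main(void)
{
    char env[128];
    header_to_cgi_name("X_User", env, sizeof env);
    printf("X_User -> %s (collides with X-User: %d)\n",
           env, cgi_names_collide("X-User", "X_User"));
    printf("X_User acceptable: %d, X-User acceptable: %d\n",
           header_name_acceptable("X_User"), header_name_acceptable("X-User"));
    return 0;
}
```

Run it and the first line shows that X_User maps to HTTP_X_USER, the same name the dashed header produces; the filter rejects the underscore spelling and keeps the dashed one.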

CVE-2018-12029
    A vulnerability was discovered by the Pulse Security team. It was
    exploitable only when Passenger was run with a non-standard
    passenger_instance_registry_dir. After a file was created there, its
    ownership was changed through the path rather than through the open
    file descriptor, leaving a window in which the file could be replaced
    with a symlink before the chown took place. If the symlink pointed to
    a file executed by root, such as root's crontab file, privilege
    escalation was possible. This is now mitigated by using fchown().

For Debian 8 "Jessie", these problems have been fixed in version
4.0.53-1+deb8u1.

We recommend that you upgrade your ruby-passenger packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS