Your message dated Tue, 19 Mar 2019 14:39:17 +0000
with message-id <e1h6ftd-000j70...@fasolo.debian.org>
and subject line Bug#884463: fixed in passenger 5.0.30-1.1
has caused the Debian Bug report #884463,
regarding passenger: CVE-2017-16355: arbitrary file read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
884463: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884463
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: passenger
Version: 5.0.30-1
Severity: important
Tags: patch security upstream fixed-upstream

Hi,

the following vulnerability was published for passenger.

CVE-2017-16355[0]:
| In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed
| in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if
| Passenger is running as root, it is possible to list the contents of
| arbitrary files on a system by symlinking a file named REVISION from
| the application root folder to a file of choice and querying
| passenger-status --show=xml.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16355
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16355
[1] https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
[2] https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf

Regards,
Salvatore

--- End Message ---
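The advisory quoted above describes a classic symlink-following read: a process running as root opens a path by name inside a directory that an unprivileged application owner controls. The C program below is an added example, not code from this bug report, from Passenger, or from the upstream fix at commit 4043718 (whose actual approach is not reproduced here). It places the vulnerable open-by-path pattern next to a hardened reader that uses O_NOFOLLOW plus an fstat() ownership check, and exercises both against a constructed app root under /tmp. The function names, the REVISION and "secret" contents, and the temp-directory layout are all invented for the demonstration; the owner check is only meaningful when the caller is root and app_uid is the unprivileged application user, which the demo approximates by passing getuid().

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* glibc: exposes mkdtemp(), O_NOFOLLOW and O_CLOEXEC */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape (an illustration, not Passenger's code): fopen() follows symlinks, so a
 * caller running as root returns whatever the app owner pointed REVISION at. */
int read_revision_unsafe(const char *app_root, char *out, size_t outlen)
{
    char path[128];
    snprintf(path, sizeof path, "%s/REVISION", app_root);
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(out, 1, outlen - 1, f);
    out[n] = '\0';
    fclose(f);
    return (int)n;
}

/* Hardened shape: O_NOFOLLOW makes open() fail with ELOOP on a symlink; fstat() on the open
 * fd (not stat() on the path, which races) requires a regular, app-owned file, which also
 * rejects a hard link to a root-owned file; the size check refuses anything that would not
 * fit the caller's buffer instead of silently truncating it. */
int read_revision_safe(const char *app_root, uid_t app_uid, char *out, size_t outlen)
{
    char path[128];
    snprintf(path, sizeof path, "%s/REVISION", app_root);
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;                        /* errno is ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != app_uid || st.st_size >= (off_t)outlen) {
        close(fd); errno = EPERM; return -1;
    }
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Constructed fixture: a stand-in sensitive file, a genuine revision string and a throwaway
 * app root under /tmp. attack != 0 makes REVISION a symlink to "secret" (kept inside the
 * temp dir only so the demo is self-contained; the real target would be e.g. /etc/shadow). */
static const char SECRET[]   = "root:$6$constructed.hash.not.real:19000:0:99999:7:::\n";
static const char REVISION[] = "0123456789abcdef0123456789abcdef01234567\n";
static int write_file(const char *path, const char *data)
{
    FILE *f = fopen(path, "wx");                  /* "x": fail instead of clobbering */
    if (f == NULL || fputs(data, f) == EOF) return -1;
    return fclose(f);
}
static void remove_app_root(const char *root)
{
    char p[128];
    snprintf(p, sizeof p, "%s/secret", root);   unlink(p);
    snprintf(p, sizeof p, "%s/REVISION", root); unlink(p);
    rmdir(root);
}
static int make_app_root(char *root, size_t rootlen, int attack)
{
    char tmpl[] = "/tmp/passenger-demo-XXXXXX", secret[128], rev[128];
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(root, rootlen, "%s", tmpl);
    snprintf(secret, sizeof secret, "%s/secret", root);
    snprintf(rev, sizeof rev, "%s/REVISION", root);
    int rc = write_file(secret, SECRET);
    if (rc == 0) rc = attack ? symlink(secret, rev) : write_file(rev, REVISION);
    if (rc != 0) remove_app_root(root);
    return rc;
}

/* Both readers against the attacker's layout, then the hardened reader against an honest
 * layout. Each field is 1 when the reader behaved as its name says. */
struct demo { int unsafe_leaks, safe_refuses, safe_reads_real; };
struct demo run_demo(void)
{
    struct demo d = {0, 0, 0};
    char root[64], buf[512];
    if (make_app_root(root, sizeof root, 1) == 0) {
        int n = read_revision_unsafe(root, buf, sizeof buf);
        d.unsafe_leaks = n > 0 && strcmp(buf, SECRET) == 0;
        n = read_revision_safe(root, getuid(), buf, sizeof buf);
        d.safe_refuses = n == -1 && errno == ELOOP;
        remove_app_root(root);
    }
    if (make_app_root(root, sizeof root, 0) == 0) {
        int n = read_revision_safe(root, getuid(), buf, sizeof buf);
        d.safe_reads_real = n > 0 && strcmp(buf, REVISION) == 0;
        remove_app_root(root);
    }
    return d;
}

int main(void)
{
    struct demo d = run_demo();
    printf("unsafe leaks=%d  safe refuses=%d  safe reads real=%d\n",
           d.unsafe_leaks, d.safe_refuses, d.safe_reads_real);
    return 0;
}
```

Two caveats worth keeping in mind when applying this pattern. O_NOFOLLOW only protects the final path component, so if the application owner can also replace a parent directory with a symlink the check must be repeated per component (openat() with O_NOFOLLOW on each step, or a single open with RESOLVE_NO_SYMLINKS via openat2 on recent Linux). And the ownership test is what catches a hard link to a root-owned file on systems where fs.protected_hardlinks is disabled. The more robust fix for this class of bug is not to read the file as root at all: fork and drop to the application user (or use the credentials the spawner already has for the app) before touching anything under the app root, so the kernel's own permission checks apply.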
--- Begin Message ---
Source: passenger
Source-Version: 5.0.30-1.1

We believe that the bug you reported is fixed in the latest version of
passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Mar 2019 08:54:26 +0100
Source: passenger
Architecture: source
Version: 5.0.30-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 884463 921767
Changes:
 passenger (5.0.30-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * arbitrary file read via REVISION symlink (CVE-2017-16355)
     (Closes: #884463)
   * Fix privilege escalation in the Nginx module (CVE-2018-12029)
     (Closes: #921767)
Checksums-Sha1:
 f3c73ccc2e44ff6cb2b87360f8d01d5047f8e902 2736 passenger_5.0.30-1.1.dsc
 432fe5d87acb14a99bbfad794582d7430489d401 17588 passenger_5.0.30-1.1.debian.tar.xz
 d76b3b5d7c0723362f66faa7395f5ef9a7435914 7064 passenger_5.0.30-1.1_source.buildinfo
Checksums-Sha256:
 1dd5d8997cfb0d174b80f869cdc49ecad358ee6eceab1b6f689b5462c99a4c44 2736 passenger_5.0.30-1.1.dsc
 f347829a1dbfbf470ba8d6ce2e3f4b96c26a087d1a4cedd7393ac0c6bbdd8c48 17588 passenger_5.0.30-1.1.debian.tar.xz
 d7aafa222fb1161e3b50cf28e3dbdf7446823090a6f90ebdfdd7b89ae4696ba9 7064 passenger_5.0.30-1.1_source.buildinfo
Files:
 16cda8efa5591927b3c79413e58a2bb9 2736 ruby optional passenger_5.0.30-1.1.dsc
 1bc06787da90b78e5ef5abf09492ff7e 17588 ruby optional passenger_5.0.30-1.1.debian.tar.xz
 8034b43d1abbedffa82bab75c8e4738a 7064 ruby optional passenger_5.0.30-1.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
