Your message dated Fri, 29 Mar 2019 01:20:28 +0000
with message-id <e1h9gc4-0007pq...@fasolo.debian.org>
and subject line Bug#884463: fixed in passenger 5.0.30-1+deb9u1
has caused the Debian Bug report #884463,
regarding passenger: CVE-2017-16355: arbitrary file read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
884463: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884463
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: passenger
Version: 5.0.30-1
Severity: important
Tags: patch security upstream fixed-upstream

Hi,

the following vulnerability was published for passenger.

CVE-2017-16355[0]:
| In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed
| in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if
| Passenger is running as root, it is possible to list the contents of
| arbitrary files on a system by symlinking a file named REVISION from
| the application root folder to a file of choice and querying
| passenger-status --show=xml.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16355
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16355
[1] https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
[2] https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf

Regards,
Salvatore

--- End Message ---
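The bug quoted above is the classic shape of a privileged daemon reading a file whose path is controlled by a less privileged user: a planted symlink named REVISION redirects the read. The following C++ is an added example of the defensive read pattern, written for this page and not taken from Passenger or its upstream fix: refuse a symlink at the final path component, validate the already-open descriptor rather than the path, and require the file to belong to the application user. The function names, the `/tmp` fixture and its contents are all constructed for the demonstration.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstdlib>
#include <fstream>
#include <string>

struct ReadResult { bool ok; std::string content; std::string error; };

// Read appRoot/name on behalf of a privileged daemon without trusting the path.
// O_NOFOLLOW makes open() fail with ELOOP if the final component is a symlink,
// so a planted REVISION link cannot redirect the read; fstat on the descriptor
// (not stat on the path) avoids a rename race; the target must be a regular
// file owned by the application's uid, so a hard link to a root-owned file is
// rejected too. Caveat: O_NOFOLLOW ignores symlinked directories earlier in
// the path, so appRoot itself must come from a trusted, resolved location.
ReadResult readAppFileSafely(const std::string &appRoot, const std::string &name,
                             uid_t appUid, size_t maxBytes = 4096) {
    ReadResult r{false, "", ""};
    int fd = open((appRoot + "/" + name).c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { r.error = (errno == ELOOP) ? name + " is a symlink" : std::string("open failed"); return r; }
    struct stat st;
    if (fstat(fd, &st) != 0)        r.error = "fstat failed";
    else if (!S_ISREG(st.st_mode))  r.error = "not a regular file";
    else if (st.st_uid != appUid)   r.error = "not owned by the application user";
    else {
        char buf[512]; ssize_t n;
        while (r.content.size() < maxBytes && (n = read(fd, buf, sizeof buf)) > 0)
            r.content.append(buf, static_cast<size_t>(n));
        r.ok = true;
    }
    close(fd);
    return r;
}

// Constructed fixture, not real data: good/REVISION is a genuine file,
// evil/REVISION is a symlink to secret.txt (standing in for any file the
// daemon must never disclose). Returns the fresh temp directory holding both.
std::string makeDemoTree() {
    char tmpl[] = "/tmp/revdemo.XXXXXX";
    std::string base = mkdtemp(tmpl);
    mkdir((base + "/good").c_str(), 0700); mkdir((base + "/evil").c_str(), 0700);
    { std::ofstream f(base + "/good/REVISION"); f << "abc123\n"; }
    { std::ofstream f(base + "/secret.txt"); f << "not for you\n"; }
    symlink((base + "/secret.txt").c_str(), (base + "/evil/REVISION").c_str());
    return base;
}

int main() {
    std::string base = makeDemoTree();
    bool good = readAppFileSafely(base + "/good", "REVISION", getuid()).ok;
    bool evil = readAppFileSafely(base + "/evil", "REVISION", getuid()).ok;
    return (good && !evil) ? 0 : 1;  // exit 0: genuine file read, symlink refused
}
```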
--- Begin Message ---
Source: passenger
Source-Version: 5.0.30-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 17 Mar 2019 19:40:23 +0100
Source: passenger
Architecture: source
Version: 5.0.30-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 884463 921767
Changes:
 passenger (5.0.30-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * arbitrary file read via REVISION symlink (CVE-2017-16355)
     (Closes: #884463)
   * Fix privilege escalation in the Nginx module (CVE-2018-12029)
     (Closes: #921767)

--- End Message ---