Bugzilla – Bug 919726
VUL-0: CVE-2013-4136: rubygem-passenger: insecure temporary directory usage due to reuse of existing server instance directories
Last modified: 2016-01-07 13:16:17 UTC
It was reported [1],[2] that Phusion Passenger would reuse existing server instance directories (temporary directories) which could cause Passenger to remove or overwrite files belonging to other instances. This has been corrected in upstream version 4.0.8 [3] via two fixes (the initial fix [4] and a regression fix [5]; both are required to fully fix the issue). This is an issue similar to CVE-2013-2119.

[1] http://www.openwall.com/lists/oss-security/2013/07/15/2
[2] https://code.google.com/p/phusion-passenger/issues/detail?id=910
[3] http://blog.phusion.nl/2013/07/09/phusion-passenger-4-0-8-released/
[4] https://github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b
[5] https://github.com/phusion/passenger/commit/9dda49f4a3ebe9bafc48da1bd45799f30ce19566
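Editor's illustration of the failure mode described in the report (added here; this is not Passenger's code and not taken from the linked commits). It models a "server instance directory" two ways: a weak scheme that derives a predictable name under a shared temp root and silently adopts a directory that already exists, and a hardened scheme that always creates a fresh uniquely named directory and refuses to proceed unless it is a private directory owned by the current user. Module and function names (InstanceDir, weak_acquire, safe_acquire, demo_weak, demo_safe) are hypothetical.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical model of a per-instance temporary directory. Names are
# illustrative and are not Passenger's own API.
module InstanceDir
  # Weak pattern: predictable name, and an existing directory is adopted as
  # if this instance had created it. A second instance started with the same
  # generation number (or a leftover from a crashed run) shares the directory,
  # so one instance's cleanup removes or overwrites the other's files.
  def self.weak_acquire(root, generation)
    path = File.join(root, "passenger.#{generation}")
    Dir.mkdir(path, 0o700) unless Dir.exist?(path) # reuses whatever is there
    path
  end

  # Hardened pattern: Dir.mktmpdir creates a new, uniquely named directory
  # with mode 0700 and never returns a pre-existing one. We then confirm the
  # result really is a private directory we own before using it.
  def self.safe_acquire(root)
    path = Dir.mktmpdir("passenger.", root)
    verify_private!(path)
    path
  end

  def self.verify_private!(path)
    st = File.lstat(path) # lstat: a symlink planted at this path would not pass
    raise "not a directory: #{path}" unless st.directory?
    raise "not owned by us: #{path}" unless st.uid == Process.euid
    mode = st.mode & 0o777
    raise "group/other access (#{mode.to_s(8)}): #{path}" unless (mode & 0o077).zero?
    true
  end

  # remove_entry_secure refuses to operate under a world-writable parent
  # without the sticky bit, which is the right default for a cleanup step.
  def self.release(path)
    FileUtils.remove_entry_secure(path)
  end
end

# Two instances under the weak scheme: same directory, and B's cleanup
# destroys A's files. Returns a hash so the outcome can be checked.
def demo_weak(root)
  a = InstanceDir.weak_acquire(root, 0)
  File.write(File.join(a, "control.sock"), "instance A")
  b = InstanceDir.weak_acquire(root, 0)                  # adopts A's directory
  File.write(File.join(b, "control.sock"), "instance B") # overwrites A's file
  InstanceDir.release(b)                                 # removes A's files too
  { same_dir: a == b, a_survives: Dir.exist?(a) }
end

# Two instances under the safe scheme: distinct directories, A unaffected.
def demo_safe(root)
  a = InstanceDir.safe_acquire(root)
  File.write(File.join(a, "control.sock"), "instance A")
  b = InstanceDir.safe_acquire(root)
  InstanceDir.release(b)
  survives = File.exist?(File.join(a, "control.sock")) &&
             File.read(File.join(a, "control.sock")) == "instance A"
  InstanceDir.release(a)
  { same_dir: a == b, a_survives: survives }
end

if $PROGRAM_NAME == __FILE__
  # Constructed private root so the demo does not touch the real /tmp.
  root = Dir.mktmpdir("instance-demo.")
  puts "weak: #{demo_weak(root)}"
  puts "safe: #{demo_safe(root)}"
  FileUtils.remove_entry_secure(root)
end
```

Running it prints same_dir true / a_survives false for the weak scheme and the reverse for the hardened one; the point is that the fix is not only a unique name but also refusing to adopt any directory the instance did not itself create.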
bugbot adjusting priority
I have put it in our SPRINT backlog. So I assume I can do it in the next "round".
I have fixed it and have tested it with WebYaST. SR: 56468
So, I assume the security team is taking care now :-)
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-06-09. When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61808
Releasing for SLE-SLMS_1.3, SLE-STUDIOONSITE_1.3, SLE-WEBYAST_1.3
SUSE-SU-2016:0042-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 828005,919726,956281
CVE References: CVE-2013-2119,CVE-2013-4136,CVE-2015-7519
Sources used:
SUSE Webyast 1.3 (src): rubygem-passenger-3.0.14-0.14.1
SUSE Studio Onsite 1.3 (src): rubygem-passenger-3.0.14-0.14.1
SUSE Lifecycle Management Server 1.3 (src): rubygem-passenger-3.0.14-0.14.1