-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Jun 2018 20:13:30 +0200
Source: ruby-passenger
Binary: ruby-passenger libapache2-mod-passenger ruby-passenger-doc
Architecture: source amd64 all
Version: 4.0.53-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libapache2-mod-passenger - Rails and Rack support for Apache2
 ruby-passenger - Rails and Rack support
 ruby-passenger-doc - Rails and Rack support for Apache2 - Documentation
Closes: 864651
Changes:
 ruby-passenger (4.0.53-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-12029: CHOWN race vulnerability
     A vulnerability was discovered by the Pulse Security team. It was
     exploitable only when running a non-standard
     passenger_instance_registry_dir, via a race condition where after a
     file was created, there was a window in which it could be replaced
     with a symlink before it was chowned via the path and not the file
     descriptor. If the symlink target was to a file which would be
     executed by root such as root's crontab file, then privilege
     escalation was possible. This is now mitigated by using fchown().
   * Fix CVE-2015-7519: header spoofing
     Remote attackers could spoof headers passed to applications by using
     an underscore character instead of a dash character in an HTTP
     header as demonstrated by an X_User header. (Closes: #864651)
Checksums-Sha1:
 0b46807d388a0c834e0e68f069bea1a5bc6aa508 2726 ruby-passenger_4.0.53-1+deb8u1.dsc
 dce2a83e66abb1fac1cd3cdc2ef284f098bc9390 4447609 ruby-passenger_4.0.53.orig.tar.gz
 b5e1ff02086d24b30d3c332735214dbd48863c0c 18820 ruby-passenger_4.0.53-1+deb8u1.debian.tar.xz
 544c6f5a5d29924e2fbe730701717a1293460233 874956 ruby-passenger_4.0.53-1+deb8u1_amd64.deb
 79bd109048ea5f6cdf511ff3cbd7e4d3548fa721 272092 libapache2-mod-passenger_4.0.53-1+deb8u1_amd64.deb
 b196bcd4f777ccd54d414020ea37003fd7d1d37c 1044430 ruby-passenger-doc_4.0.53-1+deb8u1_all.deb
Checksums-Sha256:
 42128a5e22e8bb113ed8c19f198954d90057fb02832fc224068839be9abbb7b5 2726 ruby-passenger_4.0.53-1+deb8u1.dsc
 0b8d256cd930f93cfe723392aaa12fa3f9d5ddfddc82bbb7ab287673d029e101 4447609 ruby-passenger_4.0.53.orig.tar.gz
 e4f93d840fa33f03b9db1f796fcb886d49bb0182f5bcc2041e74b55d94be0b55 18820 ruby-passenger_4.0.53-1+deb8u1.debian.tar.xz
 7a3a490c693189d7ee36d15a1c5f36ec368b31b5f7bfa59f9f3b98f657633659 874956 ruby-passenger_4.0.53-1+deb8u1_amd64.deb
 a5313c59e65f683ff9aba656017769be53710154313e12b0922f527f39aba63b 272092 libapache2-mod-passenger_4.0.53-1+deb8u1_amd64.deb
 c51655be2da16b91f7cd5f206835fb11f98537248c0c2f06ddc11401a689751b 1044430 ruby-passenger-doc_4.0.53-1+deb8u1_all.deb
Files:
 7cb1a47cd42f4f433aba6ec613bd7582 2726 ruby optional ruby-passenger_4.0.53-1+deb8u1.dsc
 3aa0381920b09c93c8ba9cd9261d6167 4447609 ruby optional ruby-passenger_4.0.53.orig.tar.gz
 4c436eb06857ee38888a6f11964a634c 18820 ruby optional ruby-passenger_4.0.53-1+deb8u1.debian.tar.xz
 d0c6fc4441119c7f0845c0c9d3627133 874956 ruby optional ruby-passenger_4.0.53-1+deb8u1_amd64.deb
 f74bad477ad108d59a503badfbbfab3e 272092 httpd optional libapache2-mod-passenger_4.0.53-1+deb8u1_amd64.deb
 27bb0f5641c21a372d89f020c8f56352 1044430 doc optional ruby-passenger-doc_4.0.53-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlsz2KpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkoakQALEL8lq/FVhC+iqYC2nDxlf8NW8eSGFrbCBn
I+20Ud1LGORsTE3cSmTXYAO8hSKky06k8vUp4WPZvG1qK8DaJuk54cYUv8pbbpYJ
DMWmgQ4FDSvZW8QH7wR8jqc4hxOuo6HCqT7mI6263hpuxbt/BDIbndrGXCBX0kRv
FDOWJs7uEPzvkEVq0rDTAaXdJp1xWDp+OM/N4T/9ba+vXA1y00fDgNcSWZkrYIyy
bSbOAu+Nl1mkWu6vZ3o8etapEyNGbW6zXB8K+N35kNQVZathF+iLWg3UPPDgPrUT
ZdUzgg2hxJlIZteNHJYoEMi6vacIpQMSpUjqIubSjSJpVlQDVIyyukUyQKqFeegx
PUy6qDgsCSvYQLSC4pff7Nz3vby77YKEFE6C75jzOLxriwo/ECzLnvc4kTHnYgP/
d3a6wtdJ9+KVgbbGc0QtInU5cfkyxLIUNiUQFOE6HIqG00nJ95HzGU38OGGhykxL
3DumxcerhOGUH59TCViL18P0xlqtv0LOJrzW4u19+RdMjwfjsYXg0n3AoFYAWxJh
i+Nj8KLj/WUbY70GhvpjubmXgVdp9Hbb2TJdT/vWIBxNdBgtho/WpEQHSYdqvIda
ri2Z49YrNC8Lb3+ZPON6rN2cpxrhJpypoVA6DXFqmbieRyTmyaVeUY24E59Z607p
VgESr9oJ
=sFfZ
-----END PGP SIGNATURE-----
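The changelog's CVE-2018-12029 entry describes the general shape of a chown race: a file is created, its descriptor is dropped, and ownership is then changed through the path, leaving a window in which the name can be swapped for a symlink that chown() follows. The C below is an added example illustrating that pattern and the fchown() mitigation the entry names; it is not Passenger's own code and does not reproduce its instance-registry logic. All function names are hypothetical, and the scratch directory it creates under /tmp is constructed by the example itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern (the shape of the bug in the changelog entry): the file is
 * created, the descriptor is closed, and ownership is then changed through
 * the *path*. Between close() and chown() a process that can write to the
 * directory may replace the name with a symlink; chown() follows symlinks,
 * so the change lands on whatever the link points at. */
int create_owned_file_racy(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    /* window: `path` may no longer name the inode just created */
    return chown(path, uid, gid);
}

/* Hardened pattern: keep the descriptor from creation and apply every later
 * ownership/permission change to it, so the change can only affect the inode
 * we created. O_EXCL refuses any pre-existing entry (including a symlink)
 * and O_NOFOLLOW refuses to traverse a symlink at `path`. */
int create_owned_file_safe(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, 0600) != 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd; /* caller keeps using this fd and never re-opens by path */
}

/* Inspect the inode behind an open descriptor: owner uid and whether it is a
 * regular file. Returns 0 on success. */
int fd_owner(int fd, uid_t *uid, int *is_regular)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    *uid = st.st_uid;
    *is_regular = S_ISREG(st.st_mode);
    return 0;
}

/* Demonstration in a constructed temp directory. A symlink planted before the
 * call is the closest deterministic stand-in for "replaced with a symlink":
 * the safe variant must refuse it, and must succeed on a plain name with the
 * descriptor bound to our own regular file. Returns 0 when both hold. */
int demo(void)
{
    char dir[] = "/tmp/fchown-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[256], lnk[256], plain[256];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);

    int rc = 0;
    int t = open(target, O_WRONLY | O_CREAT, 0600); /* constructed target */
    if (t < 0)
        return -1;
    close(t);
    if (symlink(target, lnk) != 0)
        return -1;

    /* O_EXCL|O_NOFOLLOW: creation through the planted symlink must fail */
    if (create_owned_file_safe(lnk, getuid(), getgid()) != -1 ||
        (errno != EEXIST && errno != ELOOP))
        rc = 1;

    /* Plain name: success, and the fd refers to our regular file */
    int fd = create_owned_file_safe(plain, getuid(), getgid());
    uid_t uid;
    int reg;
    if (fd < 0 || fd_owner(fd, &uid, &reg) != 0 || uid != getuid() || !reg)
        rc = 2;
    if (fd >= 0)
        close(fd);

    unlink(plain);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo result: %d (0 = ok)\n", rc);
    return rc;
}
```

The descriptor-based calls close the window because a descriptor is bound to an inode, not to a name: whatever happens to the directory entry afterwards, fchown() and fchmod() can only touch the file that open() created. The entry also notes the precondition that made the race reachable, a non-standard directory; the complementary control is to keep such directories writable only by the owning service account, so no other local user can race the name in the first place.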