[DRE-maint] Bug#884463: passenger: CVE-2017-16355: arbitrary file read
Martin Chase
outofculture at gmail.com
Sun Mar 10 23:07:30 GMT 2019
Hey,
It looks like version 5.0.30 is not impacted by the CVE[1], and to the
best of my abilities, I couldn't reproduce the insecure behavior.
I didn't try to read through the source to see if a fix patch *might*
still do something useful. Commit
4043718264095cde6623c2cbe8c644541036d7bf[2] does merge cleanly, build
and run, but I could not test that it fixes anything (being unable to
repro the bug). I've included a debdiff, if you want to include it
anyway (I only did a cursory test of the new package, so we would
maybe want to do more extensive verification that the patch doesn't
break anything).
Regards,
Martin
1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16355
2: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff
Type: application/octet-stream
Size: 2975 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20190310/ee9103c7/attachment.obj>
More information about the Pkg-ruby-extras-maintainers
mailing list