[DRE-maint] Bug#1098909: passenger: CVE-2025-26803
Salvatore Bonaccorso
carnil at debian.org
Tue Feb 25 21:03:54 GMT 2025
Source: passenger
Version: 6.0.24+ds-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for passenger.

CVE-2025-26803[0]:
| The http parser in Phusion Passenger 6.0.21 through 6.0.25 before
| 6.0.26 allows a denial of service during parsing of a request with
| an invalid HTTP method.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26803
    https://www.cve.org/CVERecord?id=CVE-2025-26803
[1] https://blog.phusion.nl/2025/02/19/passenger-6-0-26/
[2] https://github.com/phusion/passenger/commit/bb15591646687064ab2d578d5f9660b2a4168017

Regards,
Salvatore