Description
Security update for rubygem-passenger
This update for rubygem-passenger fixes several issues.
These security issues were fixed:
- CVE-2017-16355: When Passenger was running as root it was possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml (bsc#1073255).
- CVE-2017-1000384: Introduces a new check that logs a vulnerability warning if Passenger is run with root permissions while the directory permissions of (parts of) its root dir allow modifications by non-root users (bsc#1068874).
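A defender can audit for both conditions described above. The following is an added example, not code from Passenger or from SUSE: the function names are hypothetical, the permission rule (non-root owner or any group/other write bit) is a conservative assumption rather than Passenger's own check, and the sample directories are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_revision_file(app_root):
    """Classify <app_root>/REVISION without ever following a symlink."""
    revision = Path(app_root) / "REVISION"
    try:
        st = os.lstat(revision)  # lstat inspects the link itself
    except FileNotFoundError:
        return "absent"
    if stat.S_ISLNK(st.st_mode):
        return f"symlink -> {os.readlink(revision)}"
    return "regular" if stat.S_ISREG(st.st_mode) else "other"


def non_root_can_modify(st_uid, st_mode):
    """Conservative assumption: non-root owner or group/other write bit."""
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_ancestors(directory):
    """Return the directory and every ancestor a non-root user could modify."""
    path = Path(directory).resolve()
    return [str(p) for p in (path, *path.parents)
            if non_root_can_modify(os.stat(p).st_uid, os.stat(p).st_mode)]


def demo():
    """Constructed sample: throwaway app roots, one with a symlinked REVISION."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good_app"), Path(tmp, "bad_app")
        good.mkdir()
        bad.mkdir()
        (good / "REVISION").write_text("abc123\n")
        target = Path(tmp, "unrelated.txt")
        target.write_text("constructed\n")
        os.symlink(target, bad / "REVISION")
        return {
            "good": audit_revision_file(good),
            "bad": audit_revision_file(bad),
            "none": audit_revision_file(tmp),
        }


if __name__ == "__main__":
    print(demo(), risky_ancestors(os.getcwd()))
```

Any application root reported as `symlink -> ...` on a host where Passenger runs as root deserves review until the fixed package is installed.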
Package list
SUSE Linux Enterprise Module for Containers 12
References
- Link for SUSE-SU-2018:0262-1
- E-Mail link for SUSE-SU-2018:0262-1
- SUSE Security Ratings
- SUSE Bug 1068874
- SUSE Bug 1073255
- SUSE CVE CVE-2017-1000384 page
- SUSE CVE CVE-2017-16355 page
Description
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-16355. Reason: This candidate is a reservation duplicate of CVE-2017-16355. Notes: All CVE users should reference CVE-2017-16355 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Affected products
References
- CVE-2017-1000384
- SUSE Bug 1068874
Description
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.
Affected products
References
- CVE-2017-16355
- SUSE Bug 1073255