
Accepted ruby-passenger 4.0.53-1+deb8u1 (source amd64 all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Jun 2018 20:13:30 +0200
Source: ruby-passenger
Binary: ruby-passenger libapache2-mod-passenger ruby-passenger-doc
Architecture: source amd64 all
Version: 4.0.53-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libapache2-mod-passenger - Rails and Rack support for Apache2
 ruby-passenger - Rails and Rack support
 ruby-passenger-doc - Rails and Rack support for Apache2 - Documentation
Closes: 864651
Changes:
 ruby-passenger (4.0.53-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-12029: CHOWN race vulnerability
     A vulnerability was discovered by the Pulse Security team. It was
     exploitable only when running a non-standard
     passenger_instance_registry_dir, via a race condition where after a file
     was created, there was a window in which it could be replaced with a
     symlink before it was chowned via the path and not the file descriptor. If
     the symlink target was to a file which would be executed by root such as
     root's crontab file, then privilege escalation was possible. This is now
     mitigated by using fchown().
   * Fix CVE-2015-7519: header spoofing
     Remote attackers could spoof headers passed to applications by using an
     underscore character instead of a dash character in an HTTP header as
     demonstrated by an X_User header. (Closes: #864651)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
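
The CVE-2018-12029 entry above turns on ownership being changed via the path rather than the file descriptor. The following C code is an added illustration of the descriptor-based approach, not Passenger's code or the Debian patch; the function names, the temporary directory layout and the decoy file are assumptions constructed for the example.

```c
/* Added example: set ownership through the descriptor (the fchown() approach). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create path and set its owner through the descriptor, never the path.
 * O_EXCL|O_NOFOLLOW: fail if anything, including a symlink, already exists. */
int create_owned(const char *path, uid_t uid, gid_t gid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    if (fchown(fd, uid, gid) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* 1 if path still names the inode behind fd, 0 if it was swapped, -1 on error. */
int path_matches_fd(const char *path, int fd) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || lstat(path, &b) != 0) return -1;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Constructed scenario in a private temp dir: the path is re-pointed at a
 * decoy after creation. Returns 0 when the path check noticed the swap,
 * fchown() on the descriptor still succeeded against the original inode,
 * and a second create over the pre-placed symlink was refused. */
int swap_scenario(void) {
    char dir[] = "/tmp/fchown-demo-XXXXXX", file[64], decoy[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/registry", dir);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    close(open(decoy, O_WRONLY | O_CREAT | O_EXCL, 0600));
    int fd = create_owned(file, getuid(), getgid());
    if (fd < 0) return -1;
    unlink(file);
    if (symlink(decoy, file) != 0) return -1;   /* path now names a symlink */
    int swapped = (path_matches_fd(file, fd) == 0);
    int rc = fchown(fd, getuid(), getgid());    /* bound to the inode, not the name */
    int refused = (create_owned(file, getuid(), getgid()) == -1);
    close(fd); unlink(file); unlink(decoy); rmdir(dir);
    return (swapped && rc == 0 && refused) ? 0 : 1;
}

int main(void) { return swap_scenario(); }
```

A path-based chown() at the point marked "bound to the inode" would have followed the symlink to the decoy, which is the window the changelog entry describes.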