Debian 10260 Published by

Updated ruby-passenger packages has been released for Debian GNU/Linux 7 Extended LTS to fix a CHOWN race vulnerability



Package ruby-passenger
Version 3.0.13debian-1+deb7u3
Related CVE CVE-2018-12029

A vulnerability was discovered by the Pulse Security team. It was exploitable only when running a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor. If the symlink target was to a file which would be executed by root such as root’s crontab file, then privilege escalation was possible. This is now mitigated by using fchown().

For Debian 7 Wheezy, these problems have been fixed in version 3.0.13debian-1+deb7u3.

We recommend that you upgrade your ruby-passenger packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/