File _patchinfo of Package patchinfo.6150

<patchinfo incident="6150">
  <issue id="1068874" tracker="bnc">VUL-0: CVE-2017-1000384: rubygem-passenger: Arbitrary file read vulnerability</issue>
  <issue id="1073255" tracker="bnc">VUL-1: CVE-2017-16355: rubygem-passenger: agent/Core/SpawningKit/Spawner.h, if Passenger is running as root, allows for arbitrary file reads in certain configurations</issue>
  <issue id="2017-16355" tracker="cve" />
  <issue id="2017-1000384" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>schubi2</packager>
  <description>This update for rubygem-passenger fixes several issues.

These security issues were fixed:

- CVE-2017-16355: When Passenger was running as root it was possible to list
  the contents of arbitrary files on a system by symlinking a file named REVISION
  from the application root folder to a file of choice and querying
  passenger-status --show=xml (bsc#1073255).
- CVE-2017-1000384: Added a check that logs a vulnerability warning if Passenger is run
  with root permissions while the directory permissions of (parts of) its root dir allow
  modifications by non-root users (bsc#1068874).
</description>
  <summary>Security update for rubygem-passenger</summary>
</patchinfo>