Date: Tue, 21 Nov 2017 17:15:56 -0600
From: John Lightsey <jd@...nel.net>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: phusion passenger CVE-2017-1000384

On 11/21/17 4:11 PM, Tomas Hoger wrote:
> On Fri, 17 Nov 2017 14:58:43 -0600 John Lightsey wrote:
> 
>>> https://bugs.gentoo.org/634452
>>
>> The commit for the arbitrary file read vulnerability mentioned in the
>> Gentoo bug report is actually this one:
>>
>> https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
> 
> Is passenger-status the only way to obtain the content of the target
> file?  If so, this problem is mitigated in versions prior to 5.0.10
> where root privileges were required to get the status information.
> 

Yes, that is accurate as far as I'm aware.
