Date: Tue, 21 Nov 2017 17:15:56 -0600
From: John Lightsey <jd@...nel.net>
To: Tomas Hoger <thoger@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: phusion passenger CVE-2017-1000384

On 11/21/17 4:11 PM, Tomas Hoger wrote:
> On Fri, 17 Nov 2017 14:58:43 -0600 John Lightsey wrote:
>
>>> https://bugs.gentoo.org/634452
>>
>> The commit for the arbitrary file read vulnerability mentioned in the
>> Gentoo bug report is actually this one:
>>
>> https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
>
> Is passenger-status the only way to obtain the content of the target
> file? If so, this problem is mitigated in versions prior to 5.0.10
> where root privileges were required to get the status information.
>

Yes, that is accurate as far as I'm aware.