Date: Fri, 17 Nov 2017 14:58:43 -0600 From: John Lightsey <jd@...nel.net> To: oss-security@...ts.openwall.com Subject: Re: phusion passenger CVE-2017-1000384 On 11/17/17 2:15 PM, Kurt Seifried wrote: > Assigned CVE-2017-1000384 to > https://github.com/phusion/passenger/commit/a63f1e9cd8148dfaac08b00d74ef2b59bc2c9dd4 > > https://bugs.gentoo.org/634452 > > Please note: you have to have Phusion Passenger in a dir not owned by root, > and then run it as root (hint: that's never a good idea with anything). > The commit for the arbitrary file read vulnerability mentioned in the Gentoo bug report is actually this one: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf I'm not sure if the other commit was fixing an actual flaw or just intended as hardening. Passenger switches IDs to the user that's supposed to run the passenger application. The problem we reported was that some of the application data was read and stored before the ID switching took place. Download attachment "smime.p7s" of type "application/pkcs7-signature" (3982 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.