Security update for rubygem-passenger
Announcement ID: SUSE-SU-2016:0042-1
Rating: moderate
References: #828005 #919726 #956281
Affected Products:
An update that fixes three vulnerabilities is now available.
Description:
This update fixes the following security issues:
- CVE-2015-7519: Passenger did not filter the environment the way Apache
does (bnc#956281)
- CVE-2013-4136: Passenger would reuse existing server instance
directories (temporary directories), which could cause Passenger to
remove or overwrite files belonging to other instances. Solution: if the
server instance directory already exists, it is now removed first in
order to get correct directory permissions. If the directory still exists
after removal, Phusion Passenger aborts to avoid writing to a directory
with unexpected permissions. (bnc#919726)
- CVE-2013-2119: Fixed a security issue related to incorrect temporary
file usage (bnc#828005)
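The remove-then-abort logic described for CVE-2013-4136, sketched in C as an added example; it is not Passenger's own code. The function names, the demo directory name, the 0700 mode and the final owner/mode verification are assumptions that go beyond what the advisory states.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete `name` (relative to dirfd) and everything below it. O_NOFOLLOW makes
   a symlink fail to open, so it is unlinked itself and never followed. */
static void remove_tree(int dirfd, const char *name) {
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) {                      /* file, symlink, or nothing there */
        unlinkat(dirfd, name, 0);
        return;
    }
    DIR *d = fdopendir(fd);
    struct dirent *e;
    while (d != NULL && (e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0)
            remove_tree(fd, e->d_name);
    if (d != NULL) closedir(d); else close(fd);
    unlinkat(dirfd, name, AT_REMOVEDIR);
}

/* Returns 0 once a fresh private directory exists at path; -1 means the
   caller must abort instead of writing there. Mode 0700 is an assumption. */
int create_instance_dir(const char *path) {
    struct stat st;
    remove_tree(AT_FDCWD, path);             /* 1. never reuse a leftover */
    if (lstat(path, &st) == 0 || errno != ENOENT)
        return -1;                           /* 2. still present: abort */
    if (mkdir(path, 0700) != 0)              /* 3. EEXIST if recreated meanwhile */
        return -1;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        return -1;                           /* 4. verify type, owner, mode */
    return 0;
}

int main(void) {
    const char *dir = "passenger-demo.instance";   /* constructed name */
    int rc = create_instance_dir(dir);
    printf("%s: %s\n", dir, rc == 0 ? "created" : "aborted");
    if (rc == 0) remove_tree(AT_FDCWD, dir);
    return rc == 0 ? 0 : 1;
}
```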
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Webyast 1.3:
  zypper in -t patch slewyst13-rubygem-passenger-12303=1
- SUSE Studio Onsite 1.3:
  zypper in -t patch slestso13-rubygem-passenger-12303=1
- SUSE Lifecycle Management Server 1.3:
  zypper in -t patch sleslms13-rubygem-passenger-12303=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Webyast 1.3 (i586 ia64 ppc64 s390x x86_64):
  - rubygem-passenger-3.0.14-0.14.1
  - rubygem-passenger-nginx-3.0.14-0.14.1
- SUSE Studio Onsite 1.3 (x86_64):
  - rubygem-passenger-3.0.14-0.14.1
  - rubygem-passenger-nginx-3.0.14-0.14.1
- SUSE Lifecycle Management Server 1.3 (x86_64):
  - rubygem-passenger-3.0.14-0.14.1
  - rubygem-passenger-apache2-3.0.14-0.14.1
  - rubygem-passenger-nginx-3.0.14-0.14.1