| Summary: | rubygem-passenger new security issue CVE-2013-4136 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | fundawang, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/561624/ | | |
| Whiteboard: | has_procedure mga3-64-ok mga3-32-ok | | |
| Source RPM: | rubygem-passenger-3.0.18-4.mga3.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 10992 | | |
Description

David Walser 2013-07-31 19:45:37 CEST

David Walser 2013-07-31 19:45:43 CEST
Whiteboard: (none) => MGA3TOO, MGA2TOO

I tried to update Cauldron to 4.0.8 and got this:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130811135605.luigiwalser.valstar.2868/log/rubygem-passenger-4.0.8-1.mga4/build.0.20130811135702.log

WTF does this mean (especially since rake is installed in the chroot)?

Could not find 'rake' (>= 0) among 0 total gem(s) (Gem::LoadError)

RedHat's patch for 3.0.21 is committed to Mageia 3 SVN. It's not clear how to backport the fix to Mageia 2.

Pascal Terjan reverted the broken ruby-RubyGems in Cauldron that was causing the previous build error. Now it still doesn't build; perhaps an issue with boost:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130813140232.luigiwalser.valstar.18646/log/rubygem-passenger-4.0.8-1.mga4/build.0.20130813140304.log

Fixed in Cauldron in rubygem-passenger-4.0.8-1.mga4 by Pascal Terjan.
Version: Cauldron => 3

David Walser 2013-08-13 21:39:39 CEST
Blocks: (none) => 10992

I've cloned this to Bug 10992 for the issue in Mageia 2, for which there is no patch available currently.

Pushing the Mageia 3 update to QA.

Note to QA: as with the previous update (Bug 10497), please just test the Apache module.

Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

It was reported that Phusion Passenger would reuse existing server instance directories (temporary directories) which could cause Passenger to remove or overwrite files belonging to other instances (CVE-2013-4136).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.1.mga3

from rubygem-passenger-3.0.21-2.1.mga3.src.rpm
CC: (none) => fundawang

Testing procedure: Install package, run httpd -M, verify that mod_passenger is loaded.
Whiteboard: (none) => has_procedure

Not loaded. I'll try to find out why.

There are two problems IINM.

/etc/httpd/modules.d/mod_passenger.conf should be in /etc/httpd/conf/modules.d/ instead.

Once cp'd there it fails with ..

# httpd -M | grep pas
httpd: Syntax error on line 55 of /etc/httpd/conf/httpd.conf: Syntax error on line 7 of /etc/httpd/conf/modules.d/mod_passenger.conf: Cannot load extramodules/mod_passenger.so into server: /etc/httpd/extramodules/mod_passenger.so: cannot open shared object file: No such file or directory

mod_passenger.conf is trying to load from an incorrect path..

LoadModule passenger_module extramodules/mod_passenger.so

# urpmf rubygem-passenger | grep mod_passenger.so
rubygem-passenger:/usr/lib64/apache-extramodules/mod_passenger.so
rubygem-passenger:/usr/lib/apache-extramodules/mod_passenger.so

Once changed in the cp'd /etc/httpd/conf/modules.d/mod_passenger.conf to..

<IfModule !mod_passenger.c>
LoadModule passenger_module /usr/lib64/apache-extramodules/mod_passenger.so
</IfModule>

# httpd -M | grep pas
passenger_module (shared)
Whiteboard: has_procedure => has_procedure feedback

Thanks Claire. I guess there really is nobody using this package. I wonder why we even still have it. *Sigh*

Anyway, it just means that this package was never updated with the new paths for apache 2.4 in Mageia 3. This is easy to fix. Will be up soon.
Whiteboard: has_procedure feedback => has_procedure

Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

It was reported that Phusion Passenger would reuse existing server instance directories (temporary directories) which could cause Passenger to remove or overwrite files belonging to other instances (CVE-2013-4136).

Additionally, the package has been fixed so that the Apache module should load.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.2.mga3

from rubygem-passenger-3.0.21-2.2.mga3.src.rpm

Yeah, that's better David, thanks.

# httpd -M | grep pass
passenger_module (shared)

Testing complete mga3 64
Whiteboard: has_procedure => has_procedure mga3-64-ok

Testing complete mga2 32

Validating. Advisory from comment 10 uploaded.

Could sysadmin please push from 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update

mga3 32* ..above, not mga2.

Update pushed: http://advisories.mageia.org/MGASA-2013-0253.html
Status: NEW => RESOLVED
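The path mismatch Claire found in the QA comments above, turned into a reusable check. This is an added example, not code from the Mageia package or the bug thread: it resolves each LoadModule path the way httpd does (relative to ServerRoot unless absolute) and reports the ones that do not exist. The directory layout and both config fragments are constructed under a temp dir; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the Mageia package or this bug thread.
# httpd resolves a relative LoadModule path against ServerRoot, so the
# shipped fragment's "extramodules/mod_passenger.so" was looked up as
# /etc/httpd/extramodules/mod_passenger.so, which does not exist; the
# .so lives in /usr/lib64/apache-extramodules/. This check finds such
# mismatches before httpd -M has to.

# check_loadmodule CONF SERVERROOT: prints "ok"/"missing" per LoadModule
# directive; returns 0 only if every module file exists.
check_loadmodule() {
    conf=$1; serverroot=$2; rc=0
    # "name path" pairs from uncommented LoadModule lines
    pairs=$(sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1 \2/p' "$conf")
    # here-document instead of a pipe so rc is updated in this shell
    while read -r name path; do
        [ -n "$name" ] || continue
        case $path in
            /*) resolved=$path ;;              # absolute: used as-is
            *)  resolved=$serverroot/$path ;;  # relative: under ServerRoot
        esac
        if [ -f "$resolved" ]; then
            echo "ok      $name -> $resolved"
        else
            echo "missing $name -> $resolved"; rc=1
        fi
    done <<EOF
$pairs
EOF
    return $rc
}

# Constructed sample layout under a temp dir (no real system paths touched):
# an empty ServerRoot and the .so where urpmf showed it in the thread.
# Prints the temp dir; broken.conf uses the shipped relative path,
# fixed.conf the absolute one substituted during testing.
setup_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/httpd" "$root/usr/lib64/apache-extramodules"
    : > "$root/usr/lib64/apache-extramodules/mod_passenger.so"
    printf '<IfModule !mod_passenger.c>\nLoadModule passenger_module extramodules/mod_passenger.so\n</IfModule>\n' > "$root/broken.conf"
    printf '<IfModule !mod_passenger.c>\nLoadModule passenger_module %s/usr/lib64/apache-extramodules/mod_passenger.so\n</IfModule>\n' "$root" > "$root/fixed.conf"
    echo "$root"
}

root=$(setup_sample)
check_loadmodule "$root/broken.conf" "$root/etc/httpd" || echo "broken.conf: module would not load"
check_loadmodule "$root/fixed.conf"  "$root/etc/httpd" && echo "fixed.conf: all modules resolve"
rm -rf "$root"
```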