Bug 10992

Summary: rubygem-passenger new security issue CVE-2013-4136
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Funda Wang <fundawang>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal    
Version: 2   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/561624/
Whiteboard:
Source RPM: rubygem-passenger-3.0.18-4.mga3.src.rpm CVE:
Status comment:
Bug Depends on: 10890    
Bug Blocks:    

Description David Walser 2013-08-13 21:39:39 CEST 
+++ This bug was initially created as a clone of Bug #10890 +++

Fedora has issued an advisory on July 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html

The issue is fixed upstream in 4.0.8.

While this issue is similar to CVE-2013-2119, it sounds like the version in Mageia 2 (2.2.x) is probably affected this time as well.  Fedora has a patch for 3.0.21.

Update: Mageia 2 is vulnerable, but I don't see any patches out there for rubygem-passenger 2.2.x.  I'll open this bug report for Mageia 2, and if a patch turns up for it later, use this for a Mageia 2 update.  Otherwise it'll stay open until Mageia 2 EOL.
David Walser 2013-08-13 21:47:49 CEST

Assignee: bugsquad => fundawang

Comment 1 David Walser 2013-11-22 16:10:42 CET 
Closing this now due to Mageia 2 EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status: NEW => RESOLVED
Resolution: (none) => OLD