Bug 12479

Summary: rubygem-passenger new security issues CVE-2014-1831 and CVE-2014-1832
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Funda Wang <fundawang>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: pterjan
Version: 3   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/631649/
Whiteboard:
Source RPM: rubygem-passenger-4.0.19-5.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-01-30 17:51:45 CET 
CVEs have been assigned for an issue in rubygem-passenger today (January 30):
http://openwall.com/lists/oss-security/2014/01/30/3

The above link contains links to the upstream commits to fix the issue.

It is not immediately clear whether 3.0.x (Mageia 3) is affected, but it was said in the thread to be related to, but different than, CVE-2013-4136 (Bug 10890).

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-30 17:52:05 CET

CC: (none) => pterjan
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-07-08 22:06:34 CEST 
I have verified that Mageia 3 is affected.

For Mageia 4 and Cauldron, since this is a /tmp symlink issue, I will not worry about this issue.  See this comment for more:
https://bugs.mageia.org/show_bug.cgi?id=7518#c25

For what it's worth, these issues are fixed upstream in 4.0.38.

Version: Cauldron => 3
Whiteboard: MGA4TOO => (none)

Comment 2 David Walser 2014-11-27 15:55:46 CET 
Closing due to Mageia 3 EOL:
http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 3 David Walser 2015-02-03 18:44:32 CET 
Fedora has issued an advisory for this on January 25:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html

URL: (none) => http://lwn.net/Vulnerabilities/631649/