Fedora has issued an advisory on June 1:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108443.html

The issue is fixed upstream in 3.0.21. Mageia 2 and Mageia 3 are also affected.
CC: (none) => dmorganec, fundawang, mageia
Whiteboard: (none) => MGA3TOO, MGA2TOO
Funda has fixed this in Cauldron in rubygem-passenger-4.0.5-1.mga4. An update candidate for Mageia 3 has been built; one for Mageia 2 is needed. rubygem-passenger-3.0.21-2.mga3 is the current update candidate.
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Never mind, Mageia 2 has 2.2.9, which doesn't appear to be vulnerable.
Whiteboard: MGA2TOO => (none)
Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

Phusion Passenger's code did not always create temporary files and directories in a secure manner. Temporary files and directories were sometimes created with a predictable filename. A local attacker can pre-create temporary files, resulting in a denial of service. In addition, this vulnerability allows a local attacker to run arbitrary code as another user, by hijacking temporary files (CVE-2013-2119).

The rubygem-passenger package has been upgraded to version 3.0.21, which fixes this issue, as well as many others.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2119
http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/
http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108443.html
========================

Updated packages in core/updates_testing:
========================

rubygem-passenger-3.0.21-2.mga3 from rubygem-passenger-3.0.21-2.mga3.src.rpm
Assignee: bugsquad => qa-bugs
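The vulnerability class the advisory describes (a guessable name in a shared temp directory that another local user can pre-create, and the exclusive-create pattern that refuses such a planted name) illustrated in Ruby. This is example code added for this report, not Passenger's code and not the upstream fix in 3.0.21; the function names are hypothetical and the demo directory and file names are constructed for the example.

```ruby
require "tmpdir"

# Added example, not Passenger's code. Function names are hypothetical.

# Insecure pattern: a fixed, guessable path in the world-writable temp
# directory. Any local user can create (or symlink) this name before the
# application does, which is the precondition for CVE-2013-2119-style attacks.
def predictable_tmp_path(app_name)
  File.join(Dir.tmpdir, "#{app_name}.sock")
end

# Hardened creation: O_CREAT|O_EXCL makes the open fail with Errno::EEXIST if
# the name already exists, so a pre-created file or symlink is never silently
# reused; mode 0600 keeps the content private to the owner.
def create_exclusive(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600)
end

# Preferred pattern: let the runtime pick an unpredictable name inside a fresh
# directory. Dir.mktmpdir creates that directory with mode 0700, so other local
# users cannot even enumerate the files it holds.
def with_private_tmpdir(prefix)
  Dir.mktmpdir(prefix) { |dir| yield dir }
end

# Audit check a packager can run over an application's temp paths: the entry
# must not be a symlink and must carry no group/other permission bits.
def safely_created?(path)
  st = File.lstat(path)
  !st.symlink? && (st.mode & 0o077).zero?
end

# Walk through the scenario and report what the hardened code does when the
# name already exists (simulated here by creating the same name twice).
def demo_exclusive_create(prefix = "cve-2013-2119-demo")
  with_private_tmpdir(prefix) do |dir|
    path = File.join(dir, "state.lock")   # constructed demo name
    first = create_exclusive(path)
    first.close
    second_rejected = begin
      create_exclusive(path)
      false                               # would mean a planted name was reused
    rescue Errno::EEXIST
      true                                # exclusive create refused the existing name
    end
    {
      dir_mode: File.stat(dir).mode & 0o777,      # expect 0700
      file_safe: safely_created?(path),           # expect true
      preexisting_rejected: second_rejected,      # expect true
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "predictable path: #{predictable_tmp_path('passenger')}"
  p demo_exclusive_create
end
```

The `safely_created?` check is the kind of thing to run against the paths a daemon creates under `/tmp` after an update like this one: a symlink or a mode with group/other bits set is the first thing to look for.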
Testing mga3 64

Sorry for the long comment. Tells users to use 'yum install' to install missing devel dependencies and errors when they have been installed. See further down.

--------------------------------------------------
# passenger start
Nginx core 1.2.4 isn't installed
Phusion Passenger Standalone will automatically install it into:

  /var/lib/passenger-standalone/natively-packaged/nginx-1.2.4

This will only be done once. Please sit back and relax while installation is in progress.

Checking for required software...

 * GNU C++ compiler... found at /bin/g++
 * GNU make... found at /bin/gmake
 * A download tool like 'wget' or 'curl'... found at /bin/wget
 * Ruby development headers... mkmf.rb can't find header files for ruby at /usr/share/include/ruby.h
not found
 * OpenSSL support for Ruby... found
 * RubyGems... found
 * Rake... found at /usr/bin/rake
 * rack... found
 * Curl development headers with SSL support... not found
 * OpenSSL development headers... not found
 * Zlib development headers... found
 * daemon_controller >= 1.0.0... found
 * Mizuho... not found

Some required software is not installed.
But don't worry, this installer will tell you how to install them.

Press Enter to continue, or Ctrl-C to abort.

--------------------------------------------
Installation instructions for required software

 * To install Ruby development headers:
   Please run yum install ruby-devel as root.          <===== Here

 * To install Curl development headers with SSL support:
   Please run yum install curl-devel as root.          <===== Here

 * To install OpenSSL development headers:
   Please run yum install openssl-devel as root.       <===== Here

 * To install Mizuho:
   Please install RubyGems first, then run /usr/bin/gem install mizuho

If the aforementioned instructions didn't solve your problem, then please take a look at the Users Guide:

  /usr/share/doc/phusion-passenger/Users guide Standalone.html
--------------------------------------------------

Once installed with urpmi and 'gem install mizuho', also installed and started nginx. It reports nginx as missing, tries to build it from source and fails.

# rpm -q nginx
nginx-1.2.9-1.1.mga3
# service nginx start
Redirecting to /bin/systemctl start nginx.service

--------------------------------------------------
# passenger start
Nginx core 1.2.9 isn't installed
Phusion Passenger Standalone will automatically install it into:

  /var/lib/passenger-standalone/natively-packaged/nginx-1.2.9

This will only be done once. Please sit back and relax while installation is in progress.

Checking for required software...

 * GNU C++ compiler... found at /bin/g++
 * GNU make... found at /bin/gmake
 * A download tool like 'wget' or 'curl'... found at /bin/wget
 * Ruby development headers... found
 * OpenSSL support for Ruby... found
 * RubyGems... found
 * Rake... found at /usr/bin/rake
 * rack... found
 * Curl development headers with SSL support... found
 * OpenSSL development headers... found
 * Zlib development headers... found
 * daemon_controller >= 1.0.0... found
 * Mizuho... found at /bin/mizuho

Downloading Passenger binaries for your platform, if available...
# wget -O /tmp/passenger.20130628-21062-hmex56/support.tar.gz http://standalone-binaries.modrails.com/natively-packaged/support.tar.gz
--2013-06-28 11:34:53--  http://standalone-binaries.modrails.com/natively-packaged/support.tar.gz
Resolving standalone-binaries.modrails.com (standalone-binaries.modrails.com)... 97.107.130.55
Connecting to standalone-binaries.modrails.com (standalone-binaries.modrails.com)|97.107.130.55|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-06-28 11:34:53 ERROR 404: Not Found.

Looks like it's not. But don't worry, the necessary binaries will be compiled from source instead.
Downloading Nginx binaries for your platform, if available...
# wget -O /tmp/passenger.20130628-21062-hmex56/nginx-1.2.9.tar.gz http://standalone-binaries.modrails.com/natively-packaged/nginx-1.2.9.tar.gz
--2013-06-28 11:34:53--  http://standalone-binaries.modrails.com/natively-packaged/nginx-1.2.9.tar.gz
Resolving standalone-binaries.modrails.com (standalone-binaries.modrails.com)... 97.107.130.55
Connecting to standalone-binaries.modrails.com (standalone-binaries.modrails.com)|97.107.130.55|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-06-28 11:34:54 ERROR 404: Not Found.

Looks like it's not. But don't worry, the necessary binaries will be compiled from source instead.
Downloading Nginx...
# wget -O /tmp/passenger.20130628-21062-hmex56/nginx-1.2.9.tar.gz http://nginx.org/download/nginx-1.2.9.tar.gz
--2013-06-28 11:34:54--  http://nginx.org/download/nginx-1.2.9.tar.gz
Resolving nginx.org (nginx.org)... 206.251.255.63
Connecting to nginx.org (nginx.org)|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 725829 (709K) [application/octet-stream]
Saving to: ‘/tmp/passenger.20130628-21062-hmex56/nginx-1.2.9.tar.gz’

100%[===================================================================================================>] 725,829     230KB/s   in 3.1s

2013-06-28 11:34:57 (230 KB/s) - ‘/tmp/passenger.20130628-21062-hmex56/nginx-1.2.9.tar.gz’ saved [725829/725829]

Installing Phusion Passenger Standalone...
/usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/runtime_installer.rb:414:in `chdir': No such file or directory - /usr/share/phusion-passenger/source (Errno::ENOENT)
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/runtime_installer.rb:414:in `install_passenger_support_files'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/runtime_installer.rb:146:in `install!'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/abstract_installer.rb:63:in `start'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/start_command.rb:318:in `install_runtime'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/start_command.rb:339:in `ensure_nginx_installed'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/start_command.rb:59:in `run'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:93:in `block in run_command'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:48:in `block in each_command'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:43:in `each'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:43:in `each_command'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:91:in `run_command'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:62:in `run!'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:39:in `run!'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/bin/passenger:32:in `<top (required)>'
        from /bin/passenger:23:in `load'
        from /bin/passenger:23:in `<main>'
--------------------------------------------------
Whiteboard: (none) => feedback
Assigning Funda as discussed. Please reassign to QA when you've had a chance to look, Funda. Thanks!
CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang
Well, passenger tends to be used as an Apache module rather than with nginx. I would suggest getting the security problem fixed ASAP. Regarding whether it is usable, let's start another report.
Please let's not make a habit of this; consider it a favour. There is little point in pushing sec updates for broken packages. Bug 10728 created for this not working.

Validating. Advisory from comment 3 uploaded with a note about other issues being handled in bug 10728.

Could sysadmin please push from 3 core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
Assignee: fundawang => qa-bugs
Whiteboard: feedback => (none)
CC: (none) => sysadmin-bugs
Everything I read suggested the opposite regarding nginx, btw, and it does default to using it.
Update pushed: http://advisories.mageia.org/MGASA-2013-0205.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED