Fedora has issued an advisory on July 20: https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html The issue is fixed upstream in 4.0.8. While this issue is similar to CVE-2013-2119, it sounds like the version in Mageia 2 (2.2.x) is probably affected this time as well. Fedora has a patch for 3.0.21.
Whiteboard: (none) => MGA3TOO, MGA2TOO
I tried to update Cauldron to 4.0.8 and got this: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130811135605.luigiwalser.valstar.2868/log/rubygem-passenger-4.0.8-1.mga4/build.0.20130811135702.log WTF does this mean (especially since rake is installed in the chroot)?

Could not find 'rake' (>= 0) among 0 total gem(s) (Gem::LoadError)
RedHat's patch for 3.0.21 is committed to Mageia 3 SVN. It's not clear how to backport the fix to Mageia 2.
Pascal Terjan reverted the broken ruby-RubyGems in Cauldron that was causing the previous build error. Now it still doesn't build; perhaps an issue with boost: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130813140232.luigiwalser.valstar.18646/log/rubygem-passenger-4.0.8-1.mga4/build.0.20130813140304.log
Fixed in Cauldron in rubygem-passenger-4.0.8-1.mga4 by Pascal Terjan.
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Blocks: (none) => 10992
I've cloned this to Bug 10992 for the issue in Mageia 2, for which there is no patch available currently. Pushing the Mageia 3 update to QA. Note to QA: as with the previous update (Bug 10497), please just test the Apache module.

Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

It was reported that Phusion Passenger would reuse existing server instance directories (temporary directories) which could cause Passenger to remove or overwrite files belonging to other instances (CVE-2013-4136).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.1.mga3

from rubygem-passenger-3.0.21-2.1.mga3.src.rpm
CC: (none) => fundawang
Assignee: fundawang => qa-bugs
Whiteboard: MGA2TOO => (none)
Testing procedure: Install package, run httpd -M, verify that mod_passenger is loaded.
Whiteboard: (none) => has_procedure
Not loaded. I'll try to find out why.
There are two problems IINM

/etc/httpd/modules.d/mod_passenger.conf should be in /etc/httpd/conf/modules.d/ instead.

Once cp'd there it fails with..

# httpd -M | grep pas
httpd: Syntax error on line 55 of /etc/httpd/conf/httpd.conf: Syntax error on line 7 of /etc/httpd/conf/modules.d/mod_passenger.conf: Cannot load extramodules/mod_passenger.so into server: /etc/httpd/extramodules/mod_passenger.so: cannot open shared object file: No such file or directory

mod_passenger.conf is trying to load from an incorrect path..

LoadModule passenger_module extramodules/mod_passenger.so

# urpmf rubygem-passenger | grep mod_passenger.so
rubygem-passenger:/usr/lib64/apache-extramodules/mod_passenger.so
rubygem-passenger:/usr/lib/apache-extramodules/mod_passenger.so

Once changed in the cp'd /etc/httpd/conf/modules.d/mod_passenger.conf to..

<IfModule !mod_passenger.c>
LoadModule passenger_module /usr/lib64/apache-extramodules/mod_passenger.so
</IfModule>

# httpd -M | grep pas
passenger_module (shared)
Whiteboard: has_procedure => has_procedure feedback
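The diagnosis in the comment above (a LoadModule path that httpd resolves relative to ServerRoot, pointing at a directory that does not exist) can be checked without starting httpd. The script below is an added example, not code from this bug or from the rubygem-passenger package: it resolves each LoadModule path the way httpd does and reports whether the shared object exists, run here against a throwaway ServerRoot built under a temp dir with constructed copies of the broken and the corrected directive.

```shell
#!/bin/sh
# Added example, not from the bug thread: resolve each LoadModule path in an Apache
# module config the way httpd does (relative paths go under ServerRoot) and report
# whether the shared object exists, which is the failure diagnosed in the thread.
check_loadmodule() {
    conf=$1
    serverroot=$2
    rc=0
    while read -r directive mod path _; do
        [ "$directive" = "LoadModule" ] || continue
        case $path in
            /*) full=$path ;;              # absolute path, used as-is
            *)  full=$serverroot/$path ;;  # relative path, resolved under ServerRoot
        esac
        if [ -f "$full" ]; then
            echo "OK      $mod -> $full"
        else
            echo "MISSING $mod -> $full"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Constructed demo: a throwaway ServerRoot under a temp dir mirroring the layout in
# the thread (module under lib64/apache-extramodules, conf under conf/modules.d).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/lib64/apache-extramodules" "$root/conf/modules.d"
    : > "$root/lib64/apache-extramodules/mod_passenger.so"
    # As shipped: relative path that httpd looks for under ServerRoot/extramodules.
    printf '<IfModule !mod_passenger.c>\nLoadModule passenger_module extramodules/mod_passenger.so\n</IfModule>\n' \
        > "$root/conf/modules.d/broken.conf"
    # Corrected: absolute path to the installed module.
    printf '<IfModule !mod_passenger.c>\nLoadModule passenger_module %s\n</IfModule>\n' \
        "$root/lib64/apache-extramodules/mod_passenger.so" > "$root/conf/modules.d/fixed.conf"
    if check_loadmodule "$root/conf/modules.d/broken.conf" "$root"; then broken=0; else broken=1; fi
    if check_loadmodule "$root/conf/modules.d/fixed.conf" "$root"; then fixed=0; else fixed=1; fi
    rm -rf "$root"
    echo "broken=$broken fixed=$fixed"
}

demo
```

On a real host, run check_loadmodule against /etc/httpd/conf/modules.d/mod_passenger.conf with ServerRoot /etc/httpd before asking httpd -M to load it.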
Thanks Claire. I guess there really is nobody using this package. I wonder why we even still have it. *Sigh* Anyway, it just means that this package was never updated with the new paths for apache 2.4 in Mageia 3. This is easy to fix. Will be up soon.
Whiteboard: has_procedure feedback => has_procedure
Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

It was reported that Phusion Passenger would reuse existing server instance directories (temporary directories) which could cause Passenger to remove or overwrite files belonging to other instances (CVE-2013-4136).

Additionally, the package has been fixed so that the Apache module should load.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.2.mga3

from rubygem-passenger-3.0.21-2.2.mga3.src.rpm
Yeah, that's better David, thanks.

# httpd -M | grep pass
passenger_module (shared)

Testing complete mga3 64
Whiteboard: has_procedure => has_procedure mga3-64-ok
Testing complete mga2 32

Validating. Advisory from comment 10 uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
mga3 32* ..above, not mga2.
Update pushed: http://advisories.mageia.org/MGASA-2013-0253.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED