Bug 10992 - rubygem-passenger new security issue CVE-2013-4136
Summary: rubygem-passenger new security issue CVE-2013-4136
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Funda Wang
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/561624/
Whiteboard:
Keywords:
Depends on: 10890
Blocks:
Reported: 2013-08-13 21:39 CEST by David Walser
Modified: 2013-11-22 16:10 CET

See Also:
Source RPM: rubygem-passenger-3.0.18-4.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2013-08-13 21:39:39 CEST
+++ This bug was initially created as a clone of Bug #10890 +++

Fedora has issued an advisory on July 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html

The issue is fixed upstream in 4.0.8.

While this issue is similar to CVE-2013-2119, it sounds like the version in Mageia 2 (2.2.x) is probably affected this time as well.  Fedora has a patch for 3.0.21.

Update: Mageia 2 is vulnerable, but I don't see any patches out there for rubygem-passenger 2.2.x.  I'll open this bug report for Mageia 2, and if a patch turns up for it later, use this for a Mageia 2 update.  Otherwise it'll stay open until Mageia 2 EOL.
David Walser 2013-08-13 21:47:49 CEST

Assignee: bugsquad => fundawang

Comment 1 David Walser 2013-11-22 16:10:42 CET
Closing this now due to Mageia 2 EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status: NEW => RESOLVED
Resolution: (none) => OLD

