CVEs have been assigned for an issue in rubygem-passenger today (January 30): http://openwall.com/lists/oss-security/2014/01/30/3 The above link contains links to the upstream commits to fix the issue. It is not immediately clear whether 3.0.x (Mageia 3) is affected, but it was said in the thread to be related to, but different than, CVE-2013-4136 (Bug 10890).
CC: (none) => pterjan
Whiteboard: (none) => MGA4TOO
I have verified that Mageia 3 is affected. For Mageia 4 and Cauldron, since this is a /tmp symlink issue, I will not worry about this issue. See this comment for more: https://bugs.mageia.org/show_bug.cgi?id=7518#c25 For what it's worth, these issues are fixed upstream in 4.0.38.
Version: Cauldron => 3
Whiteboard: MGA4TOO => (none)
Closing due to Mageia 3 EOL: http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/
Status: NEW => RESOLVED
Resolution: (none) => OLD
Fedora has issued an advisory for this on January 25: https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149032.html
URL: (none) => http://lwn.net/Vulnerabilities/631649/