CVE-2018-12029

Related Vulnerabilities: CVE-2018-12029   CVE-2017-16355  

Debian Bug report logs - #921767
CVE-2018-12029


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 8 Feb 2019 21:51:20 UTC

Severity: minor

Tags: patch, security, upstream

Found in version passenger/5.0.30-1

Fixed in versions passenger/5.0.30-1.1, passenger/5.0.30-1+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#921767; Package src:passenger. (Fri, 08 Feb 2019 21:51:23 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 08 Feb 2019 21:51:23 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-12029
Date: Fri, 08 Feb 2019 22:50:41 +0100
Source: passenger
Severity: grave
Tags: security

This was assigned CVE-2018-12029:
https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Feb 2019 04:39:02 GMT) (full text, mbox, link).


Marked as found in versions passenger/5.0.30-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Feb 2019 04:39:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#921767; Package src:passenger. (Sat, 16 Mar 2019 08:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 16 Mar 2019 08:45:05 GMT) (full text, mbox, link).


Message #14 received at 921767@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 921767@bugs.debian.org
Subject: Re: Bug#921767: CVE-2018-12029
Date: Sat, 16 Mar 2019 09:41:43 +0100
[Message part 1 (text/plain, inline)]
Hi,

On Fri, Feb 08, 2019 at 10:50:41PM +0100, Moritz Muehlenhoff wrote:
> Source: passenger
> Severity: grave
> Tags: security
> 
> This was assigned CVE-2018-12029:
> https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
> https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86

I think this issue should be lowered to minor or normal, as it fixes
the issue specifically in the nginx module, which AFAICS is not built
in the Debian build.

Am I missing something?

I have a NMU for the current two passenger issues, which still
includes the changes for CVE-2018-12029.

Regards,
Salvatore
[passenger_5.0.30-1.1.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 884463-submit@bugs.debian.org. (Sun, 17 Mar 2019 14:12:03 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 884463-submit@bugs.debian.org. (Sun, 17 Mar 2019 14:12:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#921767; Package src:passenger. (Sun, 17 Mar 2019 14:12:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 17 Mar 2019 14:12:07 GMT) (full text, mbox, link).


Message #23 received at 921767@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 884463@bugs.debian.org, 921767@bugs.debian.org
Subject: passenger: diff for NMU version 5.0.30-1.1
Date: Sun, 17 Mar 2019 15:08:10 +0100
[Message part 1 (text/plain, inline)]
Control: tags 884463 + pending
Control: tags 921767 + patch
Control: tags 921767 + pending

Dear maintainer,

I've prepared an NMU for passenger (versioned as 5.0.30-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Note that for 921767, unless I miss something, the issue should not be
RC, as the nginx module is not built, and the package is only affected at
source level. I have included the commit in the debdiff for people
building from the Debian package.

Regards,
Salvatore
[passenger-5.0.30-1.1-nmu.diff (text/x-diff, attachment)]

Severity set to 'minor' from 'grave'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Mar 2019 18:21:02 GMT) (full text, mbox, link).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 19 Mar 2019 14:42:06 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 19 Mar 2019 14:42:06 GMT) (full text, mbox, link).


Message #30 received at 921767-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 921767-close@bugs.debian.org
Subject: Bug#921767: fixed in passenger 5.0.30-1.1
Date: Tue, 19 Mar 2019 14:39:17 +0000
Source: passenger
Source-Version: 5.0.30-1.1

We believe that the bug you reported is fixed in the latest version of
passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921767@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Mar 2019 08:54:26 +0100
Source: passenger
Architecture: source
Version: 5.0.30-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 884463 921767
Changes:
 passenger (5.0.30-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * arbitrary file read via REVISION symlink (CVE-2017-16355)
     (Closes: #884463)
   * Fix privilege escalation in the Nginx module (CVE-2018-12029)
     (Closes: #921767)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 29 Mar 2019 01:21:07 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 29 Mar 2019 01:21:07 GMT) (full text, mbox, link).


Message #35 received at 921767-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 921767-close@bugs.debian.org
Subject: Bug#921767: fixed in passenger 5.0.30-1+deb9u1
Date: Fri, 29 Mar 2019 01:20:28 +0000
Source: passenger
Source-Version: 5.0.30-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921767@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Mar 2019 19:40:23 +0100
Source: passenger
Architecture: source
Version: 5.0.30-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 884463 921767
Changes:
 passenger (5.0.30-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * arbitrary file read via REVISION symlink (CVE-2017-16355)
     (Closes: #884463)
   * Fix privilege escalation in the Nginx module (CVE-2018-12029)
     (Closes: #921767)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 27 Apr 2019 07:26:51 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:06:19 2019; Machine Name: beach
