SUSE-SU-2016:0042-1: moderate: Security update for rubygem-passenger
sle-security-updates at lists.suse.com
Thu Jan 7 06:15:08 MST 2016
SUSE Security Update: Security update for rubygem-passenger
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:0042-1
Rating: moderate
References: #828005 #919726 #956281
Cross-References: CVE-2013-2119 CVE-2013-4136 CVE-2015-7519
Affected Products:
SUSE Webyast 1.3
SUSE Studio Onsite 1.3
SUSE Lifecycle Management Server 1.3
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update fixes the following security issues:
- CVE-2015-7519: Passenger does not filter the environment the way Apache
  does (bnc#956281)
- CVE-2013-4136: Passenger would reuse existing server instance
  directories (temporary directories), which could cause Passenger to
  remove or overwrite files belonging to other instances. Solution: If
  the server instance directory already exists, it is now removed first
  in order to get correct directory permissions. If the directory still
  exists after removal, Phusion Passenger aborts to avoid writing to a
  directory with unexpected permissions. (bnc#919726)
- CVE-2013-2119: Fixed a security issue related to incorrect temporary
  file usage (bnc#828005)
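The remove-then-create-then-verify sequence described for CVE-2013-4136, as an added Ruby sketch. It is not Passenger's own code; create_instance_dir and InstanceDirError are hypothetical names, and the 0700 default mode is an assumption.

```ruby
require 'fileutils'

# Hypothetical error type: raised whenever the caller must abort.
class InstanceDirError < StandardError; end

# True if anything occupies the path. File.symlink? is checked separately
# because File.exist? follows symlinks and misses a dangling one.
def path_occupied?(path)
  File.symlink?(path) || File.exist?(path)
end

# Create a fresh private directory at +path+ (hypothetical helper).
def create_instance_dir(path, mode = 0o700)
  # 1. Never reuse an existing directory: remove it first so the new one
  #    gets the permissions we ask for, not whatever was left behind.
  if path_occupied?(path)
    begin
      FileUtils.remove_entry_secure(path)
    rescue SystemCallError, ArgumentError => e
      raise InstanceDirError, "cannot remove existing #{path}: #{e.message}"
    end
  end

  # 2. If it is still there after removal, abort instead of writing into it.
  raise InstanceDirError, "#{path} still exists after removal" if path_occupied?(path)

  # 3. Dir.mkdir fails with EEXIST if the path reappeared in the meantime,
  #    so an existing directory is never silently adopted.
  begin
    Dir.mkdir(path, mode)
  rescue Errno::EEXIST
    raise InstanceDirError, "#{path} was recreated before mkdir"
  end

  # 4. Verify the result: a real directory, owned by this process, with no
  #    permission bits beyond the requested mode.
  st = File.lstat(path)
  unless st.directory? && st.uid == Process.euid && (st.mode & 0o7777 & ~mode).zero?
    raise InstanceDirError, "#{path} has unexpected owner or permissions"
  end
  path
end
```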
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Webyast 1.3:
zypper in -t patch slewyst13-rubygem-passenger-12303=1
- SUSE Studio Onsite 1.3:
zypper in -t patch slestso13-rubygem-passenger-12303=1
- SUSE Lifecycle Management Server 1.3:
zypper in -t patch sleslms13-rubygem-passenger-12303=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Webyast 1.3 (i586 ia64 ppc64 s390x x86_64):
rubygem-passenger-3.0.14-0.14.1
rubygem-passenger-nginx-3.0.14-0.14.1
- SUSE Studio Onsite 1.3 (x86_64):
rubygem-passenger-3.0.14-0.14.1
rubygem-passenger-nginx-3.0.14-0.14.1
- SUSE Lifecycle Management Server 1.3 (x86_64):
rubygem-passenger-3.0.14-0.14.1
rubygem-passenger-apache2-3.0.14-0.14.1
rubygem-passenger-nginx-3.0.14-0.14.1
References:
https://www.suse.com/security/cve/CVE-2013-2119.html
https://www.suse.com/security/cve/CVE-2013-4136.html
https://www.suse.com/security/cve/CVE-2015-7519.html
https://bugzilla.suse.com/828005
https://bugzilla.suse.com/919726
https://bugzilla.suse.com/956281