Debian Local Security Checks : Debian: Security Advisory (DLA-1399-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.891399

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DLA-1399-1)

Summary: The remote host is missing an update for the Debian 'ruby-passenger' package(s) announced via the DLA-1399-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'ruby-passenger' package(s) announced via the DLA-1399-1 advisory.

Vulnerability Insight:
Two flaws were discovered in ruby-passenger for Ruby Rails and Rack support that allowed attackers to spoof HTTP headers or exploit a race condition which made privilege escalation under certain conditions possible.

CVE-2015-7519

Remote attackers could spoof headers passed to applications by using an underscore character instead of a dash character in an HTTP header as demonstrated by an X_User header.

CVE-2018-12029

A vulnerability was discovered by the Pulse Security team. It was exploitable only when running a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor. If the symlink target was to a file which would be executed by root such as root's crontab file, then privilege escalation was possible. This is now mitigated by using fchown().

For Debian 8 Jessie, these problems have been fixed in version 4.0.53-1+deb8u1.

We recommend that you upgrade your ruby-passenger packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]

Affected Software/OS:
'ruby-passenger' package(s) on Debian 8.

Solution:
Please install the updated package(s).

CVSS Score:
4.4

CVSS Vector:
AV:L/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2015-7519
https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html
http://www.openwall.com/lists/oss-security/2015/12/07/1
http://www.openwall.com/lists/oss-security/2015/12/07/2
SuSE Security Announcement: SUSE-SU-2015:2337 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00024.html
Common Vulnerability Exposure (CVE) ID: CVE-2018-12029
https://security.gentoo.org/glsa/201807-02
https://blog.phusion.nl/passenger-5-3-2
https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc

Copyright Copyright (C) 2018 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.891399
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DLA-1399-1)
Summary:	The remote host is missing an update for the Debian 'ruby-passenger' package(s) announced via the DLA-1399-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'ruby-passenger' package(s) announced via the DLA-1399-1 advisory. Vulnerability Insight: Two flaws were discovered in ruby-passenger for Ruby Rails and Rack support that allowed attackers to spoof HTTP headers or exploit a race condition which made privilege escalation under certain conditions possible. CVE-2015-7519 Remote attackers could spoof headers passed to applications by using an underscore character instead of a dash character in an HTTP header as demonstrated by an X_User header. CVE-2018-12029 A vulnerability was discovered by the Pulse Security team. It was exploitable only when running a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor. If the symlink target was to a file which would be executed by root such as root's crontab file, then privilege escalation was possible. This is now mitigated by using fchown(). For Debian 8 Jessie, these problems have been fixed in version 4.0.53-1+deb8u1. We recommend that you upgrade your ruby-passenger packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references] Affected Software/OS: 'ruby-passenger' package(s) on Debian 8. Solution: Please install the updated package(s). CVSS Score: 4.4 CVSS Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2015-7519 https://lists.debian.org/debian-lts-announce/2018/06/msg00007.html http://www.openwall.com/lists/oss-security/2015/12/07/1 http://www.openwall.com/lists/oss-security/2015/12/07/2 SuSE Security Announcement: SUSE-SU-2015:2337 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00024.html Common Vulnerability Exposure (CVE) ID: CVE-2018-12029 https://security.gentoo.org/glsa/201807-02 https://blog.phusion.nl/passenger-5-3-2 https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc
Copyright	Copyright (C) 2018 Greenbone AG