Phusion Passenger versions 3.0.0 through 5.3.1 are vulnerable to a file system access race condition in the Nginx module that allows for local privilege escalation. The vulnerability was exploitable only when running a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor. If the symlink target was to a file which would be executed by root such as root's crontab file, then privilege escalation was possible. External References: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ https://pulsesecurity.co.nz/advisories/phusion-passenger-priv-esc Upstream Patch: https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86
Created passenger tracking bugs for this issue: Affects: epel-7 [bug 1592614] Affects: fedora-all [bug 1592613]
Red Hat Ceph Storage 1.3 shipped rubygem-passenger as dependency to support rhcs-installer which was shipped as Tech Preview only.