It was reported [1],[2] that Phusion Passenger would reuse existing server instance directories (temporary directories) which could cause Passenger to remove or overwrite files belonging to other instances. This has been corrected in upstream version 4.0.8 [3] via two fixes (the initial fix [4] and a regression fix [5]; both are required to fully fix the issue). This is an issue similar to CVE-2013-2119.

[1] http://www.openwall.com/lists/oss-security/2013/07/15/2
[2] https://code.google.com/p/phusion-passenger/issues/detail?id=910
[3] http://blog.phusion.nl/2013/07/09/phusion-passenger-4-0-8-released/
[4] https://github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b
[5] https://github.com/phusion/passenger/commit/9dda49f4a3ebe9bafc48da1bd45799f30ce19566
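The defensive pattern for the bug class reported above (adopting a temporary directory that already exists), shown as an added example: this is not Passenger's code and not the upstream fix. The function names, result codes and the `/tmp/instance-demo-*` path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes (names are this example's own). */
enum { DIR_OK = 0, DIR_EXISTS = -1, DIR_UNSAFE = -2, DIR_ERROR = -3 };

/* Validate a path before trusting it: a real directory (lstat() does not
 * follow symlinks), owned by us, with no group/other permission bits. */
int check_instance_dir(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return DIR_ERROR;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return DIR_UNSAFE;
    return DIR_OK;
}

/* Create a private instance directory. A pre-existing path is never adopted
 * or cleaned up: EEXIST is reported so the caller can pick another name. */
int create_instance_dir(const char *path)
{
    if (mkdir(path, 0700) != 0)
        return errno == EEXIST ? DIR_EXISTS : DIR_ERROR;
    return check_instance_dir(path);
}

int main(void)
{
    char base[] = "/tmp/instance-demo-XXXXXX"; /* constructed sample path */
    char dir[64];

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(dir, sizeof dir, "%s/instance.1234", base);
    printf("first create:  %d\n", create_instance_dir(dir));
    printf("second create: %d\n", create_instance_dir(dir));
    rmdir(dir);
    rmdir(base);
    return 0;
}
```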
Created rubygem-passenger tracking bugs for this issue:
Affects: fedora-all [bug 985634]
Created attachment 775343: 4.0.8 commits backported to 3.0.21

Both commits to the 4.0.x branch backported fairly well into 3.0.21. This is a combination of both commits into one patch.
rubygem-passenger-3.0.21-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-passenger-3.0.21-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-passenger-3.0.21-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
RHEL 6 Version of OpenShift Enterprise 1.2
Via RHSA-2013:1136 https://rhn.redhat.com/errata/RHSA-2013-1136.html
rubygem-passenger-3.0.21-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.