Debian Security Advisory(Debian安全报告) DSA-4415-1 passenger security update
Package : passenger
CVE ID : CVE-2017-16355
Debian Bug : 884463
在web应用程序服务器passenger中发现了一个任意文件读取漏洞。允许将应用程序部署到passenger的本地用户可以利用这个缺陷,从REVISION文件创建到系统上任意文件的符号链接,并通过passenger-status显示其内容。
这个问题在5.0.30-1+deb9u1版本中得到了修复。
passenger的详细安全情况请参考其安全跟踪页面:https://securtracker.debian.org/tracker/passenger
-------------------------
Debian Security Advisory DSA-4415-1 passenger security update
Package : passenger
CVE ID : CVE-2017-16355
Debian Bug : 884463
An arbitrary file read vulnerability was discovered in passenger, a web application server. A local user allowed to deploy an application to passenger, can take advantage of this flaw by creating a symlink from the REVISION file to an arbitrary file on the system and have its content displayed through passenger-status.
This problem has been fixed in version 5.0.30-1+deb9u1.
For the detailed security status of passenger please refer to its security tracker page at: https://security-tracker.debian.org/tracker/passenger