Security update for rubygem-passenger

Announcement ID: SUSE-SU-2016:0042-1
Rating: moderate
Affected Products:
  • SLES for SAP Applications 11-SP4
  • SUSE Studio Onsite 1.3
  • WebYaST for SLE-11 1.3

An update that solves three vulnerabilities can now be installed.

Description:

This update fixes the following security issues:

  • CVE-2015-7519: Passenger did not filter incoming HTTP headers before turning them into CGI-style environment variables, as Apache does. Because a header name is mapped to a variable by upper-casing it and replacing "-" with "_", a client-supplied header such as X_Forwarded_For lands in the same variable as the X-Forwarded-For header set by the front-end proxy, so a client could spoof header values the application trusts. Headers containing underscores are now dropped (bnc#956281)

  • CVE-2013-4136: Passenger reused existing server instance directories (temporary directories), which could cause it to remove or overwrite files belonging to other instances. Fix: if the server instance directory already exists, it is now removed first so that the new directory is created with the expected permissions. If the directory still exists after removal, Phusion Passenger aborts rather than write to a directory with unexpected permissions (bnc#919726)

  • CVE-2013-2119: Fixed insecure temporary file handling that a local user could exploit by pre-creating the path Passenger expected to own (bnc#828005)
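The two behaviours described above can be reproduced in a few lines. The following is an added illustration, not code from Passenger or from SUSE: it shows how header names collapse onto one CGI variable and how the Apache-style underscore filter stops the spoofing (CVE-2015-7519), and then a helper that creates a server instance directory the way the CVE-2013-4136 fix is described (remove a stale directory, abort if it is still there, create with 0700). The header values, the directory name and the function names are all invented for the example.

```ruby
# Added example, not Passenger's own code.
require 'fileutils'
require 'tmpdir'

# Map an HTTP header name to its CGI variable name:
# "X-Forwarded-For" -> "HTTP_X_FORWARDED_FOR".
def cgi_env_name(header)
  'HTTP_' + header.upcase.tr('-', '_')
end

# Build the CGI environment for a request from an ordered list of
# [name, value] pairs. strict: false mirrors the unpatched behaviour
# (every header is mapped, later ones overwrite earlier ones);
# strict: true drops any header whose raw name contains characters
# other than letters, digits and "-", which is what Apache does.
def headers_to_env(headers, strict:)
  env = {}
  headers.each do |name, value|
    next if strict && name !~ /\A[A-Za-z0-9-]+\z/
    env[cgi_env_name(name)] = value
  end
  env
end

# Constructed request: the proxy's X-Forwarded-For followed by a
# client-supplied header that differs only by using "_" instead of "-".
def spoof_demo
  headers = [['X-Forwarded-For', '10.0.0.1'],      # set by the proxy
             ['X_Forwarded_For', '203.0.113.9']]   # supplied by the client
  {
    unfiltered: headers_to_env(headers, strict: false)['HTTP_X_FORWARDED_FOR'],
    filtered:   headers_to_env(headers, strict: true)['HTTP_X_FORWARDED_FOR']
  }
end

# Create a per-instance directory as the CVE-2013-4136 fix describes:
# a leftover entry at the path is removed first, the caller aborts if it
# is still present, and the new directory is created mode 0700 and
# verified to be a real directory owned by this process.
def create_instance_dir(path)
  FileUtils.rm_rf(path) if File.exist?(path) || File.symlink?(path)
  if File.exist?(path) || File.symlink?(path)
    raise "#{path} still exists after removal; refusing to reuse it"
  end
  Dir.mkdir(path, 0o700)
  File.chmod(0o700, path)            # defeat a permissive umask
  st = File.lstat(path)
  unless st.directory? && st.uid == Process.euid && (st.mode & 0o777) == 0o700
    raise "#{path} is not a 0700 directory owned by uid #{Process.euid}"
  end
  path
end

if $PROGRAM_NAME == __FILE__
  p spoof_demo
  Dir.mktmpdir do |tmp|
    stale = File.join(tmp, 'passenger.1')
    Dir.mkdir(stale, 0o777)
    File.write(File.join(stale, 'leftover'), 'from another instance')
    create_instance_dir(stale)
    p Dir.children(stale)   # the stale contents are gone
  end
end
```

Without the filter the client's value wins, because it is processed last and writes to the same variable; with the filter the proxy's value survives. The directory helper checks the result with lstat rather than stat so a symlink planted at the path cannot pass as a directory.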

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Studio Onsite 1.3
    zypper in -t patch slestso13-rubygem-passenger-12303=1
  • WebYaST for SLE-11 1.3
    zypper in -t patch slewyst13-rubygem-passenger-12303=1
  • SLES for SAP Applications 11-SP4
    zypper in -t patch slewyst13-rubygem-passenger-12303=1

Package List:

  • SUSE Studio Onsite 1.3 (x86_64)
    • rubygem-passenger-3.0.14-0.14.1
    • rubygem-passenger-nginx-3.0.14-0.14.1
  • WebYaST for SLE-11 1.3 (s390x x86_64 i586 ppc64 ia64)
    • rubygem-passenger-3.0.14-0.14.1
    • rubygem-passenger-nginx-3.0.14-0.14.1
  • SLES for SAP Applications 11-SP4 (ppc64 x86_64)
    • rubygem-passenger-3.0.14-0.14.1
    • rubygem-passenger-nginx-3.0.14-0.14.1
