On 24 September 2014, an important security vulnerability for Bash was published. This vulnerability, dubbed “Shellshock” and with identifiers CVE-2014-6271 and CVE-2014-7169, allows remote code execution.
This vulnerability is not caused by Phusion Passenger, but does affect Phusion Passenger. We strongly advise users to upgrade their systems as soon as possible. Please note that while CVE-2014-6271 has been patched, CVE-2014-7169 isn’t. A fix is still pending.
Update: CVE-2014-7169 has been patched in Debian 7. Other operating system vendors may follow soon.
For details about how Phusion Passenger is related to this vulnerability, please refer to https://news.ycombinator.com/item?id=8369776.
Please refer to your operating system vendor’s upgrade instructions, for example: