Phusion Passenger 4.0 beta 1 and 2: arbitrary file deletion vulnerability
The Phusion Passenger 4.0 betas contain a vulnerability that allows arbitrary files on the system to be deleted. The vulnerability is local and cannot be exploited remotely. It can only be triggered during application startup (e.g. during evaluation of config.ru). Environments that are at risk include, but may not be limited to:
- Environments that host arbitrary untrusted applications, e.g. shared hosting environments.
- Applications which contain vulnerabilities that allow their own code to be modified.
- Environments in which untrusted non-root users can modify application code.
Affected users are advised to upgrade to 4.0.0 RC 4.
Affected versions
- Phusion Passenger open source 4.0.0 beta 1
- Phusion Passenger open source 4.0.0 beta 2
- Phusion Passenger Enterprise 4.0.0 beta 1
- Phusion Passenger Enterprise 4.0.0 beta 2
Unaffected versions
- Phusion Passenger open source 3.x and earlier
- Phusion Passenger open source 4.0.0 RC 1 and later
- Phusion Passenger Enterprise 3.x and earlier
- Phusion Passenger Enterprise 4.0.0 RC 1 and later