Security advisory: Phusion Passenger and the CVE-2014-6271 Bash vulnerability
On 24 September 2014, an important security vulnerability in Bash was published. This vulnerability, dubbed “Shellshock” and tracked as CVE-2014-6271 and CVE-2014-7169, allows remote code execution.
This vulnerability is not caused by Phusion Passenger, but it does affect Phusion Passenger. We strongly advise users to upgrade their systems as soon as possible. Please note that while CVE-2014-6271 has been patched, CVE-2014-7169 has not. A fix is still pending.
Update: CVE-2014-7169 has been patched in Debian 7. Other operating system vendors may follow soon.
For details about how Phusion Passenger is related to this vulnerability, please refer to https://news.ycombinator.com/item?id=8369776.
Please refer to your operating system vendor’s upgrade instructions, for example:
- Ubuntu Linux: http://www.ubuntu.com/usn/usn-2362-1/
- Debian Linux: https://www.debian.org/security/2014/dsa-3032
- Red Hat Linux: https://access.redhat.com/articles/1200223
- Amazon Linux: https://alas.aws.amazon.com/ALAS-2014-418.html