205104 – www/rubygem-passenger: update to 5.0.22 (CVE-2015-7519)

Bug 205104 - www/rubygem-passenger: update to 5.0.22 (CVE-2015-7519)

Summary: www/rubygem-passenger: update to 5.0.22 (CVE-2015-7519)

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Sergey A. Osokin

URL:	https://blog.phusion.nl/2015/12/07/cv...
Keywords:	needs-patch, security

Depends on:
Blocks:

Reported:	2015-12-07 23:21 UTC by Jason Unovitch
Modified:	2015-12-09 12:08 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (osa) junovitch: merge-quarterly?

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jason Unovitch freebsd_committer

2015-12-07 23:21:46 UTC

See URL

Comment 1 commit-hook freebsd_committer

2015-12-07 23:22:52 UTC

A commit references this bug:

Author: junovitch
Date: Mon Dec  7 23:22:25 UTC 2015
New revision: 403243
URL: https://svnweb.freebsd.org/changeset/ports/403243

Log:
  Document client controlled header overwriting in Phusion Passenger

  PR:		205104
  Security:	CVE-2015-7519
  Security:	https://vuxml.FreeBSD.org/freebsd/84fdd1bb-9d37-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

Comment 2 Jason Unovitch freebsd_committer

2015-12-07 23:24:24 UTC

Also see:
http://www.openwall.com/lists/oss-security/2015/12/07/1
http://www.openwall.com/lists/oss-security/2015/12/07/2

Comment 3 Kubilay Kocak freebsd_committer

2015-12-08 03:55:06 UTC

vuxml done, needs port update + mfh

Comment 4 commit-hook freebsd_committer

2015-12-08 23:09:02 UTC

A commit references this bug:

Author: osa
Date: Tue Dec  8 23:08:12 UTC 2015
New revision: 403349
URL: https://svnweb.freebsd.org/changeset/ports/403349

Log:
  Security update from 5.0.21 to 5.0.22:

  o) www/rubygem-passenger;
  o) third-party passenger modules for www/nginx and www/nginx-devel.

  Please note: third-party passenger module is disabled by default for
  www/nginx and www/nginx-devel ports.

  Security:	CVE-2015-7519
  PR:		205104

Changes:
  head/www/nginx/Makefile
  head/www/nginx/distinfo
  head/www/nginx/files/extra-patch-passenger-build-nginx.rb
  head/www/nginx-devel/Makefile
  head/www/nginx-devel/distinfo
  head/www/nginx-devel/files/extra-patch-passenger-build-nginx.rb
  head/www/rubygem-passenger/Makefile
  head/www/rubygem-passenger/distinfo

Comment 5 commit-hook freebsd_committer

2015-12-09 12:07:53 UTC

A commit references this bug:

Author: osa
Date: Wed Dec  9 12:06:50 UTC 2015
New revision: 403377
URL: https://svnweb.freebsd.org/changeset/ports/403377

Log:
  Security update to 5.0.22:

  o) www/rubygem-passenger;
  o) third-party passenger modules for www/nginx and www/nginx-devel.

  Please note: third-party passenger module is disabled by default for
  www/nginx and www/nginx-devel ports.

  Security:	CVE-2015-7519
  PR:		205104
  Approved by:	ports-secteam

Changes:
  branches/2015Q4/www/nginx/Makefile
  branches/2015Q4/www/nginx/distinfo
  branches/2015Q4/www/nginx/files/extra-patch-passenger-build-nginx.rb
  branches/2015Q4/www/nginx-devel/Makefile
  branches/2015Q4/www/nginx-devel/distinfo
  branches/2015Q4/www/nginx-devel/files/extra-patch-passenger-build-nginx.rb
  branches/2015Q4/www/rubygem-passenger/Makefile
  branches/2015Q4/www/rubygem-passenger/distinfo