Debian Security Advisory(Debian安全报告) DSA-4415-1  passenger security update

Package ： passenger

CVE ID ： CVE-2017-16355

Debian Bug ： 884463

　　在web应用程序服务器passenger中发现了一个任意文件读取漏洞。允许将应用程序部署到passenger的本地用户可以利用这个缺陷，从REVISION文件创建到系统上任意文件的符号链接，并通过passenger-status显示其内容。

　　这个问题在5.0.30-1+deb9u1版本中得到了修复。

　　passenger的详细安全情况请参考其安全跟踪页面:https://securtracker.debian.org/tracker/passenger

-------------------------

Debian Security Advisory DSA-4415-1 passenger security update

Package        : passenger
CVE ID         : CVE-2017-16355
Debian Bug     : 884463

An arbitrary file read vulnerability was discovered in passenger, a web application server. A local user allowed to deploy an application to passenger, can take advantage of this flaw by creating a symlink from the REVISION file to an arbitrary file on the system and have its content displayed through passenger-status.

This problem has been fixed in version 5.0.30-1+deb9u1.

For the detailed security status of passenger please refer to its security tracker page at: https://security-tracker.debian.org/tracker/passenger