A vulnerability was discovered by the Pulse Security team. It was exploitable only when running a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor. If the symlink target was to a file which would be executed by root such as root’s crontab file, then privilege escalation was possible. This is now mitigated by using fchown().
For Debian 7 Wheezy, these problems have been fixed in version 3.0.13debian-1+deb7u3.
We recommend that you upgrade your ruby-passenger packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.