OpenHistoricalMap / issues

File your issues here, regardless of repo until we get all our repos squared away; we don't want to miss anything.
Creative Commons Zero v1.0 Universal

Update passenger to version 6.0.20 #778

Closed Rub21 closed 4 weeks ago

Rub21 commented 4 weeks ago

Currently we are running version 6.0.10 in staging and production, which needs to be updated in the web container because of security issues 👇

[ N 2024-05-02 18:14:55.1738 330/T1 age/Wat/WatchdogMain.cpp:1373 ]: Starting Passenger watchdog...
[ N 2024-05-02 18:14:55.2249 334/T1 age/Cor/CoreMain.cpp:1340 ]: Starting Passenger core...
[ N 2024-05-02 18:14:55.2249 334/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode.
[ N 2024-05-02 18:14:55.2323 334/T1 age/Cor/CoreMain.cpp:1015 ]: Passenger core online, PID 334
[Thu May 02 18:14:55.234249 2024] [mpm_event:notice] [pid 301:tid 140207974897536] AH00489: Apache/2.4.52 (Ubuntu) Phusion_Passenger/6.0.10 configured -- resuming normal operations
[Thu May 02 18:14:55.234612 2024] [core:notice] [pid 301:tid 140207974897536] AH00094: Command line: '/usr/sbin/apache2 -D FOREGROUND'
[ N 2024-05-02 18:14:55.6010 306/T1 age/Cor/TelemetryCollector.h:531 ]: Message from Phusion: End time can not be before or equal to begin time
[ N 2024-05-02 18:14:55.6521 306/T1 age/Cor/CoreMain.cpp:1325 ]: Passenger core shutdown finished
App 412 output: WARN: advpng none at /usr/bin/advpng (== none) is of unknown version
[ E 2024-05-02 18:14:57.7417 334/T5 age/Cor/SecurityUpdateChecker.h:521 ]: A security update is available for your version (6.0.10) of Phusion Passenger(R). We strongly recommend upgrading to version 6.0.20.
[ E 2024-05-02 18:14:57.7417 334/T5 age/Cor/SecurityUpdateChecker.h:526 ]: Additional security update check information:
- [Fixed in 6.0.14] [CVE-2018-25032] zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
- [Fixed in 6.0.14] A use after free memory safety issue was introduced in 6.0.12, and fixed in 6.0.14.
- [Fixed in 6.0.19] [CVE-2023-38545] A vulnerability existed in libcurl before 8.4.0 which was the library used for Passenger proxy functionality. Exploiting this vulnerability would require two preconditions. First a SOCKS5 proxy to be configured for Passenger licensing, anonymous telemetry, or security update check which is not the default but is possible. Second the attacker would need to cause Passenger to use an attacker-controlled URL when performing these requests. Causing Passenger to use non-standard urls requires that the attacker already have code execution on the Passenger host, or control of the Passenger config. If exploited this vulnerability could lead to code execution, due to buffer overflow.

cc @batpad @danrademacher
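Added example, not part of this issue or of Passenger itself: a small POSIX shell check that parses the `SecurityUpdateChecker` line Passenger writes at startup (the `SAMPLE_LOG` lines below are constructed to mirror the ones pasted above), compares the running version against the recommended one, and returns non-zero when an upgrade is pending, so a CI step or container health check can fail before an outdated Passenger reaches production. The function names and `SAMPLE_LOG` are my own; the log format is the one shown in this issue.

```shell
#!/bin/sh
# Added example (not from the OpenHistoricalMap repo or from Passenger):
# fail when Passenger's own security update checker reports that the
# running version is behind the recommended one.

# Constructed sample log lines, modelled on the ones pasted in the issue.
SAMPLE_LOG='[ N 2024-05-02 18:14:55.2323 334/T1 age/Cor/CoreMain.cpp:1015 ]: Passenger core online, PID 334
[ E 2024-05-02 18:14:57.7417 334/T5 age/Cor/SecurityUpdateChecker.h:521 ]: A security update is available for your version (6.0.10) of Phusion Passenger(R). We strongly recommend upgrading to version 6.0.20.
[ E 2024-05-02 18:14:57.7417 334/T5 age/Cor/SecurityUpdateChecker.h:526 ]: Additional security update check information:'

# Print "<running> <recommended>" from the first SecurityUpdateChecker
# line in the given log text; print nothing if no such line exists.
passenger_versions_from_log() {
    printf '%s\n' "$1" | sed -n \
        's/.*SecurityUpdateChecker.*available for your version (\([0-9.]*\)).*upgrading to version \([0-9.]*\)\..*/\1 \2/p' \
        | head -n 1
}

# Return 0 if dotted version $1 >= $2, else 1 (pure awk, no GNU sort -V needed).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Exit 0 when up to date (or when Passenger logged no check line, e.g. the
# checker is disabled or the container has no outbound network), 1 when the
# checker says an upgrade is needed.
passenger_check_log() {
    versions=$(passenger_versions_from_log "$1")
    if [ -z "$versions" ]; then
        echo "no SecurityUpdateChecker line found; cannot confirm version status"
        return 0
    fi
    running=${versions% *}
    recommended=${versions#* }
    if version_ge "$running" "$recommended"; then
        echo "passenger $running is at or above recommended $recommended"
        return 0
    fi
    echo "passenger $running is behind recommended $recommended; upgrade required"
    return 1
}

# Usage in CI or a health check: passenger_check_log "$(docker logs web 2>&1)"
# Demonstration on the constructed sample (reports the 6.0.10 -> 6.0.20 gap):
if passenger_check_log "$SAMPLE_LOG"; then
    echo "OK"
else
    echo "UPDATE REQUIRED"
fi
```

Note that a missing checker line is treated as "unknown", not "safe": Passenger only logs it when the update check actually ran, so a container without outbound network access produces no line at all, and the version should then be pinned and verified at build time instead.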

Rub21 commented 4 weeks ago

fixed!