Hey, It looks like version 5.0.30 is not impacted by the CVE[1], and to the best of my abilities, I couldn't reproduce the insecure behavior.
I didn't try to read through the source to see if a fix patch *might* still do something useful. Commit 4043718264095cde6623c2cbe8c644541036d7bf[2] does merge cleanly, build and run, but I could not test that it fixes anything (being unable to repro the bug). I've included a debdiff, if you want to include it anyway (I only did a cursory test of the new package, so we would maybe want to do more extensive verification that the patch doesn't break anything). Regards, Martin 1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16355 2: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
debdiff
Description: Binary data