
Phusion Passenger 4.0.5 released

By Hongli Lai on May 29th, 2013


Phusion Passenger is software that deploys Ruby and Python web apps by integrating into Apache and Nginx and turning them into a fully-featured application server. It is very fast, stable and robust, and is therefore used by the likes of New York Times, AirBnB, Symantec, Pixar, etc. It comes with many features that make your life easier and your application perform better.

Phusion Passenger is under constant maintenance and development. Version 4.0.5 is a bugfix release.

Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.

Recent changes

  • [Standalone] Fixed a regression that prevented Passenger Standalone
    from starting. Fixes issue #899.
  • Fixed security vulnerability CVE-2013-2119.

    Urgency: low
    Scope: local exploit
    Summary: denial of service and arbitrary code execution by hijacking temp files
    Affected versions: all versions
    Fixed versions: 3.0.21 and 4.0.5

    Description:
    Phusion Passenger’s code did not always create temporary files and directories in a secure manner. Temporary files and directories were sometimes created with a predictable filename. A local attacker can pre-create temporary files, resulting in a denial of service. In addition, this vulnerability allows a local attacker to run arbitrary code as another user, by hijacking temporary files.

    By pre-creating certain temporary files with certain permissions, attackers can prevent Passenger Standalone from starting (denial of service).

    By pre-creating certain temporary files with certain other permissions, attackers can trick passenger start and the build system (which is invoked by passenger-install-apache2-module/passenger-install-nginx-module) into running arbitrary code. The code runs as the user that ran passenger start or the build system. Attacks of this nature have to be timed exactly right: the attacker must overwrite the file contents right after Phusion Passenger has written them, but right before the file is used. In the context of passenger start, the vulnerable window begins right after Passenger Standalone has created the Nginx config file, and ends when Nginx has read the config file. Once Nginx has started and initialized, the system is no longer vulnerable. passenger stop and other Passenger Standalone commands besides start are not vulnerable. In the context of the build system, the vulnerable window begins when passenger-install-apache2-module/passenger-install-nginx-module prints its first dependency checking message, and ends when it prints the first compiler command.

    Only the passenger start, passenger-install-apache2-module and passenger-install-nginx-module commands are vulnerable. Phusion Passenger for Apache and Phusion Passenger for Nginx (once they are installed) are not vulnerable.

    Fixed versions:
    3.0.21 and 4.0.5 have been released to address this issue.

    Workaround:
    You can use this workaround if you are unable to upgrade. Before invoking any Phusion Passenger command, set the TMPDIR environment variable to a directory that is not world-writable. Special care must be taken when you use sudo: sudo resets all environment variables, so you should either invoke sudo with -E, or you must set the environment variable after gaining root privileges with sudo.

    Credits:
    Thanks to Kurt Seifried and Michael Scherer from Red Hat for reporting this issue.
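The Ruby snippet below is an added illustration for this announcement; it is not Phusion Passenger's own code and does not reproduce the fix as shipped in 3.0.21/4.0.5. It shows the two points made above: why a temporary file at a predictable name in a shared directory can be silently reused by a pre-created entry, and what the hardened alternative looks like (a fresh mode-0700 directory from Dir.mktmpdir plus an O_CREAT|O_EXCL open that fails instead of reusing an existing entry). It also includes the kind of pre-flight check the TMPDIR workaround relies on: the directory must exist, be owned by the invoking user and not be group- or world-writable. The method names (private_tmpdir?, write_predictable, write_exclusive, demo) are placeholders chosen for this example, and the directory layout it exercises is constructed on the fly under a throwaway directory.

```ruby
require "tmpdir"
require "fileutils"

# True when +dir+ is a safe TMPDIR for the current user (the property the
# workaround in the advisory asks for): it exists, is a directory, is owned
# by us, and carries no group- or world-write bit.
def private_tmpdir?(dir)
  st = File.stat(dir)
  return false unless st.directory?
  return false unless st.uid == Process.euid
  (st.mode & 0o022).zero?
rescue Errno::ENOENT, Errno::EACCES, Errno::ENOTDIR
  false
end

# Insecure pattern, shown only for contrast: a predictable path in a shared
# directory, opened with plain "w". If someone else pre-created +path+, the
# open simply truncates and reuses that entry, and whoever controls it can
# replace the contents before the consumer (e.g. a web server) reads them.
def write_predictable(path, contents)
  File.open(path, "w") { |f| f.write(contents) }
  path
end

# Hardened pattern: +dir+ is expected to be a private, freshly created
# directory (Dir.mktmpdir yields a random name with mode 0700). The file is
# opened with O_CREAT|O_EXCL and mode 0600, so a pre-existing entry of any
# kind makes the open raise Errno::EEXIST rather than being silently reused.
def write_exclusive(dir, name, contents)
  path = File.join(dir, name)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(contents)
  end
  path
end

# Runs both patterns against a constructed layout and returns the outcomes.
def demo
  results = {}
  Dir.mktmpdir("tmpfile-demo") do |base|
    # A shared, world-writable directory, like a stock /tmp (constructed here).
    shared = File.join(base, "shared")
    Dir.mkdir(shared)
    File.chmod(0o1777, shared)                  # chmod is not subject to umask
    results[:shared_is_private] = private_tmpdir?(shared)

    # A locally pre-created entry at the predictable name (constructed here).
    victim = File.join(shared, "nginx.conf")
    File.write(victim, "pre-created")
    write_predictable(victim, "real config")
    results[:predictable_reused] = File.read(victim) == "real config"

    # A private directory passes the check, and the exclusive create works
    # once on a fresh name...
    private_dir = File.join(base, "private")
    Dir.mkdir(private_dir)
    File.chmod(0o700, private_dir)
    results[:private_is_private] = private_tmpdir?(private_dir)
    write_exclusive(private_dir, "nginx.conf", "real config")

    # ...and refuses to touch the name a second time.
    begin
      write_exclusive(private_dir, "nginx.conf", "again")
      results[:exclusive_refused] = false
    rescue Errno::EEXIST
      results[:exclusive_refused] = true
    end
  end
  results
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

private_tmpdir? is the check to run on whatever you export as TMPDIR before invoking passenger start or the install scripts; write_exclusive is the pattern that closes the window the advisory describes, because a file that already exists at the chosen name causes a failure you can see rather than a silent reuse. Note that the check deliberately rejects directories with the sticky bit and world-write set (the usual /tmp layout), since the advisory asks for a directory that is not world-writable at all.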

Installing 4.0.5

Quick install/upgrade

Phusion Passenger Enterprise users can download the Enterprise version of 4.0.5 from the Customer Area.

Open source users can install the open source version of 4.0.5 with the following commands:

gem install passenger
passenger-install-apache2-module
passenger-install-nginx-module

You can also download the tarball at Google Code. We strongly encourage you to cryptographically verify files after downloading them.

In-depth instructions

In-depth installation and upgrade instructions can be found in the Installation section of the documentation. The documentation covers:

  • Detailed tarball installation instructions.
  • Detailed upgrade instructions.
  • Installation troubleshooting.
  • Installation through APT and YUM.

You can view the documentation online here:

Final

If you would like to stay up to date with Phusion news, please fill in your name and email address below and sign up for our newsletter. We won’t spam you, we promise.