
Phusion Passenger 4.0.41 released, OpenSSL Heartbleed security update

By Hongli Lai on April 8th, 2014


Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc. are already using it, as well as over 350,000 websites.

Phusion Passenger 4.0.41 has been released ahead of time in order to address the OpenSSL Heartbleed security issue (CVE-2014-0160). This is an extremely serious vulnerability in OpenSSL which can completely negate the security that it provides. Users are advised to upgrade as soon as possible.

Phusion Passenger’s relationship with the OpenSSL Heartbleed vulnerability is as follows.

We provide precompiled binaries for Passenger Standalone. These binaries are statically linked to OpenSSL in order to make them usable on a wide range of operating systems. With 4.0.41, the binaries have been upgraded to link against OpenSSL 1.0.1g, which fixes the Heartbleed vulnerability.

You are vulnerable if:

  • You are using Passenger Standalone, with SSL enabled inside Passenger Standalone (that is, passenger start --ssl).

You are not vulnerable (to the Passenger Standalone static linking issue) if:

  • You are not using Passenger Standalone (e.g. if you’re using Phusion Passenger through the Apache or Nginx integration mode).
  • You are using Passenger Standalone, but without SSL.
  • Your Passenger Standalone is behind another SSL-enabled reverse proxy.

Update: Please note that the only thing this Phusion Passenger update fixes is any potential vulnerability in the Passenger Standalone binaries that we provide. Your system as a whole may still be vulnerable because you’re running a vulnerable OpenSSL version. Please check with your vendor for system updates.
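As an added example (not code from the post or from Phusion), the following Python check scans a Passenger Standalone binary for the OpenSSL version banner that a statically linked OpenSSL embeds and reports whether it falls in the range affected by CVE-2014-0160. The affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) comes from the OpenSSL advisory rather than from this post, and the sample byte strings are constructed.

```python
import re

# Affected range per the OpenSSL advisory for CVE-2014-0160 (the post only says
# that 4.0.41 links against 1.0.1g): 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat extension.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def heartbleed_affected(major, minor, patch, letter, beta):
    """Return True if this OpenSSL version still contains the Heartbleed bug."""
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f are vulnerable; 1.0.1g is the fixed release.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"
    return False


def find_openssl_versions(blob):
    """Extract every 'OpenSSL x.y.z' banner embedded in a binary blob.

    A statically linked OpenSSL carries its version banner as a plain string,
    so a byte scan is enough. A dynamically linked binary has no such banner;
    in that case the system libssl is what must be checked instead.
    """
    found = []
    for m in VERSION_RE.finditer(blob):
        major, minor, patch = (int(x) for x in m.group(1, 2, 3))
        letter = m.group(4).decode()
        beta = (m.group(5) or b"").decode()
        text = f"{major}.{minor}.{patch}{letter}{beta}"
        found.append((text, heartbleed_affected(major, minor, patch, letter, beta)))
    return found


def needs_update(blob):
    """True if any embedded OpenSSL banner is in the vulnerable range."""
    return any(vuln for _, vuln in find_openssl_versions(blob))


def scan_file(path):
    """Scan an on-disk binary (e.g. a PassengerAgent from Passenger Standalone)."""
    with open(path, "rb") as f:
        return find_openssl_versions(f.read())


# Constructed samples standing in for a pre-4.0.41 and a 4.0.41 binary; real
# binaries embed a banner of the same shape, e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
SAMPLE_OLD = b"\x7fELF...PassengerAgent...OpenSSL 1.0.1e 11 Feb 2013\x00..."
SAMPLE_NEW = b"\x7fELF...PassengerAgent...OpenSSL 1.0.1g 7 Apr 2014\x00..."

if __name__ == "__main__":
    for name, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, find_openssl_versions(blob), "update needed:", needs_update(blob))
```

Run `scan_file()` against the binaries under the Passenger Standalone runtime directory; a "no banner found" result means the binary links OpenSSL dynamically and the vendor's system update is what matters.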

There aren’t many other changes in this release:

  • Fixed some issues with printing UTF-8 log files on Heroku.
  • Added a new flag --ignore-app-not-running to passenger-config restart-app.
    When this flag is given, passenger-config restart-app will exit successfully
    when the specified application is not running, instead of exiting with
    an error.

Installing or upgrading to 4.0.41

Installation and upgrade guides are provided for OS X, Debian, Ubuntu, Heroku, the Ruby gem and the tarball.

Final

Phusion Passenger’s core is open source. Please fork or watch us on Github. :)

  • Hans

    Does the out of band GC work yet?