Phusion Passenger 5.0.6

Version 5.0.6 of the Phusion Passenger application server for Ruby, Python, Node.js and Meteor has been released! With the major file descriptor leaks previously fixed, this release resolves an important memory leak and caching issue, as well as some miscellaneous items. We would like to thank the community for their continued feedback and helpful reporting, which helps us provide fast fixes!

If you hadn't already, be sure to check out the many major improvements that the 5.x series of Passenger introduces. And please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.

Memory leak fix

For certain requests Passenger was leaking 512 bytes of memory. While small by itself, the cumulative leak on highly loaded servers could add up to a few hundred megabytes per hour (GH-1455).

Passenger 5 uses pooled memory blocks with reference counters to achieve high speed / low overhead processing. For requests or responses containing multiple identical headers, as well as responses with Set-Cookie headers, the reference counters were not being fully decremented, resulting in the leak of the associated pooled block (512 bytes). This has been fixed, and we've established additional testing tools and procedures to detect these and any other memory leaks.

Issues for Union Station users

Union Station is our upcoming application analytics and performance monitoring SaaS platform. It is opt-in: no data is collected through Passenger unless you turn the feature on.

We discovered one more file descriptor leak in Passenger that occurred only when Union Station was being used. This was fixed (GH-1439). In the process we also fixed some bugs in the data collection.

Turbocache vs. "no-cache" fixed

When a response contains "Cache-Control: no-cache", intermediates such as Passenger are allowed to cache the response, but with the limitation that they must always validate the cache first with the server before serving it.

However, the Passenger turbocache does not support validation at this time and was erroneously returning unvalidated responses. We've fixed this by not caching such responses at all anymore.

Please note that if your application response contains sensitive information that should not be stored in any cache (not just Passenger), you need to use "Cache-Control: no-store" and not "no-cache", because the latter still allows storage.

Miscellaneous bug fixes

  • [Apache] SetEnv variables are now passed as Rack/CGI/request variables. This was also the case in Passenger 4, but not in Passenger 5.0.0-5.0.5. We've restored the old behavior to avoid breaking certain Apache modules such as Shibboleth. Closes GH-1446.

  • Fixes cases of uninitialized memory use discovered through extended profiling. This also uncovered other minor issues such as tiny once-per-startup memory leaks, which will be fixed in followup versions.

  • [Standalone] Relative paths now work for specifying where to put PID and log files.

Improvements

  • More informative error message if a support binary is not found, including a resolution hint. Closes GH-1395.

Installing or upgrading to 5.0.6

If you are on a previous 5.0.x version we recommend moving to 5.0.6 as soon as possible to avoid memory leaks and the caching issue.


OS X

Debian

Ubuntu

Heroku

Docker

Ruby gem

Tarball

If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.