Version 5.0.14 of the Phusion Passenger application server for Ruby, Python, Node.js and Meteor has been released. This is a hotfix due to the CVE-2015-1793 vulnerability discovered in OpenSSL, which affects some specific deployments of Passenger.
If you hadn't already, be sure to check out the many major improvements that the 5.x series of Passenger introduces. And please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.
Impact of CVE-2015-1793
The vulnerability exists in OpenSSL versions 1.0.2b, 1.0.2c, 1.0.1n and 1.0.1o. It allows a man-in-the-middle to impersonate a legitimate secure server. This affects the client side of a secure connection, and not the server side, meaning Passenger and other servers are largely unaffected.
Nevertheless, we strongly recommend checking your entire system and upgrading any affected components as soon as possible. In case of Passenger, the following use cases are affected and fixed by the 5.0.14 release:
Union Station. Data exporting to Union Station is turned off by default, but if you have enabled it, Passenger initiates client connections. The data could end up in the wrong place if a man-in-the-middle would impersonate a Union Station endpoint.
Passenger Standalone + Nginx + certificate verification. If you are using Passenger Standalone with the Nginx engine (default), and you have installed it as a gem or from the source tarball on a linux (x86/x64) system, then we supply a statically linked Nginx. For example, this is the case on Heroku. If you have also configured client certificate verification or upstream server certificate validation (see: Protecting NGINX), then this validation may be circumvented by a man-in-the-middle attack.
As mentioned, you should definitely inspect your system and upgrade any other affected components (certainly the system's OpenSSL library). For example, Apache with mod_ssl and client certificate verification configured is also vulnerable and will not be automatically fixed if you upgrade Passenger.
We immediately scheduled a release when the impact of the OpenSSL vulnerability became clear, so the list of fixes & improvements is limited to the following items:
--disable-turbocachingnow works with the Nginx engine.
[Standalone] Relative path handling has been improved. In previous versions, relative paths were not handled in a consistent manner. Relative paths are now handled consistently according to the following rules:
- If a relative path is given via a command line option, then it is relative to the current working directory.
- If a relative path is given via Passengerfile.json, then it is relative to Passengerfile.json.
Installing or upgrading to 5.0.14
Although the scope of the OpenSSL vulnerability is limited, and in some cases you don't need a new Passenger version to get the fix, we recommend upgrading anyway just to be absolutely sure.
If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.