Version 4.0.60 of the Phusion Passenger application server for Ruby, Python, Node.js and Meteor has been released. This release is mainly due to CVE-2015-7519, a medium-level security issue discovered by the SUSE security team, whereby it was possible, in some cases, for clients to overwrite headers set by the server. 4.0.60 also contains several other minor changes.

We have stopped releasing binaries for the 4.x line, so this is a source-only release. There won't be any newer APT packages for 4.x. If you are using 4.x and installed it via APT, we recommend that you either upgrade to Passenger 5 or install 4.0.60 from source.

CVE-2015-7519

It was discovered by the SUSE security team that it was possible, in some cases, for clients to overwrite headers set by the server, resulting in a medium-level security issue (CVE-2015-7519). See the detailed blog post for more information. If you are affected, you should upgrade or mitigate the issue as soon as possible.
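As an added illustration of the class of problem described above (client-supplied headers displacing headers the server sets), the following example shows a header-merging step done in the wrong order and in the right order, with a self-check that reports which server-set headers did not survive. This is example code written for this page, not Passenger's source, and it does not claim to reproduce the specific mechanism behind CVE-2015-7519; the header names and values are constructed for the example.

```python
"""Added illustration: how server-set headers can be clobbered by client-supplied
ones when a proxy/app server merges the two, and how to merge so the server wins.
Generic example code, not Passenger's source and not the exact mechanism of
CVE-2015-7519."""

# Constructed sample: headers the proxy layer sets for the application.
SERVER_HEADERS = {
    "X-Forwarded-For": "203.0.113.10",   # client address as observed by the proxy
    "X-Forwarded-Proto": "https",
}

# Constructed sample: headers as received from the client. Note the
# differently-cased duplicate of a server-set header name.
CLIENT_HEADERS = {
    "Host": "app.example.test",
    "x-forwarded-for": "10.0.0.1",       # client-supplied value for a server-owned header
    "User-Agent": "example/1.0",
}


def _canon(name: str) -> str:
    """HTTP header names are case-insensitive (RFC 7230), so compare them in one case."""
    return name.strip().lower()


def merge_client_wins(server: dict, client: dict) -> dict:
    """Flawed merge: server headers are applied first, then client headers are
    copied over them, so any client header whose canonical name matches a
    server-set header overwrites the server's value."""
    merged = {}
    for name, value in server.items():
        merged[_canon(name)] = value
    for name, value in client.items():
        merged[_canon(name)] = value
    return merged


def merge_server_wins(server: dict, client: dict) -> dict:
    """Hardened merge: client copies of any server-owned header are dropped,
    and the server-set values are applied last so nothing can override them."""
    protected = {_canon(n) for n in server}
    merged = {}
    for name, value in client.items():
        if _canon(name) in protected:
            continue  # discard the client's copy of a server-owned header
        merged[_canon(name)] = value
    for name, value in server.items():
        merged[_canon(name)] = value
    return merged


def overwritten_headers(server: dict, merged: dict) -> list:
    """Return the canonical names of server-set headers whose value did not
    survive the merge. Suitable as a regression check for a merging layer."""
    return sorted(
        _canon(n) for n, v in server.items() if merged.get(_canon(n)) != v
    )


if __name__ == "__main__":
    bad = merge_client_wins(SERVER_HEADERS, CLIENT_HEADERS)
    good = merge_server_wins(SERVER_HEADERS, CLIENT_HEADERS)
    print("flawed merge lost:", overwritten_headers(SERVER_HEADERS, bad))
    print("hardened merge lost:", overwritten_headers(SERVER_HEADERS, good))
```

The self-check in `overwritten_headers` is the part worth keeping around: after any change to a header-forwarding layer, run it with a client request that duplicates every server-owned header name (in varying case) and require an empty result.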

Internal passwords fixed

For security reasons, Phusion Passenger limits access to its internal processes by using Unix file permissions and randomly generated passwords that only authorized internal processes know. It turns out that this password wasn't being set correctly, which has now been fixed. There was no security vulnerability, because the file permissions already provide sufficient protection on their own. The password only serves as an extra layer of security in case there is a problem with the file permissions.

This issue is not in any way related to application-level security or application-level passwords. Database passwords, keys, or secrets used and generated by applications have nothing to do with the nature of this issue. This issue only concerns some randomly generated passwords that Passenger uses internally, for its own internal operations.

Other changes

  • Adds OS X El Capitan support.
  • Updates preferred Nginx version from 1.6.2 to 1.6.3.