Xcode 7.3.1 fixes build & remote code execution

When Apple released version 7.3.0 of Xcode, Passenger users on OSX started experiencing a crash issue after compiling Passenger. Version 7.3.1 no longer exhibits this issue, and also updates git to remove two remote code execution vulnerabilities.

Passenger build

The crash issue manifested whenever Passenger was compiled on a system with Xcode 7.3.0, which happens for example as part of a gem install. Fortunately, Passenger has a builtin Watchdog system that automatically restarts crashed processes and brings the server back up to minimize the impact on the service.

We've tested with Xcode 7.3.1 and confirm the build no longer results in a crashing Passenger!

Git remote code execution

It was discovered that git versions before 2.7.4 contain two serious security issues (CVE-2016-2315, CVE-2016-2324). If git was pointed to a malicious repository, it could not only crash, but also start executing malicious code on your system.

Xcode 7.3.1 includes an upgrade to git 2.7.4, thereby closing the two security holes.

Upgrade

We strongly recommend users to upgrade their Xcode in order to avoid the issues described above.

Note that if you have built Passenger with Xcode 7.3.0, it is not enough to upgrade to 7.3.1. You must perform a new build after the upgrade. This can be accomplished with:

gem uninstall passenger  
gem install passenger

# (when using Nginx)
passenger-install-nginx-module

# (when using Apache)
passenger-install-apache2-module  

[img

Passenger is a web server and application server for Ruby, Node.js, Meteor and Python web apps. Keeps your users happy, saves your business time and money.

The 5.x series introduces many major improvements. The enterprise edition is ideally suited for businesses, and sponsors development of the open source core. Get started with Passenger Enterprise.

[img

Union Station is Phusion's brand new take on Passenger application monitoring and analytics. Union Station aims to help you easily find performance bottlenecks and errors in your application and to help you fix them. Sign up for a free trial today!

comments powered by Disqus