When Apple released version 7.3.0 of Xcode, Passenger users on OS X started experiencing crashes after compiling Passenger. Version 7.3.1 no longer exhibits this issue, and also updates git to remove two remote code execution vulnerabilities.
The crash manifested whenever Passenger was compiled on a system with Xcode 7.3.0, which happens, for example, as part of a gem install. Fortunately, Passenger has a built-in Watchdog system that automatically restarts crashed processes and brings the server back up to minimize the impact on the service.
We've tested with Xcode 7.3.1 and confirm the build no longer results in a crashing Passenger!
Git remote code execution
It was discovered that git versions before 2.7.4 contain two serious security issues (CVE-2016-2315, CVE-2016-2324). If git was pointed at a malicious repository, it could not only crash, but also start executing malicious code on your system.
Xcode 7.3.1 includes an upgrade to git 2.7.4, thereby closing the two security holes.
We strongly recommend that users upgrade Xcode in order to avoid the issues described above.
Note that if you have built Passenger with Xcode 7.3.0, it is not enough to upgrade to 7.3.1. You must perform a new build after the upgrade. This can be accomplished with:
gem uninstall passenger
gem install passenger
# (when using Nginx)
passenger-install-nginx-module
# (when using Apache)
passenger-install-apache2-module
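To confirm a machine is past both problems, the version checks implied above can be scripted. This is an added example, not Phusion's code; the function names are chosen here, and it assumes `git --version` prints "git version X.Y.Z ..." and the first line of `xcodebuild -version` prints "Xcode X.Y[.Z]".

```shell
#!/bin/sh
# Added example: flags git older than 2.7.4 and Xcode 7.3.0 (reported as "Xcode 7.3").

# version_ge A B: true when dotted numeric version A >= B; missing fields count as 0.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Extract the dotted version from the tool's version line (empty if unparseable).
git_version_of()   { printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'; }
xcode_version_of() { printf '%s\n' "$1" | sed -n 's/^Xcode \([0-9][0-9.]*\).*/\1/p'; }

# audit GIT_LINE XCODE_LINE: prints findings, returns 1 if either check fails.
audit() {
    rc=0
    gv=$(git_version_of "$1"); xv=$(xcode_version_of "$2")
    if [ -z "$gv" ]; then
        echo "git: version not readable"; rc=1
    elif version_ge "$gv" 2.7.4; then
        echo "git $gv: ok"
    else
        echo "git $gv: older than 2.7.4 (CVE-2016-2315, CVE-2016-2324)"; rc=1
    fi
    if [ -z "$xv" ]; then
        echo "Xcode: version not readable"; rc=1
    elif version_ge "$xv" 7.3.0 && ! version_ge "$xv" 7.3.1; then
        echo "Xcode $xv: upgrade to 7.3.1, then rebuild Passenger"; rc=1
    else
        echo "Xcode $xv: ok"
    fi
    return $rc
}

# Check the local machine only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    audit "$(git --version 2>/dev/null)" "$(xcodebuild -version 2>/dev/null | head -n 1)"
fi
```

A passing result says nothing about which Xcode an existing Passenger build was compiled with, so the rebuild above is still required after upgrading from 7.3.0.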