Version 5.1.5 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. We've eliminated an Apache configuration pitfall that, if enabled, could inadvertently allow users (who have access to application deployment on the server) to reroute traffic from other apps on that server. A number of other internal improvements were also realized in this version.
The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.
Make Apache configuration robust against traffic stealing
It is possible to use Passenger with the Apache integration mode in a shared hosting type setup that gives each user access to their own Directory (to place their app in), but not to the main Passenger configuration nor to other users. In this setup, users can specify a few limited Passenger settings in their own .htaccess file, such as
System administrators could choose to allow users to set additional options in .htaccess like
PassengerFriendlyErrorPages by configuring Apache with
AllowOverride Options. However, this would also allow users to specify
PassengerAppGroupName, which is not safe in an environment where users don't trust each other. As documented, Passenger routes requests based on the app group name, so if a malicious user creates an .htaccess with the app group name of a victim user's app, then in some cases (depending on who gets the first request) the victim's traffic would be routed to the malicious user's app.
Although it's unlikely that you use Passenger this way, and you explicitly have to allow the additional options for it to even be possible, we've still decided to remove the possibility of configuring
PassengerAppGroupName in .htaccess. Thanks go out to the cPanel Security Team for noticing this pitfall.
- Updated Boost to version 1.64.0, which fixed a compilation issue on certain Gentoo based setups. Closes GH-1942.
- Improved the error message shown when an app fails to start in time.
- Major internal refactoring of settings handling, to prepare for supporting settings change without restart.
Please see the installation guide.
Upgrading to 5.1.5
We strongly advise staying up to date with the latest version.
See also the upgrade notes below!
If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.
Download issue with old
Old versions of
gem (below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our rubygem hosting software (Gem in a box).
ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.4), here is why: Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/ - bad response Unauthorized 401
If this happens, please upgrade to a newer version of gem:
gem install rubygems-update; update_rubygems
Special notes about capistrano-passenger
If you are using Capistrano and capistrano-passenger, then it may fail with this error:
SSHKit::Runner::ExecuteError: Exception while executing as firstname.lastname@example.org: undefined method `' for nil:NilClass NoMethodError: undefined method `' for nil:NilClass Tasks: TOP => passenger:restart
This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.
Phusion Passenger's core is open source. Please fork or watch us on Github. :)
Passenger ensures that your Ruby, Python, Node.js and Meteor apps, microservices, and APIs are served with outstanding reliability, performance and control. For additional features and premium support, check out the enterprise edition.