Passenger 5.1.5: security robustness fix, internal improvements

Version 5.1.5 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. We've eliminated an Apache configuration pitfall that, if enabled, could inadvertently allow users (who have access to application deployment on the server) to reroute traffic from other apps on that server. A number of other internal improvements were also realized in this version.

The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.

Make Apache configuration robust against traffic stealing

It is possible to use Passenger with the Apache integration mode in a shared hosting type setup that gives each user access to their own Directory (to place their app in), but not to the main Passenger configuration nor to other users. In this setup, users can specify a few limited Passenger settings in their own .htaccess file, such as PassengerStartupFile and PassengerAppType.

System administrators could choose to allow users to set additional options in .htaccess like PassengerRuby, PassengerFriendlyErrorPages by configuring Apache with AllowOverride Options. However, this would also allow users to specify PassengerAppGroupName, which is not safe in an environment where users don't trust each other. As documented, Passenger routes requests based on the app group name, so if a malicious user creates an .htaccess with the app group name of a victim user's app, then in some cases (depending on who gets the first request) the victim's traffic would be routed to the malicious user's app.

Although it's unlikely that you use Passenger this way, and you explicitly have to allow the additional options for it to even be possible, we've still decided to remove the possibility of configuring PassengerAppGroupName in .htaccess. Thanks go out to the cPanel Security Team for noticing this pitfall.

Various other

  • Updated Boost to version 1.64.0, which fixed a compilation issue on certain Gentoo based setups. Closes GH-1942.
  • Improved the error message shown when an app fails to start in time.
  • Major internal refactoring of settings handling, to prepare for supporting settings change without restart.

Installing 5.1.5

Please see the installation guide.

Upgrading to 5.1.5

We strongly advise staying up to date with the latest version.

See also the upgrade notes below!


OS X

Debian

Ubuntu

Heroku

Red Hat

CentOS

Ruby gem

Tarball

Docker

If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.

Download issue with old gem version

Old versions of gem (below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our rubygem hosting software (Gem in a box).

ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.4), here is why:
 Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/
 - bad response Unauthorized 401 

If this happens, please upgrade to a newer version of gem:

gem install rubygems-update; update_rubygems

Special notes about capistrano-passenger

If you are using Capistrano and capistrano-passenger, then it may fail with this error:

SSHKit::Runner::ExecuteError: Exception while executing as user@99.99.99.99: undefined method `[]' for nil:NilClass

NoMethodError: undefined method `[]' for nil:NilClass

Tasks: TOP => passenger:restart

This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.