Passenger 5.1.5: security robustness fix, internal improvements
Version 5.1.5 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. We've eliminated an Apache configuration pitfall that, if enabled, could inadvertently allow users who are able to deploy applications on the server to reroute traffic belonging to other apps on that same server. A number of other internal improvements were also made in this version.
The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.
Make Apache configuration robust against traffic stealing
It is possible to use Passenger with the Apache integration mode in a shared hosting type setup that gives each user access to their own Directory (to place their app in), but not to the main Passenger configuration nor to other users' directories. In this setup, users can specify a few limited Passenger settings in their own .htaccess file, such as PassengerStartupFile and PassengerAppType.
System administrators could choose to allow users to set additional options in .htaccess, such as PassengerRuby and PassengerFriendlyErrorPages, by configuring Apache with AllowOverride Options. However, this would also allow users to specify PassengerAppGroupName, which is not safe in an environment where users don't trust each other. As documented, Passenger routes requests based on the app group name, so if a malicious user creates an .htaccess with the app group name of a victim user's app, then in some cases (depending on which of the two apps receives the first request for that group name) the victim's traffic would be routed to the malicious user's app.
Although it's unlikely that you use Passenger this way, and you explicitly have to allow the additional options for it to even be possible, we've still decided to remove the possibility of configuring PassengerAppGroupName in .htaccess. Hosts that cannot upgrade right away should not grant AllowOverride Options to directories owned by untrusted users. Thanks go out to the cPanel Security Team for noticing this pitfall.
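The precondition for the traffic stealing described above is two tenants claiming the same app group name. The following is an added audit script, not Passenger's own code and not part of the original release notes, that walks a shared-hosting tree (assumed layout: one subdirectory per user under a common root), parses every .htaccess the way Apache would read directives (case-insensitive names, comment lines, backslash continuations, quoted values), and reports any PassengerAppGroupName value claimed by more than one user. The sample tree it builds is constructed for the demonstration; on a pre-5.1.5 host it would flag the condition, and on 5.1.5 it can still reveal a tenant probing for it.

```ruby
require 'find'
require 'pathname'
require 'fileutils'
require 'tmpdir'

# Directive that must never be delegated to untrusted .htaccess authors.
UNSAFE_DIRECTIVE = 'PassengerAppGroupName'.freeze

# Parse .htaccess text into [[directive, value], ...].
# Apache directive names are case-insensitive, '#' starts a comment,
# a trailing backslash continues the directive on the next line, and
# values may be double-quoted. Section tags such as <IfModule> are skipped.
def parse_htaccess(text)
  logical_lines = []
  buffer = +''
  text.each_line do |raw|
    line = raw.chomp
    if line.end_with?('\\')
      buffer << line[0..-2]
      next
    end
    buffer << line
    logical_lines << buffer
    buffer = +''
  end
  logical_lines << buffer unless buffer.empty?

  logical_lines.filter_map do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#', '<')
    name, value = stripped.split(/\s+/, 2)
    [name, (value || '').strip.delete_prefix('"').delete_suffix('"')]
  end
end

# Walk the per-user document roots under `root`, collect every app group
# name set in an .htaccess, and return only the names claimed by more than
# one user: { "group" => [{user:, file:}, ...] }.
def find_app_group_collisions(root)
  root_path = Pathname(root)
  claims = Hash.new { |h, k| h[k] = [] }
  Find.find(root) do |path|
    next unless File.basename(path) == '.htaccess'
    user = Pathname(path).relative_path_from(root_path).each_filename.first
    parse_htaccess(File.read(path)).each do |name, value|
      next unless name.casecmp?(UNSAFE_DIRECTIVE)
      claims[value] << { user: user, file: path }
    end
  end
  claims.each_value { |owners| owners.sort_by! { |o| o[:user] } }
  claims.select { |_, owners| owners.map { |o| o[:user] }.uniq.size > 1 }
end

# Constructed sample tree (hypothetical users, not from any real host):
# alice and mallory both claim the group "shop"; bob's only mention of it
# is commented out, so bob must not be reported.
def build_sample_tree(root)
  {
    'alice/public/.htaccess'   => "PassengerAppGroupName shop\nPassengerRuby /usr/bin/ruby\n",
    'mallory/public/.htaccess' => "<IfModule mod_passenger.c>\n  passengerappgroupname \\\n    \"shop\"\n</IfModule>\n",
    'bob/public/.htaccess'     => "# PassengerAppGroupName shop\nPassengerAppGroupName bobapp\n"
  }.each do |rel, content|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, content)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_tree(dir)
    find_app_group_collisions(dir).each do |group, owners|
      puts "app group #{group.inspect} claimed by: " +
           owners.map { |o| "#{o[:user]} (#{o[:file]})" }.join(', ')
    end
  end
end
```

Run it against the real root (for example the parent of all users' home directories) instead of the temporary tree; any group name that appears under two different users is the exact situation the 5.1.5 change closes off.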
Various other
- Updated Boost to version 1.64.0, which fixed a compilation issue on certain Gentoo based setups. Closes GH-1942.
- Improved the error message shown when an app fails to start in time.
- Major internal refactoring of settings handling, to prepare for supporting settings change without restart.
Installing 5.1.5
Please see the installation guide.
Upgrading to 5.1.5
We strongly advise staying up to date with the latest version.
See also the upgrade notes below!
OS X | Debian | Ubuntu | Heroku | Red Hat | CentOS | Ruby gem | Tarball | Docker
If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.
Download issue with old gem version
Old versions of the gem command (RubyGems below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our RubyGems hosting software (Gem in a box), with an error like the following:
ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.4), here is why:
Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/
- bad response Unauthorized 401
If this happens, please upgrade to a newer version of RubyGems:
gem install rubygems-update; update_rubygems
Special notes about capistrano-passenger
If you are using Capistrano and capistrano-passenger, then it may fail with this error:
SSHKit::Runner::ExecuteError: Exception while executing as user@99.99.99.99: undefined method `[]' for nil:NilClass
NoMethodError: undefined method `[]' for nil:NilClass
Tasks: TOP => passenger:restart
This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.