Version 5.1.6 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. It features updated packages to cover an Nginx security issue. We also supply a dynamic version of the Passenger Nginx module through APT packages where possible, which is currently in the new Debian Stretch packages, as well as in replacement Ubuntu Zesty packages. The release also incorporates a few improvements and fixes, such as graceful shutdown for Passenger Standalone with the Nginx engine.
The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.
Ubuntu 17.04 "Zesty": replaced Nginx packages
We've been busy enhancing our APT packaging system to take advantage of the fact that Nginx supports dynamic modules. This enables us to support distribution updates faster in the future, because we no longer have to supply what amounted to a Passenger-enabled copy of the distribution's Nginx package.
The Nginx included in Ubuntu Zesty supports dynamic modules, but unfortunately the packaging support wasn't ready at the time Zesty was released. We've yanked the static module based Passenger package (
nginx-extras), and introduced
libnginx-mod-http-passenger. Users of the Nginx integration mode can use the following commands to switch to the new dynamic module based integration (and the system Nginx):
sudo apt-get remove nginx-extras # or if that fails: sudo dpkg --remove --force-remove-reinstreq nginx-extras sudo apt-get update sudo apt-get install libnginx-mod-http-passenger nginx
Packages for Debian 9 "Stretch"
We've got packages out for Debian Stretch (GH-1960)! The Passenger / Nginx integration is provided via our new dynamic Nginx module package. We've updated our documentation with installation instructions.
An integer overflow vulnerability was discovered in the Nginx range filter module (CVE-2017-7529). We've taken two steps to resolve this:
The Passenger source code now prefers Nginx version 1.12.1 (previously 1.10.3), in which the issue is fixed. The preferred version is used by Passenger Standalone + Nginx engine, Passenger RPM packages, and
The Passenger APT packages are pinned to Nginx 1.10.3 because the Debian configuration for Nginx includes the lua module, which doesn't have a release yet that is compatible with 1.12.x. In this case we've applied the patch to our Nginx package.
Graceful shutdown (Standalone / Nginx)
Passenger Standalone uses either Nginx or Phusion's builtin engine under the hood. PikachuEXE contributed an improvement (PR-1956) that tells the Nginx engine to shutdown gracefully when Passenger Standalone is stopping.
Fixed memory issue (Standalone / builtin)
The previous Passenger version (5.1.5) featured a major internal refactoring of settings handling under the hood to prepare for supporting settings change without restart. We discovered a refactoring error that lead to a memory corruption issue when running with the builtin engine. This has now been fixed.
- Fixes a typo that causes a looping crash when long security update information is sent by the server. In practice we will keep the messages shorter to avoid triggering this until there has been ample time to upgrade.
- Fixes unnecessary process respawn if process was detached while
min_instancesis set to 0. Closes GH-1735.
- Fixes WSGI crash with Python 3 and non-ASCII characters in headers or the URL. Closes GH-1935. Thanks to n4nn31355 for the assistance.
- [Standalone] Cleanup the temp dir before aborting when startup cannot continue, e.g. when Passenger is already running. Closes GH-1953.
- Adds support for building with MacPorts' OpenSSL. Closes GH-1959.
Please see the installation guide.
Upgrading to 5.1.6
We strongly advise staying up to date with the latest version.
See also the upgrade notes below!
If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.
Download issue with old
Old versions of
gem (below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our rubygem hosting software (Gem in a box).
ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.4), here is why: Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/ - bad response Unauthorized 401
If this happens, please upgrade to a newer version of gem:
gem install rubygems-update; update_rubygems
Special notes about capistrano-passenger
If you are using Capistrano and capistrano-passenger, then it may fail with this error:
SSHKit::Runner::ExecuteError: Exception while executing as firstname.lastname@example.org: undefined method `' for nil:NilClass NoMethodError: undefined method `' for nil:NilClass Tasks: TOP => passenger:restart
This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.