
Passenger 5.1.6: new packages for Zesty, Debian Stretch, Nginx

Version 5.1.6 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. It features updated packages to cover an Nginx security issue. We also supply a dynamic version of the Passenger Nginx module through APT packages where possible, which is currently in the new Debian Stretch packages, as well as in replacement Ubuntu Zesty packages. The release also incorporates a few improvements and fixes, such as graceful shutdown for Passenger Standalone with the Nginx engine.

The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.

Ubuntu 17.04 "Zesty": replaced Nginx packages

We've been busy enhancing our APT packaging system to take advantage of the fact that Nginx supports dynamic modules. This enables us to support distribution updates faster in the future, because we no longer have to supply what amounted to a Passenger-enabled copy of the distribution's Nginx package.

The Nginx included in Ubuntu Zesty supports dynamic modules, but unfortunately the packaging support wasn't ready at the time Zesty was released. We've yanked the static module based Passenger package (nginx-extras), and introduced libnginx-mod-http-passenger. Users of the Nginx integration mode can use the following commands to switch to the new dynamic module based integration (and the system Nginx):

sudo apt-get remove nginx-extras  
# or if that fails: sudo dpkg --remove --force-remove-reinstreq nginx-extras
sudo apt-get update  
sudo apt-get install libnginx-mod-http-passenger nginx  

Packages for Debian 9 "Stretch"

We've got packages out for Debian Stretch (GH-1960)! The Passenger / Nginx integration is provided via our new dynamic Nginx module package. We've updated our documentation with installation instructions.

Nginx CVE-2017-7529

An integer overflow vulnerability was discovered in the Nginx range filter module (CVE-2017-7529). We've taken two steps to resolve this:

  • The Passenger source code now prefers Nginx version 1.12.1 (previously 1.10.3), in which the issue is fixed. The preferred version is used by Passenger Standalone + Nginx engine, Passenger RPM packages, and passenger-install-nginx-module.

  • The Passenger APT packages are pinned to Nginx 1.10.3 because the Debian configuration for Nginx includes the lua module, which doesn't have a release yet that is compatible with 1.12.x. In this case we've applied the patch to our Nginx package.
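Because the APT packages stay at 1.10.3 with the patch applied, a bare version comparison will flag them as vulnerable. The following added example (not Phusion's code) classifies `nginx -v` output against the upstream fixed releases 1.12.1 and 1.13.3 and reports anything in the affected range as needing a confirmed backport. The function names and the changelog check are assumptions made for illustration, and a `sort` that supports `-V` is assumed.

```shell
#!/bin/sh
# Added example: triage nginx builds for CVE-2017-7529.
# Upstream fixes: 1.12.1 (stable) and 1.13.3 (mainline); affected from 0.5.6.
# Assumes a sort(1) with -V (GNU coreutils or BusyBox).

# ver_lt A B: succeeds when version A is strictly older than version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# nginx_version TEXT: extract the dotted version from `nginx -v` style output.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# classify_nginx TEXT: prints fixed-upstream, needs-backport,
# not-affected or unknown.
classify_nginx() {
    v=$(nginx_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    if ver_lt "$v" 0.5.6; then
        echo not-affected
    elif ! ver_lt "$v" 1.13.3; then
        echo fixed-upstream
    elif ! ver_lt "$v" 1.12.1 && ver_lt "$v" 1.13.0; then
        echo fixed-upstream
    else
        # In the affected range: safe only if the package carries the patch,
        # as the pinned 1.10.3 APT build described above does.
        echo needs-backport
    fi
}

# changelog_has_fix FILE: succeeds if a package changelog names the CVE.
# Hypothetical check: assumes the packager records the CVE id there.
changelog_has_fix() {
    grep -q 'CVE-2017-7529' "$1"
}

# Run against the local binary when one is installed (nginx -v writes to stderr).
if command -v nginx >/dev/null 2>&1; then
    classify_nginx "$(nginx -v 2>&1)"
fi
```

A `needs-backport` result is a prompt to confirm the patch through the package's own metadata, not a finding in itself.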

Graceful shutdown (Standalone / Nginx)

Passenger Standalone uses either Nginx or Phusion's builtin engine under the hood. PikachuEXE contributed an improvement (PR-1956) that tells the Nginx engine to shut down gracefully when Passenger Standalone is stopping.

Fixed memory issue (Standalone / builtin)

The previous Passenger version (5.1.5) featured a major internal refactoring of settings handling under the hood to prepare for supporting settings changes without a restart. We discovered a refactoring error that led to a memory corruption issue when running with the builtin engine. This has now been fixed.

Various fixes

  • Fixes a typo that causes a looping crash when long security update information is sent by the server. In practice we will keep the messages shorter to avoid triggering this until there has been ample time to upgrade.
  • Fixes unnecessary process respawn if process was detached while min_instances is set to 0. Closes GH-1735.
  • Fixes WSGI crash with Python 3 and non-ASCII characters in headers or the URL. Closes GH-1935. Thanks to n4nn31355 for the assistance.
  • [Standalone] Clean up the temp dir before aborting when startup cannot continue, e.g. when Passenger is already running. Closes GH-1953.
  • Adds support for building with MacPorts' OpenSSL. Closes GH-1959.

Installing 5.1.6

Please see the installation guide.

Upgrading to 5.1.6

We strongly advise staying up to date with the latest version.

See also the upgrade notes below!

  • OS X
  • Debian
  • Ubuntu
  • Heroku
  • Red Hat
  • CentOS
  • Ruby gem
  • Tarball
  • Docker

If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.

Download issue with old gem version

Old versions of gem (below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our rubygem hosting software (Gem in a box).

ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.4), here is why:  
 Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/
 - bad response Unauthorized 401 

If this happens, please upgrade to a newer version of gem:

gem install rubygems-update; update_rubygems  

Special notes about capistrano-passenger

If you are using Capistrano and capistrano-passenger, then it may fail with this error:

SSHKit::Runner::ExecuteError: Exception while executing as user@99.99.99.99: undefined method `[]' for nil:NilClass

NoMethodError: undefined method `[]' for nil:NilClass

Tasks: TOP => passenger:restart

This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.

Final

Phusion Passenger's core is open source. Please fork or watch us on GitHub. :)


Passenger ensures that your Ruby, Python, Node.js and Meteor apps, microservices, and APIs are served with outstanding reliability, performance and control. For additional features and premium support, check out the enterprise edition.
