Version 5.1.11 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. We urgently advise upgrading to fix an arbitrary file read vulnerability that we announced earlier today in a security advisory.
Version 5.1.11 also contains a number of improvements and fixes we've been working on since 5.1.8. It is compatible with the recently released macOS 10.13, has HTTP/2 support turned on by default, and introduces a new feature for Heroku/Enterprise users. We've also taken care of a regression (Apache crash) from 5.1.8.
The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.
CVE-2017-16355: Arbitrary file read vulnerability fix
The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. This has been fixed. See our security advisory for more information.
macOS High Sierra compatibility
We've fixed some compilation issues with Passenger/Apache and the newly released macOS 10.13 High Sierra.
Additionally, High Sierra changed the rules for using Objective-C between fork() and exec(), which led to crashing in some applications hosted by Passenger and other preforking app servers such as Puma and Unicorn.
Although Passenger itself was not affected (since it is carefully written to not perform any non-async-signal-safe operations after fork), we've implemented a workaround to prevent crashing applications. The underlying issue and solutions are being debated by the community; see our detailed writeup for more information and what can be done about the issue.
HTTP/2 support (Standalone)
In the previous Passenger release we were able to upgrade across the board to the latest Nginx stable version. This version supports HTTP/2, so we've enabled that in the default Passenger Standalone configuration template (GH-1945).
Support is active when HTTPS (SSL/TLS) is used, and if a client does not support HTTP/2, Nginx will fall back gracefully. Nginx also supports HTTP/2 over HTTP, but we didn't enable this because we want to avoid any chance of breaking existing setups or intermediates that assume port 80 always means HTTP and would mangle HTTP/2 traffic (also, none of the major browsers support it at this time).
Deferred port binding (Standalone)
A Passenger Standalone Enterprise user reported that requests were timing out during slow application startup on Heroku. Passenger binds the networking port immediately and queues incoming requests until the application has finished spawning. If the application takes longer than Heroku's request timeout (non-configurable, 30 sec) to finish starting and respond, the request is terminated with an error response.
We've added a new feature to Passenger Standalone Enterprise: when --defer-port-binding is set, Passenger does not listen on the given port until the application has finished spawning. With this option, applications can take up to Heroku's boot timeout to start (configurable between 60 and 120 sec), plus an additional 2 minutes if preboot is used.
New security pitfall check
We've added a check that inspects the permissions of the Passenger root path. It logs a warning if Passenger runs with root privileges while (parts of) the root path can be modified by non-root users, who could then tamper with the installation.
Although this is a matter of system administration (as for any other program), and the permissions are set correctly when Passenger is installed via APT, RPM or gem, there are still some "gotcha" situations in which you may end up with vulnerable permissions.
For example: suppose Passenger is installed via gem by user nonroot, which normally means nonroot can fully modify the Passenger root. Now suppose that Passenger is subsequently integrated with Nginx via sudo passenger-install-nginx-module, and nonroot configures Passenger with an application on their account.
It may not immediately be obvious, but if the nonroot application has a code execution vulnerability, the hacker may obtain root access if nonroot can still modify the Passenger root folder and thus overwrite Passenger files that will be executed as root upon a restart (by Nginx). Passenger will now warn about this, and suggest changing the owner or access rights.
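The kind of check described above, as an added example that is not Passenger's own code: it walks an installation root and reports every entry that a non-root user could modify, on the assumption that the daemon runs as root (so a non-root owner, a group-writable bit for a non-root group, or a world-writable bit each count as a finding). The sample installation it inspects is constructed in a temporary directory.

```ruby
# Added example, not Passenger's own check: walk an installation root and
# report every entry that a non-root user could modify. It assumes the
# daemon runs as root, so a non-root owner is itself a finding, as are
# group-writable (non-root group) and world-writable permission bits.
require "find"
require "tmpdir"
require "fileutils"

ROOT_UID = 0
ROOT_GID = 0

# Returns [path, reason] pairs for entries a non-root user could tamper with.
def writable_by_non_root(root)
  findings = []
  Find.find(root) do |path|
    st = File.lstat(path) # lstat so symlinks are judged, not followed
    reasons = []
    reasons << "owned by uid #{st.uid}" if st.uid != ROOT_UID
    reasons << "world-writable" if (st.mode & 0o002) != 0
    if (st.mode & 0o020) != 0 && st.gid != ROOT_GID
      reasons << "group-writable by gid #{st.gid}"
    end
    findings << [path, reasons.join(", ")] unless reasons.empty?
  end
  findings
end

# Constructed sample installation in a temporary directory: a file with sane
# permissions, a world-writable file and a group-writable subdirectory.
# Results are keyed by basename so they do not depend on the temporary path.
def demo_findings
  Dir.mktmpdir("passenger-root-") do |root|
    File.write(File.join(root, "ok.rb"), "# fine\n")
    File.chmod(0o644, File.join(root, "ok.rb"))
    File.write(File.join(root, "loose.rb"), "# anyone may edit this\n")
    File.chmod(0o666, File.join(root, "loose.rb"))
    FileUtils.mkdir_p(File.join(root, "shared"))
    File.chmod(0o775, File.join(root, "shared"))
    writable_by_non_root(root).to_h { |path, why| [File.basename(path), why] }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_findings.each { |name, why| puts "WARNING: #{name}: #{why}" }
end
```

Run as an unprivileged user, every entry is flagged because the owner is not root; run as root, only the world-writable file (and any group-writable entry belonging to a non-root group) is reported.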
Apache crash on startup fixed (macOS)
In the previous Passenger version we introduced a number of improvements in the logging core. Unfortunately, this also introduced a race condition (segfault) when the Apache integration module was used (GH-1973), because the module is normally loaded twice in quick succession. This issue manifested primarily on macOS hosts.
Various improvements & fixes
- Adds support for Bundler 2.0's new gems.locked. Learn more about these in Gemfile's new clothes. Closes GH-1982.
- [Nginx] It is now allowed to specify http context as well.
- [Nginx] Namespaced Jsoncpp under the Passenger namespace to avoid collisions with Google Pagespeed's copy when linked into Nginx.
- [Enterprise, Standalone] Fixes duplicate warnings when Passengerfile.json contains errors.
- [Enterprise, Standalone] passenger start now accepts the
- Removes Debian packages for Ubuntu 12.04 Precise (public support from Canonical ended).
Please see the installation guide.
Upgrading to 5.1.11
We strongly advise staying up to date with the latest version.
See also the upgrade notes below!
If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.
Download issue with old gem
Old versions of gem (below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our rubygem hosting software (Gem in a box).
ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.4), here is why: Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/ - bad response Unauthorized 401
If this happens, please upgrade to a newer version of gem:
gem install rubygems-update; update_rubygems
Special notes about capistrano-passenger
If you are using Capistrano and capistrano-passenger, then it may fail with this error:
SSHKit::Runner::ExecuteError: Exception while executing as email@example.com: undefined method `' for nil:NilClass NoMethodError: undefined method `' for nil:NilClass Tasks: TOP => passenger:restart
This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.