Passenger 5.1.11: support for High Sierra, HTTP/2, new features & fixes

Version 5.1.11 of the Passenger application server for Ruby, Node.js, Meteor and Python has been released. We urgently advise upgrading to fix an arbitrary file read vulnerability that we announced earlier today in a security advisory.

Version 5.1.11 also contains a number of improvements and fixes we've been working on since 5.1.8. It is compatible with the recently released macOS 10.13, has HTTP/2 support turned on by default, and introduces a new feature for Heroku/Enterprise users. We've also taken care of a regression (Apache crash) from 5.1.8.

The 5.1.x series of Passenger brings a plethora of improvements in uptime maximization, security and efficiency. Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.

CVE-2017-16355: Arbitrary file read vulnerability fix

The cPanel Security Team discovered a vulnerability in Passenger that allows users to list the contents of arbitrary files on the system. This has been fixed. See our security advisory for more information.

macOS High Sierra compatibility

We've fixed some compilation issues with Passenger/Apache and the newly released macOS 10.13 High Sierra.

Additionally, High Sierra changed the rules for using Objective-C between fork() and exec(), which led to crashing in some applications hosted by Passenger and other preforking app servers such as Puma and Unicorn.

Although Passenger itself was not affected (since it is carefully written to not perform any non-async-signal-safe operations after fork), we've implemented a workaround to prevent crashing applications. The underlying issue and solutions are being debated by the community; see our detailed writeup for more information and what can be done about the issue.

HTTP/2 support (Standalone)

In the previous Passenger release we were able to upgrade across the board to the latest Nginx stable version. This version supports HTTP/2, so we've enabled that in the default Passenger Standalone configuration template (GH-1945).

Support is active when HTTPS (SSL/TLS) is used, and if a client does not support HTTP/2, Nginx will fall back gracefully. Nginx also supports HTTP/2 over HTTP, but we didn't enable this because we want to avoid any chance of breaking existing setups or intermediates that assume port 80 always means HTTP and would mangle HTTP/2 traffic (also, none of the major browsers support it at this time).

Deferred port binding (Standalone)

A Passenger Standalone Enterprise user reported that requests were timing out during slow application startup on Heroku. Passenger binds the networking port immediately and queues incoming requests for the application until it has finished spawning. If the application takes longer than Heroku's request timeout (nonconfigurable, 30 sec) to finish starting and respond, the request is terminated with an error response.

We've added a new feature to Passenger Standalone Enterprise: when --defer-port-binding is set, Passenger does not listen on the given port until the application has finished spawning. Using this option, applications can take up to Heroku's boot timeout to start (configurable between 60 - 120 sec), possibly plus an additional 2 minutes if preboot is used.

New security pitfall check

We've added a check that inspects the permissions of the Passenger root path. It logs a warning if Passenger runs with root permissions while (parts of) the root path can be modified by non-root users, i.e. when such users could tamper with the installation.

Although this is a matter of system administration (as it is for any other program), and installing Passenger via APT, RPM or gem sets the permissions correctly, there are still some "gotcha" situations where you may end up with vulnerable permissions.

For example: suppose Passenger is installed via gem by user nonroot, which normally means nonroot can fully modify the Passenger root. Now suppose that Passenger is subsequently integrated with Nginx via sudo passenger-install-nginx-module, and nonroot configures Passenger with an application on their account.

It may not be immediately obvious, but if the nonroot application has a code execution vulnerability, an attacker may obtain root access if nonroot can still modify the Passenger root folder and thus overwrite Passenger files that will be executed as root when Nginx restarts. Passenger now warns about this and suggests changing the owner or the access rights.
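To make the pitfall concrete, here is an added audit script in the same spirit as the new check. It is not Passenger's own implementation (the page does not show that code) and its warning wording is constructed. It assumes a Unix filesystem, treats uid 0 as the only trusted owner by default, walks the install tree and every ancestor directory of it, and flags entries owned by another uid or writable by group/others. Sticky directories such as /tmp are exempt, because other users cannot rename or replace an existing entry in them, and symlink mode bits are ignored because the kernel ignores them. The demo_audit function builds a deliberately mis-permissioned tree in a temporary directory so the script can be run unprivileged; the install path and file names in it are invented.

```ruby
require 'find'
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Added example, not Passenger's own check. Returns the findings for one
# filesystem entry as [path, reason] pairs, where reason is one of:
#   :untrusted_owner          owned by a uid that is not in trusted_uids
#   :group_or_world_writable  mode grants write access to group or others
#   :unreadable               could not be inspected at all
def entry_findings(path, trusted_uids)
  st = File.lstat(path)
  out = []
  out << [path, :untrusted_owner] unless trusted_uids.include?(st.uid)
  # The kernel ignores a symlink's own mode bits; ownership already covers it.
  return out if st.symlink?
  # In a sticky directory (e.g. /tmp) anyone may create entries, but only the
  # owner can rename or delete an existing one, so it cannot swap out our tree.
  return out if st.directory? && st.sticky?
  out << [path, :group_or_world_writable] if (st.mode & 0o022) != 0
  out
rescue Errno::EACCES, Errno::ENOENT
  [[path, :unreadable]]
end

# Audit an install root that a root process will execute code from.
# Every ancestor directory is inspected too: a writable parent lets a user
# rename the whole tree away and drop a replacement in its place.
def tamperable_entries(root, trusted_uids: [0])
  root = Pathname.new(root).expand_path
  findings = []
  root.ascend { |dir| findings.concat(entry_findings(dir.to_s, trusted_uids)) }
  # Find does not descend into symlinked directories, so a planted link cannot
  # steer the walk into an attacker-chosen tree.
  Find.find(root.to_s) do |entry|
    next if entry == root.to_s
    findings.concat(entry_findings(entry, trusted_uids))
  end
  findings
end

# Constructed warning text (not Passenger's actual message) that names the
# offending entries and the remedy: fix the owner or the access rights.
def warning_text(root, findings)
  return nil if findings.empty?
  lines = ["WARNING: #{root} can be modified by non-root users:"]
  findings.each { |path, reason| lines << "  #{path} (#{reason})" }
  lines << 'Change the owner to root or remove group/other write permission.'
  lines.join("\n")
end

# Builds a constructed, deliberately mis-permissioned install tree in a temp
# directory and returns the findings relative to it. Ancestors of the temp
# directory are dropped and the current user is treated as trusted, so the
# result is the same on any machine and needs no root privileges.
def demo_audit
  Dir.mktmpdir('passenger-root-') do |tmp|
    root = File.join(tmp, 'passenger-5.1.11')   # invented install path
    %w[bin lib buildout].each { |d| FileUtils.mkdir_p(File.join(root, d)) }
    File.write(File.join(root, 'bin', 'passenger-config'), "#!/usr/bin/env ruby\n")
    File.write(File.join(root, 'lib', 'helper.rb'), "# constructed file\n")
    File.chmod(0o755, root, File.join(root, 'bin'), File.join(root, 'lib'))
    File.chmod(0o755, File.join(root, 'bin', 'passenger-config')) # fine
    File.chmod(0o664, File.join(root, 'lib', 'helper.rb'))        # group-writable
    File.chmod(0o777, File.join(root, 'buildout'))                 # world-writable

    tamperable_entries(root, trusted_uids: [0, Process.uid])
      .select { |path, _| path.start_with?(root) }
      .map { |path, reason| [path.delete_prefix(root + '/'), reason] }
      .sort
  end
end

if __FILE__ == $PROGRAM_NAME
  root = ARGV[0]
  findings = root ? tamperable_entries(root) : demo_audit
  puts(warning_text(root || 'demo tree', findings) || 'No tamperable entries found.')
end
```

Run it with the path of a real Passenger root (for example the directory printed by passenger-config --root) as the first argument; with no argument it audits the constructed demo tree instead. In production the trusted set stays at uid 0 only: an install root owned by an unprivileged user is exactly the gem-plus-sudo situation described above.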

Apache crash on startup fixed (macOS)

In the previous Passenger version we introduced a number of improvements in the logging core. Unfortunately, this also created a race condition (segfault) when the Apache integration module was used (GH-1973), because the module is normally loaded twice in quick succession. This issue manifested primarily on macOS hosts.

Various improvements & fixes

  • Adds support for Bundler 2.0's new gems.rb and gems.locked. Learn more about these in Gemfile's new clothes. Closes GH-1982.
  • [Nginx] It is now allowed to specify passenger_enabled in the http context as well.
  • [Nginx] Namespaced Jsoncpp under the Passenger namespace to avoid collisions with Google Pagespeed's copy when linked into Nginx.
  • [Enterprise, Standalone] Fixes duplicate warnings when Passengerfile.json contains errors.
  • [Enterprise, Standalone] passenger start now accepts the --start-timeout configuration option.
  • Removes Debian packages for Ubuntu 12.04 Precise (public support from Canonical ended).

Installing 5.1.11

Please see the installation guide.

Upgrading to 5.1.11

We strongly advise staying up to date with the latest version.

See also the upgrade notes below!

Platform-specific upgrade instructions are available for OS X, Debian, Ubuntu, Heroku, Red Hat, CentOS, the Ruby gem, the tarball and Docker.

If you are upgrading from 4.x, please read the 5.0 upgrade notes to learn about potential upgrade caveats.

Download issue with old gem version

Old versions of gem (below 2.2.0, released in 2013) may fail to download the Passenger Enterprise gem from our rubygem hosting software (Gem in a box).

ERROR: Could not find a valid gem 'passenger-enterprise-server' (= 5.1.4), here is why:
 Unable to download data from https://..@www.phusionpassenger.com/enterprise_gems/
 - bad response Unauthorized 401 

If this happens, please upgrade to a newer version of gem:

gem install rubygems-update; update_rubygems

Special notes about capistrano-passenger

If you are using Capistrano and capistrano-passenger, then it may fail with this error:

SSHKit::Runner::ExecuteError: Exception while executing as user@99.99.99.99: undefined method `[]' for nil:NilClass

NoMethodError: undefined method `[]' for nil:NilClass

Tasks: TOP => passenger:restart

This is due to an incompatibility in capistrano-passenger with Passenger 5.0.22 and later. Please upgrade capistrano-passenger to 0.2.0 or later.