Phusion Passenger is software that deploys Ruby and Python web apps by integrating into Apache and Nginx and turning them into a fully-featured application server. It is very fast, stable and robust, and is therefore used by the likes of the New York Times, AirBnB, Symantec, Pixar, etc. It comes with many features that make your life easier and your application perform better.
Phusion Passenger is under constant maintenance and development. Version 4.0.5 is a bugfix release.
Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.
- [Standalone] Fixed a regression that prevented Passenger Standalone from starting. Fixes issue #899.
- Fixed security vulnerability CVE-2013-2119.
Scope: local exploit
Summary: denial of service and arbitrary code execution by hijacking temp files
Affected versions: all versions
Fixed versions: 3.0.21 and 4.0.5
Phusion Passenger’s code did not always create temporary files and directories in a secure manner. Temporary files and directories were sometimes created with a predictable filename. A local attacker can pre-create temporary files, resulting in a denial of service. In addition, this vulnerability allows a local attacker to run arbitrary code as another user, by hijacking temporary files.
By pre-creating certain temporary files with certain permissions, attackers can prevent Passenger Standalone from starting (denial of service).

By pre-creating certain temporary files with certain other permissions, attackers can trick passenger start and the build system (which is invoked by passenger-install-nginx-module) into running arbitrary code. The code runs as the user that ran passenger start or the build system.

Attacks of this nature have to be timed exactly right: the attacker must overwrite the file contents right after Phusion Passenger has created the file contents, but right before the file is used. In the context of passenger start, the vulnerable window begins right after Passenger Standalone has created the Nginx config file, and ends when Nginx has read the config file. Once Nginx has started and initialized, the system is no longer vulnerable. passenger stop and the other Passenger Standalone commands besides start are not vulnerable. In the context of the build system, the vulnerable window begins when passenger-install-nginx-module prints its first dependency checking message, and ends when it prints the first compiler command.

The passenger start command, the passenger-install-apache2-module command and the passenger-install-nginx-module command are vulnerable. Phusion Passenger for Apache and Phusion Passenger for Nginx (once they are installed) are not vulnerable.
3.0.21 and 4.0.5 have been released to address this issue.
You can use this workaround if you are unable to upgrade. Before invoking any Phusion Passenger command, set the TMPDIR environment variable to a directory that is not world-writable. Special care must be taken when you use sudo: sudo resets all environment variables, so you should either invoke sudo with -E, or set the environment variable after gaining root privileges with sudo.
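The following Ruby snippet is an added illustration of the two points above (it is not Passenger's own code): a check that a candidate TMPDIR is not world-writable without the sticky bit, and temp-file creation with an unpredictable name, O_CREAT|O_EXCL and mode 0600, so that a file somebody else pre-created at the path is refused rather than reused. The function names and the scratch directory are assumptions made for this example.

```ruby
require 'securerandom'
require 'tmpdir'

# Hypothetical helper (not Passenger's own code): is this directory a reasonable
# place for temp files? It must be owned by the current user or root, and must
# not be world-writable unless the sticky bit is set (as on a standard /tmp).
# A world-writable, non-sticky directory lets any local user create or replace files.
def safe_temp_dir?(dir)
  st = File.stat(dir)
  return false unless st.directory?
  return false unless [Process.euid, 0].include?(st.uid)
  world_writable = (st.mode & 0o002) != 0
  !world_writable || st.sticky?
rescue Errno::ENOENT, Errno::EACCES
  false
end

# Open a path with O_CREAT|O_EXCL and mode 0600: if anything already exists at
# that path (a pre-created file or a symlink), the open fails with EEXIST instead
# of silently reusing or following it. Contents are written only on success.
def open_exclusive(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(contents)
  end
  path
end

# Hardened temp-file creation: refuse an unsafe directory, use an unpredictable
# name instead of something like "prefix.<pid>", and rely on the exclusive open.
def create_private_temp_file(dir, prefix, contents)
  raise ArgumentError, "#{dir} is not a safe temp directory" unless safe_temp_dir?(dir)
  open_exclusive(File.join(dir, "#{prefix}.#{SecureRandom.hex(16)}"), contents)
end

# Stand-alone demonstration: the first line is the check an operator would run
# against the directory TMPDIR points at before relying on the workaround.
if __FILE__ == $0
  puts "#{Dir.tmpdir} safe for temp files: #{safe_temp_dir?(Dir.tmpdir)}"
  Dir.mktmpdir("passenger-demo") do |dir|   # private scratch dir, constructed here
    path = create_private_temp_file(dir, "nginx-config", "worker_processes 1;\n")
    puts "created #{path} with mode #{format('%o', File.stat(path).mode & 0o777)}"
    begin
      open_exclusive(path, "replacement")   # same path again: must be refused
    rescue Errno::EEXIST
      puts "exclusive open refused the already-existing #{File.basename(path)}"
    end
  end
end
```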
Thanks to Kurt Seifried and Michael Scherer from Red Hat for reporting this issue.
Open source users can install the open source version of 4.0.5 with the following commands:
gem install passenger
passenger-install-apache2-module
passenger-install-nginx-module
In-depth installation and upgrade instructions can be found in the Installation section of the documentation. The documentation covers:
- Detailed tarball installation instructions.
- Detailed upgrade instructions.
- Installation troubleshooting.
- Installation through APT and YUM.
You can view the documentation online here: