Phusion white papers Phusion overview

Phusion Blog

Phusion Passenger 4.0.38 released

By Hongli Lai on March 10th, 2014


Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc are already using it, as well as over 350.000 websites.

Phusion Passenger is under constant maintenance and development. Version 4.0.38 is a bugfix release.

Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.

Recent changes

  • Fixed a symlink-related security vulnerability.

    Urgency: low
    Scope: local exploit
    Summary: writing files to arbitrary directory by hijacking temp directories
    Affected versions: 4.0.37
    Fixed versions: 4.0.38
    CVE-2014-1832

    Description: This issue is related to CVE-2014-1831 (the security issue as mentioned in the 4.0.37 release notes). The previous fix was incomplete, and still has a (albeit smaller) small attack time window in between two filesystem checks. This attack window is now gone.

  • Added support for the new Ruby 2.1.0 out-of-band garbage collector. This can much improve garbage collection performance, and drastically reduce request times.
  • Passenger Standalone is now compatible with IPv6.
  • Fixed some compilation problems on Solaris. See issue #1047.
  • passenger-install-apache2-module and passenger-install-nginx-module now automatically run in `–auto` mode if stdin is not a TTY. Fixes issue #1030.
  • Fixed an issue with non-bundled Meteor apps not correctly running in production mode.
  • The `PassengerPreStart` option is now compatible with IPv6 server sockets.
  • When running Python WSGI apps, `wsgi.run_once` is now set to False. This should improve the performance of certain apps and frameworks.
  • When handling HTTP requests with chunked transfer encoding, the ‘Transfer-Encoding’ header is no longer passed to the application. This is because the web server already buffers and dechunks the request body.
  • Fixed a possible hang in Phusion Passenger for Nginx when Nginx is instructed to reload or reopen log files. Thanks to Feng Gu, pull request #97.
  • The preferred Nginx version has been upgraded to 1.4.6.
  • Fixed a problem with running passenger-install-apache2-module and passenger-install-nginx-module on JRuby. They were not able to accept any terminal input after displaying the programming language menu.

Installing or upgrading to 4.0.38

OS X OS X Debian Debian Ubuntu Ubuntu
Heroku Heroku Ruby gem Ruby gem Tarball Tarball

Final

Phusion Passenger’s core is open source. Please fork or watch us on Github. 🙂

If you would like to stay up to date with Phusion news, please fill in your name and email address below and sign up for our newsletter. We won’t spam you, we promise.



  • http://lightyearsoftware.com/ Steve Madsen

    The release notes say that support for Ruby 2.1’s new OOBGC was added and link to the blog post in January discussing it. The pull request linked there hasn’t been merged and the last comment suggests doing additional testing.

    What’s the latest status on this feature? Is it ready for production use?

    Are the instructions for integration unchanged?

  • http://www.phusion.nl/ Hongli Lai

    The instructions are unchanged.

    There is currently a crasher bug that is under investigation.

  • fdsfdsf

    Is it fixed?

  • http://www.phusion.nl/ Hongli Lai