Phusion Passenger 4.0.5 released
Phusion Passenger is software that deploys Ruby and Python web apps, by integrating into Apache and Nginx and turning them into a fully-featured application server. It is very fast, stable and robust and thus used by the likes of New York Times, AirBnB, Symantec, Pixar, etc. It comes with many features that make your life easier and your application perform better.
Phusion Passenger is under constant maintenance and development. Version 4.0.5 is a bugfix release.
Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.
Recent changes
- [Standalone] Fixed a regression that prevented Passenger Standalone from starting. Fixes issue #899.
- Fixed security vulnerability CVE-2013-2119.
Urgency: low
Scope: local exploit
Summary: denial of service and arbitrary code execution by hijacking temp files
Affected versions: all versions
Fixed versions: 3.0.21 and 4.0.5
Description:
Phusion Passenger's code did not always create temporary files and directories in a secure manner. Temporary files and directories were sometimes created with a predictable filename. A local attacker can pre-create those files, resulting in a denial of service. In addition, this vulnerability allows a local attacker to run arbitrary code as another user by hijacking the temporary files.
By pre-creating certain temporary files with certain permissions, an attacker can prevent Passenger Standalone from starting (denial of service). By pre-creating certain temporary files with certain other permissions, an attacker can trick passenger start and the build system (which is invoked by passenger-install-apache2-module / passenger-install-nginx-module) into running arbitrary code. That code runs as the user who ran passenger start or the build system.
Attacks of this nature have to be timed exactly right: the attacker must replace the file contents after Phusion Passenger has written them, but before the file is used. In the context of passenger start, the vulnerable window begins right after Passenger Standalone has created the Nginx config file and ends when Nginx has read the config file. Once Nginx has started and initialized, the system is no longer vulnerable. passenger stop and other Passenger Standalone commands besides start are not vulnerable. In the context of the build system, the vulnerable window begins when passenger-install-apache2-module / passenger-install-nginx-module prints its first dependency checking message and ends when it prints the first compiler command.
Only the passenger start, passenger-install-apache2-module and passenger-install-nginx-module commands are vulnerable. Phusion Passenger for Apache and Phusion Passenger for Nginx (once they are installed) are not vulnerable.
Fixed versions:
3.0.21 and 4.0.5 have been released to address this issue.
Workaround:
You can use this workaround if you are unable to upgrade. Before invoking any Phusion Passenger command, set the TMPDIR environment variable to a directory that is not world-writable, so that other local users cannot pre-create files in it. Special care must be taken when you use sudo: sudo resets environment variables by default, so you should either invoke sudo with -E to preserve TMPDIR, or set the environment variable after gaining root privileges with sudo.
Credits:
Thanks to Kurt Seifried and Michael Scherer from Red Hat for reporting this issue.
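The advisory above describes the general temp-file pre-creation problem rather than the specific code paths. The following Ruby script is an added illustration, not Passenger's own code: it contrasts a write to a guessable name in a shared directory (the vulnerable pattern) with two hardened forms, O_CREAT|O_EXCL on the same name and a randomised name via Tempfile.create. The attack is simulated inside a throwaway directory that stands in for a world-writable TMPDIR; the file names passenger.conf and victim.txt and the config line are constructed for the demo.

```ruby
require "tmpdir"
require "tempfile"

# Vulnerable pattern (illustrative, not Passenger's actual code): a fixed,
# guessable name under a shared directory, opened without O_EXCL. File.write
# follows whatever already sits at that path, symlink included.
def insecure_write(dir, basename, content)
  path = File.join(dir, basename)
  File.write(path, content)
  path
end

# Hardened pattern 1: keep the name but refuse to reuse an existing entry.
# O_CREAT|O_EXCL makes open(2) fail with EEXIST if anything (regular file,
# symlink, directory) is already there; mode 0600 keeps other users out.
def secure_write(dir, basename, content)
  path = File.join(dir, basename)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(content)
  end
  path
end

# Hardened pattern 2: an unpredictable name (the mkstemp approach).
# Tempfile.create picks a random suffix and opens with O_EXCL and 0600.
def secure_write_random(dir, prefix, content)
  file = Tempfile.create([prefix, ".conf"], dir)
  file.write(content)
  file.close
  file.path
end

# Simulates the pre-creation attack from the advisory. The "attacker" plants
# a symlink at the predictable name so the victim's write lands on a file the
# attacker chose (victim.txt, constructed for the demo). Returns a hash of
# observations so the outcome can be checked rather than just printed.
def run_demo
  Dir.mktmpdir("cve-2013-2119-demo") do |tmp|
    victim = File.join(tmp, "victim.txt")
    File.write(victim, "original contents")
    planted = File.join(tmp, "passenger.conf")   # guessable name, constructed
    File.symlink(victim, planted)

    # Vulnerable path: the symlink is followed and victim.txt is clobbered.
    insecure_write(tmp, "passenger.conf", "worker_processes 1;\n")
    clobbered = File.read(victim)

    # Hardened path, same pre-planted name: O_EXCL refuses to open it, so the
    # caller learns the name was taken instead of silently using it.
    refused = begin
      secure_write(tmp, "passenger.conf", "worker_processes 1;\n")
      false
    rescue Errno::EEXIST
      true
    end

    # Random name: there is no fixed name for an attacker to pre-create.
    random_path = secure_write_random(tmp, "passenger", "worker_processes 1;\n")

    {
      victim_clobbered: clobbered != "original contents",
      secure_refused: refused,
      random_name_differs: File.basename(random_path) != "passenger.conf",
      random_mode: File.stat(random_path).mode & 0777,
    }
  end
end

if __FILE__ == $0
  p run_demo
end
```

Refusing on EEXIST is the important part: a pre-existing entry at the name you intended to create is exactly the signal that someone else got there first, and aborting is safer than continuing with a file another local user may own or have replaced. Note that the demo runs as a single user, so it cannot show the permission-based denial of service the advisory mentions; it shows the name-hijack half of the problem.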
Installing 4.0.5
Quick install/upgrade
Phusion Passenger Enterprise users can download the Enterprise version of 4.0.5 from the Customer Area.
Open source users can install the open source version of 4.0.5 with the following commands:
gem install passenger
passenger-install-apache2-module
passenger-install-nginx-module
You can also download the tarball at Google Code. We strongly encourage you to cryptographically verify files after downloading them.
In-depth instructions
In-depth installation and upgrade instructions can be found in the Installation section of the documentation. The documentation covers:
- Detailed tarball installation instructions.
- Detailed upgrade instructions.
- Installation troubleshooting.
- Installation through APT and YUM.
You can view the documentation online here:
Final
If you would like to stay up to date with Phusion news, please fill in your name and email address below and sign up for our newsletter. We won’t spam you, we promise.