Phusion Passenger 4.0.30 released, fixes Date header bug that causes cookies to expire prematurely
A few hours ago we were notified of a serious bug in Phusion Passenger 4. If the web app does not supply a Date header, Phusion Passenger normally adds one in order to comply with the HTTP standard. Unfortunately, due to the use of the wrong date format string, December 30 2013 and December 31 2013 are formatted as December 30 2014 and December 31 2014, respectively. As a result, cookies that expire before 2014 would expire on December 30 2013 and December 31 2013. Details can be found at GitHub pull request 93.
This issue only affects Phusion Passenger for Nginx and Phusion Passenger Standalone. The following are not affected:
- Phusion Passenger for Apache.
- Phusion Passenger versions older than 4.0.0 are also not affected because those versions did not try to set the Date header.
- Web apps that set a Date header themselves.
- Cookies that expire after 2014.
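The post does not name the faulty format specifier. The added example below (not Phusion's code) assumes it was strftime's ISO 8601 week-based year, `%G`, used in place of the calendar year `%Y`, which reproduces exactly the two dates named above. It also lists the affected days for any year and includes a hypothetical monitoring helper, `date_header_skewed?`, that flags a Date header that disagrees with the observer's clock.

```ruby
require "time"

# Assumption: the wrong specifier is %G (ISO 8601 week-based year).
# %Y is the calendar year that an HTTP Date header needs.
BUGGY_FORMAT   = "%a, %d %b %G %H:%M:%S GMT"
CORRECT_FORMAT = "%a, %d %b %Y %H:%M:%S GMT"

# Format a Time as an HTTP date. getutc returns a copy, so the
# caller's object is not switched to UTC as a side effect.
def http_date(time, format = CORRECT_FORMAT)
  time.getutc.strftime(format)
end

# Days of the given calendar year on which the two formats disagree,
# i.e. days whose ISO week belongs to the previous or the next year.
def mismatched_days(year)
  day = Time.utc(year, 1, 1)
  result = []
  while day.year == year
    if http_date(day, BUGGY_FORMAT) != http_date(day)
      result << day.strftime("%Y-%m-%d")
    end
    day += 86_400
  end
  result
end

# Hypothetical monitoring check: true when a Date header observed on a
# response is more than `tolerance` seconds away from the observer's clock.
def date_header_skewed?(header_value, now, tolerance = 300)
  (Time.httpdate(header_value) - now).abs > tolerance
end

if __FILE__ == $0
  sample = Time.utc(2013, 12, 30, 12, 0, 0) # constructed sample timestamp
  puts "buggy:   #{http_date(sample, BUGGY_FORMAT)}"
  puts "correct: #{http_date(sample)}"
  puts "affected days in 2013: #{mismatched_days(2013).join(', ')}"
  puts "skew detected: #{date_header_skewed?(http_date(sample, BUGGY_FORMAT), sample)}"
end
```

Under that assumption the same class of bug recurs around every year boundary where the ISO week straddles two calendar years, so a regression test should cover late December and early January of several years rather than a single date.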
We’ve taken immediate action and released version 4.0.30, which addresses this issue. You should upgrade immediately.
You can work around this problem in your application by setting a Date header. For example, in Rails you can do:
```ruby
before_filter { response.date = Time.now.utc }
```
Many thanks to Jeff Michael Dean (zilkey), Adam Becker and many others for bringing this to our attention and for providing suggestions, workarounds and feedback.
Upgrading to 4.0.30