Phusion Passenger 4.0.41 released, OpenSSL Heartbleed security update
Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc are already using it, as well as over 350.000 websites.
Phusion Passenger 4.0.41 has been released ahead of time in order to address the OpenSSL heartbleed security issue (CVE-2014-0160). This is an extremely serious vulnerability in OpenSSL which can completely negate the security that it provides. Users are advised to upgrade as soon as possible.
Phusion Passenger’s relationship with the OpenSSL heartbleed vulnerability is as follows.
We provide precompiled binaries for Passenger Standalone. These binaries are statically linked to OpenSSL in order to make them useable on a wide range of operating systems. With 4.0.41, the binaries have been upgraded to link against OpenSSL 1.0.1g, which fixes the heartbleed vulnerability.
You are vulnerable if:
- You are using Passenger Standalone, with SSL enabled inside Passenger Standalone (that is,
passenger start --ssl).
You are not vulnerable (to the Passenger Standalone static linking issue) if:
- You are not using Passenger Standalone (e.g. if you’re using Phusion Passenger through the Apache or Nginx integration mode).
- You are using Passenger Standalone, but without SSL.
- Your Passenger Standalone is behind another SSL-enabled reverse proxy.
Update: Please note that the only thing this Phusion Passenger update fixes, is any potential vulnerabilities in the Passenger Standalone binaries that we provide. Your system as a whole may still be vulnerable because you’re running a vulnerable OpenSSL version. Please check with your vendor for system updates.
There aren’t many other changes in this release:
- Fixed some issues with printing UTF-8 log files on Heroku.
- Added a new flag
--ignore-app-not-runningtopassenger-config restart-app.
When this flag is given,passenger-config restart-appwill exit successfully
when the specified application is not running, instead of exiting with
an error.
Installing or upgrading to 4.0.41
 OS X |
 Debian |
 Ubuntu |
 Heroku |
 Ruby gem |
 Tarball |
Final
Phusion Passenger’s core is open source. Please -
Hello, we are Phusion. We provide amazing products and services for web apps written in Ruby, Python, Node.js and Meteor.
Featured articles
- Docker-friendly Vagrant boxes
- Duplicity + S3: easy, cheap, encrypted, automated full-disk backups for your servers
- Efficient Substring Searching
- Mail in 2012 from an admin’s perspective
- Making Ruby threadable: properly handling context switching in native extensions
- Objective-C for Ruby developers
- Passing environment variables to Ruby from Phusion Passenger
- Securely store passwords with bcrypt-ruby
- The right way to deal with frozen processes on Unix
- Tuning Phusion Passenger's concurrency settings
- Tutorial: setting up Gitlab on Debian 6
- Why Rails 4 Live Streaming is a big deal
Phusion. All rights reserved.