Phusion white papers Phusion overview

Phusion Blog

Security advisory: Phusion Passenger and the CVE-2014-6271 Bash vulnerability

By Hongli Lai on September 25th, 2014

On 24 September 2014, an important security vulnerability for Bash was published. This vulnerability, dubbed “Shellshock” and with identifiers CVE-2014-6271 and CVE-2014-7169, allows remote code execution.

This vulnerability is not caused by Phusion Passenger, but does affect Phusion Passenger. We strongly advise users to upgrade their systems as soon as possible. Please note that while CVE-2014-6271 has been patched, CVE-2014-7169 isn’t. A fix is still pending.

Update: CVE-2014-7169 has been patched in Debian 7. Other operating system vendors may follow soon.

For details about how Phusion Passenger is related to this vulnerability, please refer to

Please refer to your operating system vendor’s upgrade instructions, for example: