This release contains many security updates. Users are advised to upgrade as soon as possible. See our blog for more information on the vulnerabilities.
[Nginx] Fixes CVE-2018-12029, a local privilege escalation vulnerability in the Nginx module that occurs when passenger_instance_registry_dir is configured to a directory with insufficiently strict permissions.
Fixes CVE-2018-12026, 12027, and 12028. These are local denial of service, local information disclosure and local privilege escalation vulnerabilities that could be exploited by malicious applications or malicious users on the system.
Updated various library versions used in precompiled binaries (used for e.g. gem installs):
OpenSSL (Linux only): 1.0.2o (was: 1.0.2k; on macOS it was already 1.0.2o)
GeoIP: 1.6.12 (was: 1.6.11)
libcurl: 7.60.0 (was: 7.56.1)
Fixes Meteor support in non-bundled mode (regression from 5.3.0). Closes GH-2082.
Fixes the fact that the error page (which is shown when an app fails to spawn) sometimes contains unsufficient analysis details about the app.
[Apache] Fixes PassengerMaxInstancesPerApp not being respected (regression from config refactor in 5.2.0). Closes GH-2059.
[Enterprise, Apache] Fixes PassengerMaxInstances not being respected (regression from config refactor in 5.2.0).
[Enterprise] Fixes passenger-irb being unable to connect to an app process (regression from 5.3.0). Closes GH-2087.
Release 5.3.1
Fixes a regression from 5.3.0: a crash that occurs if the user that an application should run under, does not have a shell configured. Closes GH-2078.
Fixes a regression from 5.3.0: setting supplementary group IDs during user switching. Closes GH-2077.
Release 5.3.0
Adds Ubuntu 18.04 "Bionic" packages.
Removes packages for Debian 7 "Wheezy" (EOL May 2018).
Vastly improves spawning error page: quick overview of where the problem is, and the option to drill down in extensive troubleshooting information.
Fuse Panel support: fixes a crash that occurs when you shut down Passenger right after it fails to connect to Fuse Panel.
[Nginx] Updates the preferred Nginx version to 1.14.0 (from 1.12.2).
[Apache] Updates the recommended package for apache dev headers on debian >= 9.4. Closes GH-2048.
[Enterprise] Fix licensing proxy warning to refer to licensing_proxy_url instead of licensing_proxy.
[Enterprise] Add new PassengerAppLogFile (Apache) / passenger_app_log_file (Nginx) config option to specify a file for app-specific logs. Closes GH-1279.
Release 5.2.3
Fuse Panel support: fixes a few bugs with handling small log files and with apps that don't output any messages.
Python app support: fixes a Python 3 compatibility issue w.r.t. writing data over the socket.
macOS support: fixes a crash in the passenger-config compile-nginx-engine command which only occurs on macOS >= 10.13. This crash was caused by a missing require call in our code, and affects users who compile Passenger from source, e.g. users of the Passenger Enterprise Homebrew formula.
Fixes a small memory corruption issue (dangling pointer) in the ApplicationPool subsystem.
Improves support for the $TMPDIR environment variable by removing leftover hardcoded references to /tmp. Closes GH-2052.
Updated PCRE version to 8.42 (was: 8.41) across the board.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/atheiman/better-chef-rundeck/network/alerts).
Bumps passenger from 5.1.12 to 5.3.2.
Changelog
Sourced from passenger's changelog.
... (truncated)
Commits
5e4d605
Prepare for released98fafe
Fix compilation problem in SchemaPrinterMaine83a117
Update CHANGELOG1cfb17a
Upgrade passenger_binary_build_automationb970339
SpawningKit properties.json validation handling: correctly set errored journe...a4f2b12
SpawningKit HandshakePerform: add more trace pointsbd77908
SpawningKit HandshakePerform: ensure that more SpawnExceptions contain inform...c3fa512
Warn if instance registry dir insecure1e7c82d
SpawningKit: do not allow killing the PID returned by the preloader until we ...3f270a9
SpawningKit: sanity-check Unix domain socket addresses reported by the appDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/atheiman/better-chef-rundeck/network/alerts).