Release 4.0.21
--------------
* [Nginx] Upgraded the preferred Nginx version to 1.4.3.
* Preliminary OS X Mavericks support.
* Work around an Apache packaging bug in CentOS 5.
* Various user friendliness improvements in the documentation and the
installers.
* Fixed a bug in the always_restart.txt support. Phusion Passenger was
looking for it in the wrong directory.
* Many Solaris and Sun Studio compatibility fixes. Special thanks to
"mark" for his extensive assistance.
* [Standalone] The --temp-dir command line option has been introduced.
Release 4.0.20
--------------
* Fixed a bug in Phusion Passenger Standalone's daemon mode. When in daemon
mode, the Nginx temporary directory was deleted prematurely, causing some
POST requests to fail. This was a regression that was introduced in 4.0.15
as part of an optimization.
* Fixed compilation problems on Solaris 10 with Sun Studio 12.3.
* Improved detection of RVM problems.
* It is now possible to log the request method to Union Station.
* Introduced a new option, `PassengerLoadShellEnvvars` (Apache) and
`passenger_load_shell_envvars` (Nginx). This allows enabling or disabling
the loading of bashrc before spawning the application.
* [Enterprise] Fixed a packaging problem which caused the flying-passenger
executable not to be properly included in the bin path.
* [Enterprise] Fixed a race condition which sometimes causes the Flying
Passenger socket to be deleted after a restart. Fixes issue #939.
* [Enterprise] The `byebug` gem is now supported for debugging on Ruby 2.0.
The byebug gem requires a patch before this works:
https://github.com/deivid-rodriguez/byebug/pull/29
Release 4.0.19
--------------
* Fixed a problem with response buffering. Application processes are now
properly marked available for request processing immediately after they're
done sending the response, instead of after having sent the entire response
to the client.
* The "processed" counter in `passenger-status` is now bumped after the process
has handled a request, not at the beginning.
* [Enterprise] Fixed an off-by-one bug in the `passenger_max_processes` setting.
Release 4.0.18
--------------
* The Enterprise variant of Phusion Passenger Standalone now supports
customizing the concurrency model and thread count from the command line.
* On Nginx, the Enterprise license is now only checked if Phusion Passenger
is enabled in Nginx. This allows you to deploy Nginx binaries, that have
Phusion Passenger Enterprise compiled in, to servers that are not
actually running Phusion Passenger Enterprise.
* Fixed a performance bug in the Union Station support code. In certain cases
where a lot of data must be sent to Union Station, the code is now over
100 times faster.
* `passenger-status --show=union_station` now displays all clients that
are connected to the LoggingAgent.
* Added a workaround for Heroku so that exited processes are properly detected
as such.
* When using Phusion Passenger Standalone with Foreman, pressing Ctrl-C
in Foreman no longer results in runaway Nginx processes.
* Fixed backtraces in the Apache module.
Release 4.0.17
--------------
* Fixed compilation problems on GCC 4.8 systems, such as Arch Linux 2013.04.
Fixes issue #941.
* Fixed some deprecation warnings when compiling the Ruby native extension
on Ruby 2.0.0.
* Fixed some Union Station-related stability issues.
Release 4.0.16
--------------
* Allow Phusion Passenger to work properly on systems where the user's GID
does not have a proper entry in /etc/group, such as Heroku.
Release 4.0.15
--------------
* Out-of-band work has been much improved. The number of processes which
may perform out-of-band work concurrently has been limited to 1.
Furthermore, processes which are performing out-of-band work are now
included in the max pool size constraint calculation. However, this
means that in order to use out-of-band work, you need to have at least
2 application processes running. Out-of-band work will never be triggered
if you just have 1 process. Partially fixes issue #892.
* Phusion Passenger now displays an error message to clients if too many
requests are queued up. By default, "too many" is 100. You may customize
this with `PassengerMaxRequestQueueSize` (Apache) or
`passenger_max_request_queue_size` (Nginx).
* A new configuration option, `PassengerStartTimeout` (Apache) and
`passenger_start_timeout` (Nginx), has been added. This option allows you
to specify a timeout for application startup. The startup timeout has existed
since version 4.0.0, but before version 4.0.15 it was hardcoded at a value
of 90 seconds. Now it is customizable. Fixes issue #936.
* [Enterprise] The `PassengerMaxRequestTime`/`passenger_max_request_time`
feature is now available for Python and Node.js as well, and is no longer
limited to just Ruby. Fixes issue #938.
* [Nginx] Introduced a configuration option `passenger_intercept_errors`,
which decides if Nginx will intercept responses with HTTP status codes of
400 and higher. Its effect is similar to `proxy_intercept_errors`.
* [Standalone] Memory usage optimization: when `passenger start` is run with
`--daemonize`, the frontend exits after starting the Nginx core. This saves
~20 MB of memory per `passenger start` instance.
* [Standalone] Phusion Passenger Standalone is now also packaged in the
Debian packages.
* [Standalone] Fix a problem with the `passenger stop` command on Ruby 1.8.7.
The 'thread' library was not properly required, causing a crash.
* [Standalone] There is now builtin support for SSL.
* Fix a crash when multiple `passenger_pass_header` directives are set.
Fixes issue #934.
* Permissions on the server instance directory are now explicitly set
with chmod, so that permissions are correct on systems with a non-default
umask. Fixes issue #928.
* Fix permission problems when running `passenger start` with `--user`.
* `passenger-config --detect-apache2` now correctly detects the error log
filename on Amazon Linux. Fixes issue #933.
* An environment variable `PASSENGER_THREAD_LOCAL_STORAGE` has been added
to the build system for forcefully disabling the use of thread-local
storage within the Phusion Passenger codebase. This flag is useful on systems
that have broken support for thread-local storage, despite passing our build
system's check for proper thread-local storage support. At the time of
writing, one user has reported that Ubuntu 12.04 32-bit has broken
thread-local storage support, although neither the reporter nor we were able
to reproduce the problem on any other systems running Ubuntu 12.04 32-bit.
Note that this flag has no effect on non-Phusion Passenger code. Fixes
issue #937.
* It is now possible to preprocess events before they are sent to Union
Station. This is useful for removing confidential data as demonstrated in
this example `config/initializers/passenger.rb` file:
    if defined?(PhusionPassenger)
      event_preprocessor = lambda do |e|
        e.payload[:sql].gsub!("secret","PASSWORD") if e.payload[:sql]
      end
      PhusionPassenger.install_framework_extensions!(:event_preprocessor => event_preprocessor)
    end
Release 4.0.14
--------------
* Fixed a bug in Passenger Standalone's source compiler, for the specific
case when the downloaded Nginx binary doesn't work, and compilation
of the Nginx binary did not succeed the first time (e.g. because of
missing dependencies).
* Precompiled Ruby native extensions are now automatically downloaded.
Release 4.0.13
--------------
* Updated preferred Nginx version to 1.4.2.
* Worked around the fact that FreeBSD 9.1 has a broken C++ runtime. Patch
contributed by David Keller.
* Autogenerated HTTP Date headers are now in UTC instead of local time.
This could cause cookies to have the wrong expiration time. Fixes issue #913.
* Fixed compatibility problems with Ruby 1.8.6 (issue #924).
* Introduced a tool, `passenger-config --detect-apache2`, which autodetects
all Apache installations on the system along with their parameters (which
apachectl command to run, which log file to read, which config file to edit).
The tool advises users about how to use that specific Apache installation.
Useful if the user has multiple Apache installations but doesn't know about
it, or when the user doesn't know how to work with multiple Apache
installations.
* Added an API for better Rack socket hijacking support.
* Added a hidden configuration option for customizing the application start
timeout. A proper configuration option will be introduced in the future.
* Added autodetection support for Amazon Linux.
* Fixed process metrics collection on some operating systems. Some systems'
'ps' command expects no space between -p and the list of PIDs.
Release 4.0.10
--------------
* Fixed a crash in PassengerWatchdog which occurs on some OS X systems.
* Fixed exception reporting to Union Station.
* Improved documentation.
Release 4.0.9
-------------
* [Enterprise] Fixed a problem with passenger-irb.
Release 4.0.8
-------------
* Fixed a problem with graceful web server restarts. When you gracefully
restart the web server, it would cause Phusion Passenger internal sockets
to be deleted, thus causing Phusion Passenger to go down. This problem
was introduced in 4.0.6 during the attempt to fix issue #910.
* The PassengerRestartDir/passenger_restart_dir now accepts relative
filenames again, just like in Phusion Passenger 3.x. Patch
contributed by Ryan Schwartz.
* Documentation updates contributed by Gokulnath Manakkattil.
* [Enterprise] Fixed a license key checking issue on some operating systems,
such as CentOS 6.
Release 4.0.7
-------------
* There was a regression in 4.0.6 that sometimes prevents
PassengerLoggingAgent from starting up. Unfortunately this slipped
our release testing. This regression has been fixed and we've updated
our test suite to check for these kinds of regressions.
Release 4.0.6
-------------
* Fixed a potential 100% CPU lock up in the crash handler, which only occurs
on OS X. Fixes issue #908.
* Fixed a crash in request handling, when certain events are triggered after
the client has already disconnected. Fixes issue #889.
* Phusion Passenger will no longer crash when the Phusion Passenger
native_support Ruby extension cannot be compiled, e.g. because the Ruby
development headers are not installed or because the current user has no
permission to save the native extension file. Fixes issue #890.
* Fixed OS X 10.9 support. Fixes issue #906.
* Removed dependency on bash, so that Phusion Passenger works out of the box
on BSD platforms without installing/configuring bash. Fixes issue #911.
* Fix 'PassengerPoolIdleTime 0' not being respected correctly. Issue #904.
* Admin tools improvement: it is now possible to see all currently running
requests by invoking `passenger-status --show=requests`.
* A new feature called Flying Passenger allows you to decouple the life time
of Phusion Passenger from the web server, so that both can be restarted
independently from each other. Please refer to
http://blog.phusion.nl/2013/07/03/technology-preview-introducing-flying-passenger/
for an introduction.
* [Apache] Fixed compatibility with Apache pipe logging. Previously this
would cause Phusion Passenger to lock up with 100% CPU during Apache
restart.
* [Nginx] The Nginx configure script now checks whether 'ruby' is in $PATH.
Previously, if 'ruby' is not in $PATH, then the compilation process fails
with an obscure error.
* [Nginx] passenger-install-nginx-module now works properly even when Phusion
Passenger is installed through the Debian packages. Before, the installer
would tell you to install Phusion Passenger through the gem or tarball
instead.
* [Enterprise] Added pretty printing helpers to the Live IRB Console.
* Fixed permissions on a subdirectory in the server instance directory. The
server instance directory is a temporary directory that Phusion Passenger
uses to store working files, and is deleted after Phusion Passenger exits.
A subdirectory inside it is world-writable (but not world-readable) and is
used for storing Unix domain sockets created by different apps, which may
run as different users. These sockets had long random filenames to prevent
them from being guessed. However because of a typo, this subdirectory was
created with the setuid bit, when it should have had the sticky bit (to prevent
existing files from being deleted or renamed by a user that doesn't own the
file). This has now been fixed.
* If the server instance directory already exists, it will now be removed
first in order to get correct directory permissions. If the directory still
exists after removal, Phusion Passenger aborts to avoid writing to a
directory with unexpected permissions. Fixes issue #910.
* The installer now checks whether the system has enough virtual memory, and
prints a helpful warning if it doesn't.
* Linux/AArch64 compatibility fixes. Patch contributed by Dirk Mueller.
* Improved documentation.
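
The setuid/sticky mix-up and the remove-then-recreate rule described in the two server instance directory items above can be checked mechanically. The following Ruby sketch is an added example, not Phusion Passenger's own code: the function names are hypothetical and the mode 01733 is a constructed value chosen to match "world-writable (but not world-readable)" with the sticky bit set.

```ruby
require 'tmpdir'
require 'fileutils'

S_ISUID = 0o4000   # setuid bit
S_ISVTX = 0o1000   # sticky bit

# Audit the permission bits of a directory that several users write
# sockets into. Returns a list of findings; empty means acceptable.
def shared_dir_findings(mode)
  findings = []
  findings << :setuid_on_directory if (mode & S_ISUID) != 0
  # Without the sticky bit, any user who can write to the directory can
  # delete or rename entries owned by other users.
  if (mode & 0o002) != 0 && (mode & S_ISVTX) == 0
    findings << :world_writable_without_sticky
  end
  # World-readable would let any user list the random socket names.
  findings << :world_readable if (mode & 0o004) != 0
  findings
end

# Create the shared socket directory (hypothetical helper).
# - A pre-existing entry is removed first; if it is still there
#   afterwards, abort rather than reuse unexpected permissions.
# - Permissions are set with an explicit chmod, so the process umask
#   cannot change the result.
def create_socket_dir(path, mode = 0o1733)
  exists = lambda { File.exist?(path) || File.symlink?(path) }
  FileUtils.remove_entry(path) if exists.call
  raise "#{path} still exists after removal, aborting" if exists.call

  Dir.mkdir(path, 0o700)
  File.chmod(mode, path)

  findings = shared_dir_findings(File.lstat(path).mode)
  raise "unexpected permissions on #{path}: #{findings.inspect}" unless findings.empty?
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed modes: the mistaken one (setuid) and the intended one (sticky).
  { "04733 (setuid by mistake)" => 0o4733,
    "01733 (sticky, intended)"  => 0o1733 }.each do |label, mode|
    puts "#{label}: #{shared_dir_findings(mode).inspect}"
  end

  Dir.mktmpdir("instance-dir-demo") do |parent|
    path = create_socket_dir(File.join(parent, "sockets"))
    puts format("created %s with mode %o", path, File.stat(path).mode & 0o7777)
  end
end
```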
Release 4.0.5
-------------
* [Standalone] Fixed a regression that prevented Passenger Standalone
from starting. Fixes issue #899.
* Fixed security vulnerability CVE-2013-2119.
Urgency: low
Scope: local exploit
Summary: denial of service and arbitrary code execution by hijacking temp files
Affected versions: all versions
Fixed versions: 3.0.21 and 4.0.5
Description:
Phusion Passenger's code did not always create temporary files and directories in a secure manner. Temporary files and directories were sometimes created with a predictable filename. A local attacker can pre-create temporary files, resulting in a denial of service. In addition, this vulnerability allows a local attacker to run arbitrary code as another user, by hijacking temporary files.
By pre-creating certain temporary files with certain permissions, attackers can prevent Passenger Standalone from starting (denial of service).
By pre-creating certain temporary files with certain other permissions, attackers can trick `passenger start` and the build system (which is invoked by `passenger-install-apache2-module`/`passenger-install-nginx-module`) to run arbitrary code. The user that the code is run as, is equal to the user that ran `passenger start` or the build system. Attacks of this nature have to be timed exactly right. The attacker must overwrite the file contents right after Phusion Passenger has created the file contents, but right before the file is used. In the context of `passenger start`, the vulnerable window begins right after Passenger Standalone has created the Nginx config file, and ends when Nginx has read the config file. Once Nginx has started and initialized, the system is no longer vulnerable. `passenger stop` and other Passenger Standalone commands besides `start` are not vulnerable. In the context of the build system, the vulnerable window begins when `passenger-install-apache2-module`/`passenger-install-nginx-module` prints its first dependency checking message, and ends when it prints the first compiler command.
Only the `passenger start` command, the `passenger-install-apache2-module` command and the `passenger-install-nginx-module` commands are vulnerable. Phusion Passenger for Apache and Phusion Passenger for Nginx (once they are installed) are not vulnerable.
Fixed versions:
3.0.21 and 4.0.5 have been released to address this issue.
Workaround:
You can use this workaround if you are unable to upgrade. Before invoking any Phusion Passenger command, set the `TMPDIR` environment variable to a directory that is not world-writable. Special care must be taken when you use sudo: sudo resets all environment variables, so you should either invoke sudo with `-E`, or you must set the environment variable after gaining root privileges with sudo.
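
The two defensive measures behind this advisory, checking that `TMPDIR` is not world-writable before running an unpatched command and creating temporary files so that a pre-created entry is detected rather than reused, look like this in Ruby. This is an added example, not the code of the actual fix: the function names are hypothetical, the file name `nginx.conf` is a constructed sample, and the ownership check is stricter than the workaround text requires.

```ruby
require 'tmpdir'
require 'fileutils'

# Reasons why +dir+ should not be used as TMPDIR for the workaround.
# An empty array means the directory is acceptable.
def tmpdir_problems(dir)
  st = File.lstat(dir)                      # lstat: do not follow a symlink
  return [:symlink] if st.symlink?
  return [:not_a_directory] unless st.directory?

  problems = []
  problems << :world_writable if (st.mode & 0o002) != 0
  # Assumption, stricter than the advisory: the directory must also
  # belong to the user who is about to run the command.
  problems << :owned_by_other_user unless st.uid == Process.euid
  problems
rescue Errno::ENOENT
  [:missing]
end

# Create +path+ only if nothing exists under that name yet. O_CREAT|O_EXCL
# makes the check and the creation a single atomic step and also refuses
# to go through a symlink placed at +path+. Returns true when the file was
# created by us, false when something was already there.
def create_exclusive(path, content)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(content)
  end
  true
rescue Errno::EEXIST
  false
end

# Private working directory with an unpredictable name and mode 0700,
# so generated files inside it cannot be replaced by other local users.
def private_workdir(prefix, base = Dir.tmpdir)
  dir = Dir.mktmpdir(prefix, base)
  File.chmod(0o700, dir)                    # explicit, independent of umask
  dir
end

if __FILE__ == $PROGRAM_NAME
  tmpdir = ENV["TMPDIR"] || Dir.tmpdir
  problems = tmpdir_problems(tmpdir)
  if problems.empty?
    puts "#{tmpdir}: acceptable as TMPDIR for the workaround"
  else
    puts "#{tmpdir}: not acceptable (#{problems.join(', ')})"
  end

  work = private_workdir("standalone-demo")
  begin
    conf = File.join(work, "nginx.conf")    # constructed sample name
    puts "first create:  #{create_exclusive(conf, "# generated config\n")}"
    puts "second create: #{create_exclusive(conf, "# other content\n")}"
  ensure
    FileUtils.remove_entry(work)
  end
end
```

On a typical system the first line reports `/tmp` as not acceptable because it is world-writable, which is exactly the condition the workaround tells you to avoid.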
Release 4.0.4
-------------
* Fixed autodetection of noexec-mount /tmp directory. Fixes issue #850
and issue #625.
* Fixed a WSGI bug. wsgi.input was a file object opened in text mode,
but should be opened in binary mode. Fixes issue #881.
* Fixed a potential crash in Out-of-Band Work. Fixes issue #894.
* Fixed a potential crash in rolling restarting, which only occurs if a
process was also being spawned at the same time. Fixes issue #896.
* [Apache] The RailsBaseURI and RackBaseURI directives have been unified.
For a long time, RailsBaseURI told Phusion Passenger that the given
sub-URI belongs to a **Rails 2** application. Attempting to use this
directive with Rails 3 or with Rack applications would result in an
error. Because this confused users, RailsBaseURI and RackBaseURI
have now been unified and can now be used interchangeably. Phusion
Passenger will automatically detect what kind of application it is.
The Nginx version already worked like this. Fixes issue #882.
* [Standalone] The Passenger Standalone temp directory and
PassengerWatchdog server instance directory have been unified.
PassengerWatchdog already automatically updates the timestamps of
all files in its server instance directory every 6 hours to prevent
/tmp cleaners from deleting the directory. Therefore this
unification prevents the Passenger Standalone temp directory from being
deleted by /tmp cleaners as well. Fixes issue #654.
* [Standalone] types_hash_max_size has been increased from 1024 to
2048. This solves a problem that causes Nginx not to start on some
platforms. Contributed by Jan-Willem Koelewijn.
Release 4.0.3
-------------
* Better protection is now provided against application processes that
are stuck and refuse to shut down cleanly. Since version 4.0.0,
Phusion Passenger already forcefully shuts down all processes during
web server shutdown. In addition to this, 4.0.3 now also forcefully
shuts down processes that take more than 1 minute to shut down, even
outside the context of web server shutdowns. This feature does not,
however, protect against requests that take too long. Use
PassengerMaxRequestTime (Apache) or passenger_max_request_time (Nginx)
for that.
* Fixed a crash in the HelperAgent which results in frequent process
restarts in some traffic patterns. Fixes issue #862.
* Fixed a problem that prevents processes from being spawned correctly
if the user's bashrc changes working directory. Fixes issue #851.
* passenger-status now also displays CPU usage.
* The installer now checks for checksums when automatically downloading
PCRE and Nginx. Contributed by Joshua Lund.
* An error is now printed when trying to daemonize Phusion Passenger
Standalone on Ruby implementations that don't support forking.
Contributed by Benjamin Fleischer.
* Although Phusion Passenger already supported JRuby, *installing*
Phusion Passenger with JRuby was not possible. This has been fixed.
* Various other minor bug fixes.
Release 4.0.2
-------------
* Bumped the preferred Nginx version to 1.4.1 because of a critical
Nginx security vulnerability, CVE-2013-2028. Users are advised to
upgrade immediately.
Release 4.0.1
-------------
* Fixed a crasher bug in the Deployment Error Resistance feature.
* Fixed a bug in PassengerDefaultUser and PassengerDefaultGroup.
* Fixed a bug which could cause application processes to exit before
they've finished their request.
* Fixed some small file descriptor leaks.
* Bumped the preferred Nginx version to 1.4.0.
* Editing the Phusion Passenger Standalone Nginx config template
is no longer discouraged.
* Improved documentation.
Release 4.0.0 release candidate 6
---------------------------------
* WebSocket support on Nginx. Requires Nginx >= 1.3.15.
* Improved RVM support.
* Performance optimizations.
* Various bug fixes.
Release 4.0.0 release candidate 5
---------------------------------
* The default config snippet for Apache has changed! It must now contain a
`PassengerDefaultRuby` option. The installer has been updated to output
this option. The `PassengerRuby` option still exists, but it's only used
for configuring different Ruby interpreters in different contexts. Please
refer to the manual for more information.
* We now provide GPG digital signatures for all file releases by Phusion.
More information can be found in the manual.
* `passenger-status` now displays process memory usage and time when it
was last used. The latter fixes issue #853.
* Exceptions in Rack application objects are now caught to prevent
application processes from exiting.
* The `passenger-config` tool now supports the `--ruby-command` argument,
which helps the user with figuring out the correct Ruby command to use
in case s/he wants to use multiple Ruby interpreters. The manual has
also been updated to mention this tool.
* Fixed streaming responses on Apache.
* Worked around an OS X Unix domain socket bug. Fixes issue #854.
* Out-of-Band Garbage Collection now works properly when the application
has disabled garbage collection. Fixes issue #859.
* Fixed support for /usr/bin/python on OS X. Fixes issue #855.
* Fixed looping-without-sleeping in the ApplicationPool garbage collector
if PassengerPoolIdleTime is set to 0. Fixes issue #858.
* Fixed some process memory usage measurement bugs.
* Fixed process memory usage measurement on NetBSD. Fixes issue #736.
* Fixed a file descriptor leak in the Out-of-Band Work feature. Fixes issue #864.
* The PassengerPreStart helper script now uses the default Ruby
interpreter specified in the web server configuration, and no longer
requires a `ruby` command to be in `$PATH`.
* Updated preferred PCRE version to 8.32.
* Worked around some RVM bugs.
* The ngx_http_stub_status_module is now enabled by default.
* Performance optimizations.
Release 4.0.0 release candidate 4
---------------------------------
* Fixed compilation on systems where /tmp is mounted noexec.
* Fixed some memory corruption bugs.
* Improved debugging messages.
* Phusion Passenger Standalone now sets underscores_in_headers.
Fixes issue #708.
* Fixed some process spawning compatibility problems, as
reported in issue #842.
* The Python WSGI loader now correctly shuts down client sockets
even when there are child processes that keep the socket open.
* A new configuration option PassengerPython (Apache) and
passenger_python (Nginx) has been added so that users can
customize the Python interpreter on a per-application basis.
Fixes issue #852.
* The Apache module now supports file uploads larger than 2 GB
when on 32-bit systems. Fixes issue #838.
* The Nginx version now supports the `passenger_temp_dir` option.
* Environment variables set in the Nginx configuration file
(through the `env` config option) are now correctly passed to
all application processes. Fixes issue #371.
* Fixed support for RVM mixed mode installations. Fixes issue #828.
* Phusion Passenger now outputs the Date HTTP header in case the
application didn't already do that (and was violating the HTTP spec).
Fixes issue #485.
* Phusion Passenger now checks whether /dev/urandom isn't broken.
Fixes issue #516.
Release 3.9.5 (4.0.0 release candidate 3)
-----------------------------------------
* Fixed Rake autodetection.
Release 3.9.4 (4.0.0 release candidate 2)
-----------------------------------------
* More bug fixes.
* More documentation updates.
* Better crash diagnostics.
Release 3.9.3 (4.0.0 release candidate 1)
-----------------------------------------
* The Nginx version now supports the `passenger_app_root` configuration option.
* The Enterprise memory limiting feature has been extended to work with non-Ruby applications as well.
* Application processes that have been killed are now automatically detected within 5 seconds. Previously Phusion Passenger needed to send a request to the process before detecting that it's gone. This change means that when you kill a process by sending it a signal, Phusion Passenger will automatically respawn it within 5 seconds (provided that the process limit settings allow respawning).
* Phusion Passenger Standalone's HTTP client body limit has been raised from 50 MB to 1 GB.
* Python 3 support has been added.
* The build system has been made compatible with JRuby and Ruby 2.0.
* The installers now print a lot more information about detected system settings so that the user can see whether something has been wrongly detected.
* Some performance optimizations. These involve further extending the zero-copy architecture, and the use of hash table maps instead of binary tree maps.
* Many potential crasher and freezer bugs have been fixed.
* Error diagnostics have been further improved.
* Many documentation improvements.
Release 3.9.2 (4.0.0 beta 2)
----------------------------
* New feature: JRuby and Rubinius support.
* New feature: Out of Band Work.
* Sending SIGABRT to a Ruby process will now trigger the same behavior
as SIGQUIT - that is, it will print a backtrace. This is necessary
for proper JRuby support because JRuby cannot catch SIGQUIT.
* Rolling restarts and deployment error resistance are now also available
in Phusion Passenger Standalone in the Enterprise version.
* System call failure simulation framework.
* Improved crash reporting.
* Many documentation improvements.
* Many bug fixes.
Release 3.9.1 (4.0.0 beta 1)
----------------------------
This is the first beta of Phusion Passenger 4. The changes are numerous.
* Support for multiple Ruby versions.
* The internals now use evented I/O.
* Real-time response buffering.
* Improved zero-copy architecture.
* Rewritten ApplicationPool and process spawning subsystem.
* Multithreading within Ruby apps (Phusion Passenger Enterprise only).
* Python WSGI support lifted to "beta" status.
* More protection against stuck processes.
* Automatically picks up environment variables from your bashrc.
* Allows setting environment variables directly in Apache.
* Automatic asset pipeline support in Standalone.
* Deleting restart.txt no longer triggers a restart.
* More stable Union Station support.
* Many internal robustness improvements.
* Better relocatability without wasting space.
Release 3.0.21
--------------
* Rebootstrapped the libev configure to fix compilation problems on Solaris 11.
* Fixed support for RVM mixed mode installations. Fixes issue #828.
* Fixed encoding problems in Phusion Passenger Standalone.
* Changed preferred Nginx version to 1.2.9.
* Catch exceptions raised by Rack application objects.
* Fix for CVE-2013-2119. Details can be found in the announcement for version 4.0.5.
* Version 3.0.20 was pulled because its fixes were incomplete.
Release 3.0.19
--------------
* Nginx security fix: do not display Nginx version when
server_tokens are off.
* Fixed compilation problems on some systems.
* Fixed some Union Station-related bugs.
Release 3.0.18
--------------
* Fixed compilation problems on Fedora 17.
* Fixed Union Station compatibility with Rails 3.2.
* Phusion Passenger Enterprise Standalone now supports rolling
restarts and deployment error resistance.
Release 3.0.17
--------------
* Fixed a Ruby 1.9 encoding-related bug in the memory measurer.
(Phusion Passenger Enterprise)
* Fixed OOM adjustment bugs on Linux.
* Fixed compilation problems on Fedora 18 and 19.
* Fixed compilation problems on SunOS.
* Fixed compilation problems on AIX. Contribution by Perry Smith.
* Fixed various compilation warnings.
* Upgraded preferred Nginx version to 1.2.3.
3.0.16 was an unofficial hotfix release, and so its announcement had been skipped.
Release 3.0.15
--------------
* Updated documentation.
* Updated website links.
Release 3.0.14
--------------
* [Apache] Fixed a long-standing mod_rewrite-related problem.
Some mod_rewrite rules would not work, but it depends on the exact
mod_rewrite configuration so it would work for some people but not
for others. Issue #563. Thanks a lot to cedricmaion for providing
information on the nature of the bug and to peter.nash55 for
providing a VM that allowed us to reproduce the problem.
* [Nginx] Preferred Nginx version upgraded to 1.2.2.
The previously preferred version was 1.2.1.
* Cleared some confusing terminology in the documentation.
* Fixed some Ruby 1.9 encoding problems.
Release 3.0.13
--------------
* [Nginx] Preferred Nginx version upgraded to 1.2.1.
* Fixed compilation problems on FreeBSD 6.4. Fixes issue #766.
* Fixed compilation problems on GCC >= 4.6.
* Fixed compilation problems on OpenIndiana and Solaris 11. Fixes issue #742.
* Union Station-related bug fixes.
* Sending the soft termination signal twice to application processes no longer makes them crash. Patch contributed by Ian Ehlert.
Release 3.0.12
--------------
* [Apache] Support Apache 2.4. The event MPM is now also supported.
* [Nginx] Preferred Nginx version upgraded to 1.0.15.
* [Nginx] Preferred PCRE version upgraded to 8.30.
* [Nginx] Fixed compatibility with Nginx < 1.0.10.
* [Nginx] Nginx is now installed with http_gzip_static_module by default.
* [Nginx] Fixed a memory disclosure security problem.
The issue is documented at http://www.nginx.org/en/security_advisories.html
and affects more modules than just Phusion Passenger. Users are advised
to upgrade as soon as possible. Patch submitted by Gregory Potamianos.
* [Nginx] passenger_show_version_in_header now hides the Phusion Passenger version number from the 'Server:' header too.
Patch submitted by Gregory Potamianos.
* Fixed a /proc deprecation warning on Linux kernel >= 3.0.
Release 3.0.11
--------------
* Fixed a compilation problem on platforms without alloca.h, such as FreeBSD 7.
* Improved performance and solved some warnings on Xen systems by compiling
with `-mno-tls-direct-seg-refs`. Patch contributed by Michał Pokrywka.
Release 3.0.10
--------------
* [Nginx] Dropped support for Nginx versions older than 1.0.0
* [Nginx] Fixed support for Nginx 1.1.4+
* [Nginx, Standalone] Upgraded default Nginx version to 1.0.10
The previously default version was 1.0.5.
* [Nginx] New option passenger_max_requests
This is equivalent to the PassengerMaxRequests option in the Apache
version: Phusion Passenger will automatically shut down a worker process
once it has processed the specified number of requests.
Contributed by Paul Kmiec.
* [Apache] New option PassengerBufferResponse
The Apache version did not buffer responses. This could block the Ruby
worker process in case of slow clients. We now enable response buffering
by default. It can be turned off through this option. Feature contributed
by Ryo Onodera.
* Fixed remaining Ruby 1.9.3 compatibility problems
We already supported Ruby 1.9.3 since 3.0.8, but due to bugs in Ruby
1.9.3's build system Phusion Passenger would fail to detect Ruby 1.9.3
features on some systems. Fixes issue #714.
* Fixed a bug in PassengerPreStart
A regression was introduced in 3.0.8, causing the prespawn script to
connect to the host name instead of to 127.0.0.1. Fix contributed by
Andy Allan.
* Fixed compatibility with GCC 4.6
Affected systems include Ubuntu 11.10.
* Fixed various compilation problems.
* Fixed some Ruby 1.9 encoding problems.
* Fixed some Ruby 1.9.3 deprecation warnings.
Release 3.0.9
-------------
* [Nginx] Fixed a NULL pointer crash that occurs on HTTP/1.0 requests
when the Host header isn't given.
* Fixed deprecation warnings on RubyGems >= 1.6.
* Improved Union Station support stability.
Release 3.0.8
-------------
* [Nginx] Upgraded preferred Nginx version to 1.0.5.
* [Nginx] Fixed various compilation problems on various platforms.
* [Nginx] We now ensure that SERVER_NAME is equal to HTTP_HOST without the port part.
This is needed for Rack compliance. By default Nginx sets SERVER_NAME to
whatever is specified in the server_name directive, but that's not necessarily
the correct value. This fixes, for example, the use of the 'map' statement
in config.ru.
* [Nginx] Added the options passenger_buffer_size, passenger_buffers and passenger_busy_buffers_size.
These options are similar to proxy_module's similarly named options. You can
use these to e.g. increase the maximum header size limit.
* [Nginx] passenger_pre_start now supports virtual hosts that listen on Unix domain sockets.
* [Apache] Fixed the pcre.h compilation problem.
* [Standalone] Fixed 'passenger stop'.
It didn't work properly because it kept waiting for 'tail' to exit.
We now properly terminate 'tail' as well.
* Fixed compatibility with Rake 0.9.
* Fixed various Ruby 1.9 compatibility issues.
* Various documentation improvements.
* New Union Station filter language features.
It now supports status codes and response times.
Please refer to https://engage.unionstationapp.com/help#filtering
for more information.
Release 3.0.7
-------------
* Fixed a bug in passenger-install-apache2-module. It could crash on
some systems due to a typo in the code.
* Upgraded preferred Nginx version to 1.0.0.
* Phusion Passenger Standalone now pre-starts application processes
at startup instead of doing that at the first request.
* When sending data to Union Station, the HTTP status code is now also
logged.
* Various Union Station-related stability improvements.
* The Linux OOM killer was previously erroneously disabled for all
Phusion Passenger processes, including application processes. The
intention was to only disable it for the Watchdog. This has been
fixed, and the Watchdog is now the only process for which the OOM
killer is disabled.
* Fixed some compilation problems on OpenBSD.
* Due to a typo, the dependency on file-tail was not entirely removed
in 3.0.6. This has now been fixed.
Release 3.0.6
-------------
* Fixed various compilation problems such as XCode 4 support and OpenBSD support.
* Fixed various Union Station-related stability issues.
* Fixed an issue with host name detection on certain platforms.
* Improved error logging in various parts.
* The dependency on the file-tail library has been removed.
* During installation, check whether /tmp is mounted with 'noexec'.
Phusion Passenger's installer relies on /tmp *not* being mounted
with 'noexec'. If it is then the installer will now show a helpful
error message instead of bailing out in a confusing manner. Users
can now tell the installer to use a different directory for storing
temporary files by customizing the $TMPDIR environment variable.
* Phusion Passenger Standalone can now run Rackup files that are not named 'config.ru'.
The filename can be passed through the command line using the -R option.
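Added example, not the installer's own code: one way to make the 'noexec' check from the 3.0.6 entry on Linux is to read the mount table, shown here in Ruby against a constructed /proc/mounts-style sample. The function names, the sample table and the candidate directories are assumptions made for illustration.

```ruby
# Constructed sample in /proc/mounts format (device, mount point, type, options).
SAMPLE_MOUNTS = <<~'MOUNTS'
  /dev/sda1 / ext4 rw,relatime 0 0
  tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
  /dev/sdb1 /var/build\040area ext4 rw,nosuid 0 0
MOUNTS

# /proc/mounts writes space, tab, newline and backslash as octal escapes.
def unescape_mount_field(field)
  field.gsub(/\\([0-7]{3})/) { Regexp.last_match(1).to_i(8).chr }
end

# Returns [mount_point, options] for the filesystem that holds +dir+, or nil.
def mount_for(dir, mounts_text)
  best = nil
  mounts_text.each_line do |line|
    _dev, point, _type, opts = line.split(' ')
    next if opts.nil?
    point = unescape_mount_field(point)
    # Match whole path components only, so /tmpfoo is not treated as /tmp.
    prefix = point == '/' ? '/' : point + '/'
    next unless dir == point || dir.start_with?(prefix)
    # The longest mount point wins; on a tie the later line wins, because
    # a later mount on the same point shadows the earlier one.
    best = [point, opts.split(',')] if best.nil? || point.length >= best[0].length
  end
  best
end

# True when +dir+ lives on a filesystem mounted with 'noexec'.
def noexec?(dir, mounts_text)
  mount = mount_for(dir, mounts_text)
  !mount.nil? && mount[1].include?('noexec')
end

# First candidate temp directory that allows execution, e.g. the value of
# $TMPDIR followed by /tmp. Returns nil when every candidate is noexec.
def usable_tmpdir(candidates, mounts_text)
  candidates.compact.find { |dir| !noexec?(dir, mounts_text) }
end
```

On a real system the second argument would be `File.read('/proc/mounts')` and the candidates `[ENV['TMPDIR'], '/tmp']`.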
Release 3.0.5
-------------
* [Apache] Fixed Union Station process statistics collection
Union Station users that are using Apache may notice that no process
information shows up in Union Station. This is because of a bug in
Phusion Passenger's Apache version, which has now been fixed.
* [Apache] PassengerAnalytics has been renamed to UnionStationSupport
This option has been renamed for consistency reasons.
* [Nginx] passenger_analytics has been renamed to union_station_support
This option has been renamed for consistency reasons.
* Fixed Union Station data sending on older libcurl versions
Some Union Station users have reported that their data don't show up.
Upon investigation this turned out to be a compatibility problem with older
libcurl versions. Affected systems include all RHEL 5 based systems,
such as RHEL 5.5 and CentOS 5.5. We've now fixed compatibility
with older libcurl versions.
* Added support for the Union Station filter language
This language can be used to limit the kind of data that's sent to
Union Station. Please read
https://engage.unionstationapp.com/help#filtering for details.
* Fixed a PassengerMaxPoolSize/passenger_max_pool_size violation bug
People who host a lot of different applications on Phusion Passenger
may notice that it sometimes spawns more processes than is allowed
by PassengerMaxPoolSize/passenger_max_pool_size. This has been fixed.
Release 3.0.4
-------------
* [Apache] Changed mod_dir workaround hook priority
Phusion Passenger temporarily disables mod_dir on all Phusion
Passenger-handled requests in order to avoid conflicts. In order to do this
it registers some Apache hooks with the APR_HOOK_MIDDLE priority, but it
turned out that this breaks some other modules like mod_python. The hook
priority has been changed to APR_HOOK_LAST to match mod_dir's hook
priorities. Issue reported by Jay Freeman.
* Added support for Union Station: http://www.unionstationapp.com/
* Some error messages have been improved.
Release 3.0.3
-------------
* [Nginx] Preferred Nginx version upgraded to 0.8.54
The previous preferred version was 0.8.53.
* PATH_INFO and REQUEST_URI now contain the original escaped URI
Phusion Passenger passes the URI, as reported by Apache/Nginx, to
application processes through the PATH_INFO and REQUEST_URI variables.
These variables are supposed to contain the original, escaped URI, e.g.
/clubs/%C3%BC. Both Apache and Nginx thought that it would be a good idea
to unescape the URI before passing it to modules like Phusion Passenger,
thereby causing PATH_INFO and REQUEST_URI to contain the unescaped URI,
e.g. /clubs/ü. This causes all sorts of encoding problems. We now manually
re-escape the URI when setting PATH_INFO and REQUEST_URI. Issue #404.
* The installer no longer detects directories as potential commands
Previously the installer would look in $PATH for everything that's
executable, including directories. If one has /usr/lib in $PATH
and a directory /usr/lib/gcc exists then the installer would recognize
/usr/lib/gcc as the compiler. We now explicitly check whether the item
is also a file.
* PseudoIO now responds to #to_io
Phusion Passenger sets STDERR to a PseudoIO object in order to capture
anything written to STDERR during application startup. This breaks
some libraries which expect STDERR to respond to #to_io. This has now
been fixed. Issue #607.
* Fixed various other minor bugs
See the git commit log for details.
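Added example, not code from Phusion Passenger's installer: the $PATH lookup pitfall from the 3.0.3 entry "The installer no longer detects directories as potential commands", reproduced in Ruby on a constructed directory layout. The function names and the layout are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Lookup as described for the old behaviour: anything executable counts.
# Directories normally carry the execute (search) bit, so they match too.
def find_command_naive(name, path = ENV['PATH'])
  path.to_s.split(File::PATH_SEPARATOR).each do |dir|
    candidate = File.join(dir, name)
    return candidate if File.executable?(candidate)
  end
  nil
end

# Corrected lookup: the candidate must be a regular file and executable.
def find_command(name, path = ENV['PATH'])
  path.to_s.split(File::PATH_SEPARATOR).each do |dir|
    # An empty $PATH entry means "current directory" to the shell;
    # skip it here instead of searching the working directory.
    next if dir.empty?
    candidate = File.join(dir, name)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Constructed layout mirroring the /usr/lib/gcc case: <root>/lib/gcc is a
# directory, <root>/bin/gcc is a real executable, and lib precedes bin
# in the search path.
def demo_lookup
  Dir.mktmpdir do |root|
    lib = File.join(root, 'lib')
    bin = File.join(root, 'bin')
    FileUtils.mkdir_p(File.join(lib, 'gcc'))
    FileUtils.mkdir_p(bin)
    real = File.join(bin, 'gcc')
    File.write(real, "#!/bin/sh\nexit 0\n")
    File.chmod(0o755, real)
    path = [lib, bin].join(File::PATH_SEPARATOR)
    { naive: find_command_naive('gcc', path).sub(root, ''),
      fixed: find_command('gcc', path).sub(root, '') }
  end
end
```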
Release 3.0.2
-------------
* [Nginx] Fixed compilation problems
The Nginx compilation process was broken due to not correctly reverting
the working directory of the Nginx configure script. This has been fixed:
issue #595.
* [Nginx] Fixed crash if passenger_root refers to a nonexistent directory
Issue #599.
* Fixed compilation problems on NetBSD
There was a typo in a NetBSD-specific fcntl() call. It also turns out that
NetBSD doesn't support some ISO C99 math functions like llroundl(); this
has been worked around by using other functions. Issue #593.
* Fixed file descriptor closing issues on FreeBSD
Phusion Passenger child processes didn't correctly close file descriptors
on FreeBSD because it queries /dev/fd to do that. On FreeBSD /dev/fd
only returns meaningful results if fdescfs is mounted, which it isn't
by default. Issue #597.
Release 3.0.1
-------------
* MUCH faster compilation
We've applied code aggregation techniques, allowing Phusion Passenger
to be compiled much quicker now. For example, compiling the Nginx
component (not Nginx itself) on a MacBook Pro now takes only 29
seconds instead of 51 seconds, an improvement of 75%! Compiling the
Apache module on a slower Dell Inspiron now takes 39 seconds instead of
1 minute 22 seconds, or 110% faster!
* Fixed malfunction after web server restart
On Linux systems that have a non-standard filesystem on /tmp, Phusion
Passenger could malfunction after restarting the web server because of
a bug that's only triggered on certain filesystems. Issue #569.
* Boost upgraded to version 1.44.0.
We were on 1.42.0.
* Much improved startup error messages
Phusion Passenger performs many extensive checks during startup to ensure
integrity. However, the error messages in some situations could be vague.
These startup error messages have now been improved dramatically, so that
if something goes wrong during startup you will now more likely know why.
* Curl < 7.12.1 is now supported
The previous version fails to compile with Curl versions earlier than
7.12.1. Issue #556.
* passenger-make-enterprisey fixed
This is the command that people can run after donating. It allows people
to slightly modify Phusion Passenger's display name as a joke. In 3.0.0 it
was broken because of a typo. This has been fixed.
* Removed passenger-stress-test
This tool was used during the early life of Phusion Passenger for stress
testing websites. Its performance has never been very good and there are
much better tools for stress testing, so this tool has now been removed.
* [Apache] RailsEnv and RackEnv configuration options are now equivalent
In previous versions, RailsEnv only had effect on Rails 1 and Rails 2 apps
while RackEnv only had effect on Rack apps. Because Rails 3 apps are
considered Rack apps, setting RailsEnv had no effect on Rails 3 apps.
Because this is confusing to users, we've now made RailsEnv and RackEnv
equivalent. Issue #579.
* [Nginx] Fixed compilation problems on systems with less powerful shells
Most notably Solaris. Its default shell does not support some basic
constructs that we used in the Nginx configure script.
* [Nginx] Upgraded default Nginx version to 0.8.53
The previous default was 0.8.52.
* [Nginx] passenger_enabled now only accepts 'on' or 'off' values
Previously it would recognize any value not equal to 'on' as meaning
'off'. This caused confusion among users who thought they could also
specify 'true', so we now throw a proper error if the value is
unrecognized. Fixes issue #583.
Release 3.0.0
-------------
This is a major release with many changes. Please read our blog for details.
Release 2.2.15
--------------
* [Apache] Fixed incorrect temp dir cleanup by passenger-status
On some systems, running passenger-status could print the following
message:
*** Cleaning stale folder /tmp/passenger.1234
...after which Phusion Passenger breaks because that directory is
necessary for it to function properly. The cause of this problem
has been found and has been fixed.
* [Apache] Fixed some upload handling problems
Previous versions of Phusion Passenger check whether the size of
the received upload data matches the contents of the Content-Length
header as received from the client. It turns out that there could
be a mismatch e.g. because of mod_deflate input compression, so
we can't trust Content-Length anyway and we're being too strict.
The check has now been removed.
* [Nginx] Fixed compilation issues with Nginx >= 0.7.66
Thanks to Potamianos Gregory for reporting this issue. Issue #500.
* [Nginx] Default Nginx version changed to 0.7.67
The previous default version was 0.7.65.
* Fixed more Bundler problems
Previous versions of Phusion Passenger would preload some popular
libraries such as mysql and sqlite3 in order to utilize copy-on-write
optimizations better. However this behavior conflicts with Bundler
so we've removed it.
Release 2.2.14
--------------
* Added support for Rubinius
Patch contributed by Evan Phoenix.
* Fixed a mistake in the SIGQUIT backtrace message.
Patch contributed by Christoffer Sawicki.
* [Nginx] Fix a localtime() crash on FreeBSD
This was caused by insufficient stack space for threads. Issue #499.
Release 2.2.13
--------------
* Fixed some Rails 3 compatibility issues that were recently introduced.
* Fixed a typo that causes config/setup_load_paths.rb not to be loaded
correctly.
Release 2.2.12
--------------
* Improved Bundler support.
Previous versions might not be able to correctly load gems bundled
by Bundler. We've also documented how our Bundler support works and
how to override our support if you need special behavior.
Please refer to the Phusion Passenger Users Guide, section
"Bundler support".
* Worked around some user account handling bugs in Ruby. Issue #192.
* Fixed some Ruby 1.9 tempfile.rb compatibility problems.
* Fixed some compilation problems on some ARM Linux platforms.
* [Apache] Suppress bogus mod_xsendfile-related error messages.
When mod_xsendfile is being used, Phusion Passenger might print
bogus error messages like "EPIPE" or "Apache stopped forwarding
the backend's response" to the log file. These messages are
normal, are harmless and can be safely ignored, but they pollute
the log file. So in this release we've added code to suppress
these messages when mod_xsendfile is being used. Issue #474.
* [Nginx] Fixed "passenger_user_switching off" permission problems
If Nginx is running as root and passenger_user_switching is turned
off, then Phusion Passenger would fail to initialize because of
a permission problem. This has been fixed. Issue #458.
* [Nginx] Nginx >= 0.8.38 is now supported.
Thanks to Sergey A. Osokin for reporting the problem.
* [Nginx] passenger-install-nginx-module upgraded
It now defaults to installing Nginx 0.7.65 instead of 0.7.64.
Release 2.2.11
--------------
* This release fixes a regression that appeared in 2.2.10 which only
affects Apache. When under high load, Apache might freeze and stop
responding to requests. It is caused by a race condition which is
why it escaped our last release testing.
This problem does not affect Nginx; you only have to upgrade if
you're using Apache.
http://groups.google.com/group/phusion-passenger/t/d5bb2f17c8446ea0
Release 2.2.10
--------------
* Fixed some Bundler compatibility problems.
* Fixed some file descriptor passing problems, which previously
could lead to mysterious crashes.
* Fixed some compilation problems on newer GCC versions. Issue #430.
* Support #size method in rack.input.
Release 2.2.9
-------------
* Fixed compatibility with Rails 3.
Actually, previous Phusion Passenger releases were already compatible
with Rails 3, depending on the spawn method that would be invoked. Here's
the story:
Since Phusion Passenger 2.2.8, when the file config.ru exists, Phusion
Passenger will treat the app as a Rack app, not as a Rails app. This is
in contrast to earlier versions which gave Rails detection more priority
than Rack detection. Phusion Passenger loads Rack apps and Rails apps in
different ways. The Rails loader was not compatible with Rails 3, which
is what we've fixed in this release.