- [Nginx] Fixes CVE-2018-12029, a local privilege escalation
vulnerability in the Nginx module that occurs when
`passenger_instance_registry_dir` is configured to a directory
with insufficiently strict permissions.
- Fixes CVE-2018-12026, 12027, and 12028. These are local denial of
service, local information disclosure and local privilege escalation
vulnerabilities that could be exploited by malicious applications or
malicious users on the system.
- Fixes Meteor support in non-bundled mode (regression from 5.3.0).
- Fixes the fact that the error page (which is shown when an app fails
to spawn) sometimes contains unsufficient analysis details about the
app.
- [Apache] Fixes PassengerMaxInstancesPerApp not being respected
(regression from config refactor in 5.2.0).
- [Enterprise, Apache] Fixes PassengerMaxInstances not being respected
(regression from config refactor in 5.2.0).
- [Enterprise] Fixes passenger-irb being unable to connect to an app
process (regression from 5.3.0).
Release 5.3.1
-------------
- Fixes a regression from 5.3.0: a crash that occurs if the user that
an application should run under, does not have a shell configured.
- Fixes a regression from 5.3.0: setting supplementary group IDs
during user switching.
Release 5.3.0
-------------
- Vastly improves spawning error page: quick overview of where the
problem is, and the option to drill down in extensive
troubleshooting information.
- Fuse Panel support: fixes a crash that occurs when you shut down
Passenger right after it fails to connect to Fuse Panel.
- [Nginx] Updates the preferred Nginx version to 1.14.0 (from 1.12.2).
- [Enterprise] Fix licensing proxy warning to refer to
licensing_proxy_url instead of licensing_proxy.
- [Enterprise] Add new `PassengerAppLogFile` (Apache) /
`passenger_app_log_file` (Nginx) config option to specify a file for
app-specific logs.
- Fuse Panel support: fixes a few bugs with handling small log files
and with apps that don't output any messages.
- Python app support: fixes a Python 3 compatibility issue w.r.t.
writing data over the socket.
- macOS support: fixes a crash in the `passenger-config
compile-nginx-engine` command which only occurs on macOS >= 10.13.
- Fixes a small memory corruption issue (dangling pointer) in the
ApplicationPool subsystem.
- Improves support for the $TMPDIR environment variable by removing
leftover hardcoded references to /tmp. Closes GH-2052.
- Updated PCRE version to 8.42 (was: 8.41) across the board.
- Adds an option for dumping the web server config manifest to a given
file: `PassengerDumpConfigManifest` (Apache) /
`passenger_dump_config_manifest` (Nginx). This option is mostly useful
for Passenger developers.
- [Nginx] Fixes support for configurations that have two
`passenger_base_uri` options in a single virtual host, without
corresponding `passenger_app_group_name` and `passenger_app_root`
directives. Closes GH-2043.
- [Enterprise] Improved support for RAM-based pricing on Heroku (now
using officially recommended memory limit reporting via CGROUP).
- (added in CHANGELOG after release) Four new options to connect to
the new Fuse Panel: admin_panel_url, admin_panel_auth_type,
admin_panel_username, admin_panel_password
- Fixes a regression from 5.1.11 that prevented Passenger from
compiling on FreeBSD in some cases.
- Fixes a bounds issue in printing an error message that could occur
in some cases when spawning a child process fails.
- Fixes a regression from 5.2.0 which prevented setting the max pool
idle time to 0.
- Warns if using an incompatible compiler on macOS < 10.13.
- No longer uses Security Framework on macOS 10.13+. This will prevent
further keychain warnings from appropriately compiled Passengers.
- Fixes warning on macOS about /proc/self access (excluded some code
that was intended only for Linux).
- `passenger-install-nginx-module` now downloads the preferred Nginx
version via https.
- [Apache] Fixes a regression from 5.2.0 that caused a crash on
startup when no top-level ServerName is set.
- [Enterprise] Adds support for using RAM-based pricing on Heroku.
(Based on wip/*passenger.)
Phusion Passenger is a web server and application server,
designed to be fast, robust and lightweight. It supports Ruby,
Python, Node.js and Meteor.