Changelog for ruby2.5-rubygem-passenger-5.0.18-lp151.12.12.1.x86_64.rpm:
* Fri Jun 15 2018 mschnitzer@suse.com
- Add CVE-2018-12029.patch (CVE-2018-12029, bsc#1097663): CHMOD race vulnerability.
  The file system access race condition allows for local privilege escalation and affects the Nginx module for Passenger versions 5.3.1, all the way back to 3.0.0 (the chown command entered the code in 2010).
- Add series file to handle patches with quilt
* Wed Jan 03 2018 schubi@suse.de
- If Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml. (CVE-2017-16355; bnc#1073255)
* Thu Nov 23 2017 schubi@suse.de
- Introduces a new check that logs a vulnerability warning if Passenger is run with root permissions while the directory permissions of (parts of) its root dir allow modifications by non-root users. Patch: warning_weak_root_directory_permissions.patch (CVE-2017-1000384, bnc#1068874)
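The condition this warning is about (a root-run daemon whose root directory, or any parent of it, can be modified by a non-root user) is something an administrator can audit independently of Passenger. The script below is an added example written for this changelog page; it is not Passenger's code and not the content of warning_weak_root_directory_permissions.patch. It walks from a directory up to / and reports every component that is not owned by root, is world-writable, or is writable by a non-root group. The names weak_reasons, live_stat, audit_chain and sample_findings, and the SAMPLE_TREE stat data, are constructed for the example.

```ruby
require 'pathname'

# Classify one path component from its st_mode (type bits included) and its
# numeric owner/group. Returns the reasons a non-root user could modify it;
# an empty array means the component looks root-controlled.
def weak_reasons(mode:, uid:, gid:)
  reasons = []
  reasons << "owner uid #{uid} is not root" unless uid.zero?
  if (mode & 0o002).nonzero?
    # A sticky world-writable dir (like /tmp) still lets anyone create new
    # entries, so it is reported too, just labelled differently.
    reasons << ((mode & 0o1000).nonzero? ? 'world-writable (sticky)' : 'world-writable')
  end
  reasons << "writable by non-root group #{gid}" if (mode & 0o020).nonzero? && !gid.zero?
  reasons
end

# Stat a path on the live system without following a final symlink;
# nil if it cannot be stat'ed.
def live_stat(path)
  st = File.lstat(path)
  { mode: st.mode, uid: st.uid, gid: st.gid, symlink: st.symlink? }
rescue SystemCallError
  nil
end

# Walk dir and each of its parents up to "/" and collect [path, reasons] for
# every component that fails the check. stat_for is any callable returning
# the hash shape produced by live_stat, so constructed data can be substituted.
def audit_chain(dir, stat_for: method(:live_stat))
  findings = []
  Pathname.new(dir).ascend do |p|
    st = stat_for.call(p.to_s)
    if st.nil?
      findings << [p.to_s, ['cannot stat']]
      next
    end
    reasons = weak_reasons(mode: st[:mode], uid: st[:uid], gid: st[:gid])
    reasons << 'component is a symlink' if st[:symlink]
    findings << [p.to_s, reasons] unless reasons.empty?
  end
  findings
end

# Constructed stat data (a hypothetical tree, not taken from any real system):
# /srv is group-writable by gid 33 and /srv/app is owned by uid 1000, not root.
SAMPLE_TREE = {
  '/'        => { mode: 0o40755, uid: 0,    gid: 0,    symlink: false },
  '/srv'     => { mode: 0o40775, uid: 0,    gid: 33,   symlink: false },
  '/srv/app' => { mode: 0o40755, uid: 1000, gid: 1000, symlink: false }
}.freeze

def sample_findings
  audit_chain('/srv/app', stat_for: ->(path) { SAMPLE_TREE[path] })
end

if __FILE__ == $PROGRAM_NAME
  # With a directory argument the live filesystem is audited; without one the
  # constructed sample tree is used.
  findings = ARGV[0] ? audit_chain(ARGV[0]) : sample_findings
  findings.each { |path, reasons| puts "#{path}: #{reasons.join(', ')}" }
end
```

Run it as `ruby audit_chain.rb /path/to/passenger/root` to check a real installation; the sample run reports /srv/app (non-root owner) and /srv (group-writable by gid 33), which is exactly the situation in which a non-root user could swap out something under the daemon's root.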
* Wed Dec 14 2016 jmassaguerpla@suse.com
- add a patch for disabling mod_autoindex. Otherwise, with sle12sp2 apache2 shows the error "Access forbidden" (bsc#1015092)
* Mon Nov 30 2015 jmassaguerpla@suse.com
- fix CVE-2015-7519: rubygem-passenger: Passenger is not filtering environment like apache is doing (bnc#956281)
  CVE-2015-7519.patch: contains the fix
* Thu Oct 29 2015 jmassaguerpla@suse.com
- Clean up: remove unneeded files:
  - passenger-4.0.14_missing_includes.patch
  - series
* Thu Sep 10 2015 coolo@suse.com
- updated to version 5.0.18, see installed CHANGELOG
  Release 5.0.18
  -------------
  * Fixes more memory corruption issues in the palloc subsystem.
  * Fixes memory corruption issues in the Passenger core that may occur if the application sets many response headers. The issue was caused by an off-by-one bug.
* Tue Sep 08 2015 coolo@suse.com
- updated to version 5.0.17, see installed CHANGELOG
  Release 5.0.17
  -------------
  * Adds packages for Ubuntu 15.10 "Wily", even though Ubuntu 15.10 hasn't been released yet.
  * Fixes some memory corruption issues in the palloc subsystem. Closes GH-1587.
  * Fixes the Node.js `PhusionPassenger.on('exit')` event. This event worked if you restart the app or detach an application process, but not if you stop Passenger.
  * Fixes support for `passenger_pre_start` URLs that contain very long authentication strings. This was caused by the fact that our Base64 encoder generated unexpected newlines.
  * [Standalone] Improves application prestarting. Application prestarting is now available in combination with the 'builtin' engine, and now works when SSL is used.
* Tue Aug 25 2015 coolo@suse.com
- updated to version 5.0.16, see installed CHANGELOG
  Release 5.0.16
  -------------
  * Allows independent configuration of Union Station gateway address, port and certificate. Closes GH-1543.
  * Supports seek() such that body.rewind works when using Rack middleware that uses Zlib::GzipReader (e.g. for compressed requests). Closes GH-1553.
  * [Apache] Improves detection of Apache configuration file problems. Closes GH-1577.
  * [Enterprise] Fixes installation of the Passenger Enterprise Apache module on Debian Testing.
  * Fixes logging of HTTP response code for Union Station. This regression was introduced by Passenger 5. Closes GH-1581.
  * Adds a new subcommand `passenger-config about support-binaries-dir`.
  * Fixes a regression in the Node.js loader with regard to custom startup files. This bug was introduced in 5.0.14. Closes GH-1557 (again).
  * Fixes a crash when a Ruby application is accessed through a sub-URI and a root virtual host at the same time.
* Wed Aug 12 2015 mrueckert@suse.de
- make sure we set up /{var/,}run/passenger on install
* Wed Aug 12 2015 mrueckert@suse.de
- update to version 5.0.15
  - Support SHA256 digests for the Rails asset pipeline, as used by Sprockets 3.x.
  - Support for JRuby 9.0.0.0. Closes GH-1562.
  - Fixes some bugs in Union Station support, which causes some data (such as controller information and exceptions) to not be logged.
  - The old Users Guides have been deprecated in favor of the [Passenger Library](https://www.phusionpassenger.com/library/). The Users Guides now redirect to appropriate sections in the Passenger Library.
- additional changes in 5.0.14
  - [Standalone] Relative path handling has been improved. In previous versions, relative paths were not handled in a consistent manner. Relative paths are now handled consistently according to the following rules:
    - If a relative path is given via a command line option, then it is relative to the current working directory.
    - If a relative path is given via Passengerfile.json, then it is relative to Passengerfile.json.
    Closes GH-1557.
  - [Standalone] The `--disable-turbocaching` option now works with the Nginx engine.
- additional changes in 5.0.13
  - The `passenger-config restart-app` command now supports the option `--ignore-passenger-not-running`. If this option is given, the command will exit normally instead of exiting with an error, if Passenger is not running. This option is useful in deployments involving Passenger Standalone. In an initial deployment, Passenger Standalone may not yet be running. Passing this option allows you to ignore that issue.
  - SELinux policy issues in the RPMs have been fixed.
  - [Apache] `passenger-config reopen-logs` didn't work on Apache unless you explicitly set `PassengerLogFile`. This has now been fixed.
  - [Standalone] Due to some internal refactorings, the Passenger Standalone Nginx configuration template has changed. If you used a custom Nginx configuration template, please merge our latest changes into it.
- additional changes in 5.0.12
  - [Enterprise] Fixed passenger-irb. It was broken in 5.0.10 because of the change that made using admin commands without sudo possible.
- additional changes in 5.0.11
  - In 5.0.10, admin tools such as `passenger-status` and `passenger-config restart-app` display an authorization error if they are run without sudo, while at the same time Passenger isn't serving any applications. Since this is confusing, they have now been modified to display a more appropriate error message.
  - Fixes a bug in the RPMs that prevent admin tools such as `passenger-status` and `passenger-config restart-app` from working when they are invoked without root privileges.
  - Fixes a bug on OS X that prevent admin tools such as `passenger-status` and `passenger-config restart-app` from detecting Passenger instance directories when they are invoked without root privileges. Closes GH-1535.
  - Fixes a bug that causes Passenger not to work if the HOME environment variable is not set.
  - Fixes compatibility with non-Rails Ruby apps that require the actionview gem. Closes GH-1547.
  - Fixes some non-fatal "permission denied" error that may occasionally occur if user switching is turned off. Closes GH-1541.
  - Relative values for the `pid_file` and `log_file` options in Passengerfile.json are now supported.
  - If Passengerfile.json contains a syntax error, Passenger Standalone now correctly prints an error message instead of crashing.
  - Sending a SIGABRT signal to a Ruby process now properly makes it terminate.
  - The `passenger-config restart-app` command now accepts `.` as parameter, which it will interpret as "restart the app in the current working directory". Closes GH-1386.
  - [Apache] Setting `PassengerLogLevel` no longer redirects Apache's own stderr to that log file. Closes GH-1373.
  - [Standalone] Passenger Standalone's Nginx engine now includes the RealIP module. Closes GH-1389.
  - [Standalone] The `--max-preloader-idle-time` option has been added.
- additional changes in 5.0.10
  - It is now possible to run `passenger-status`, `passenger-config restart-app` and other admin commands without using sudo. When run without sudo, these admin commands will allow you to operate on apps and processes that are owned by the user that invoked the admin command. Closes GH-1392.
  - Fixes a crash introduced in 5.0.9 due to not properly initializing a variable. Closes GH-1530.
  - The `passenger-config reopen-logs` command now works by instructing the Watchdog process to reopen the log file, while instructing the other Passenger processes to re-inherit the log file from the Watchdog instead of trying to reopen the log file on their own. This makes log file reopening more robust. Closes GH-1452.
  - `passenger-config restart-app` no longer leaves the terminal in a state with black background. Closes GH-1526.
  - `passenger-config admin-command` has been renamed to `passenger-config api-call` in order to avoid confusion with any potential admin interfaces that we will introduce in the future.
  - If Union Station support is enabled, process and system metrics weren't being sent correctly to Union Station. This has been fixed.
  - [Enterprise] Fixes the fact that the Passenger Enterprise RPM didn't correctly set SELinux permissions on its own files.
  - [Apache] passenger-install-apache2-module no longer aborts with an error if the Apache configuration file contains errors. Closes GH-1525.
  - [Apache] Fixes a typo that would cause passenger-install-apache2-module to crash on Red Hat and CentOS systems on which the SELinux command line tools are not installed. Closes GH-1527.
- additional changes in 5.0.9
  - The casing of original headers as generated by the application are now preserved, instead of being downcased. This fixes compatibility issues with broken HTTP clients. Closes GH-1436.
  - Internal refactoring: we've replaced libeio with libuv. This makes some of our code simpler. Closes GH-1428.
  - When the passenger-status tool tries to cleanup a stale instance directory, it will no longer abort with an error when it fails to do that. It will now merely print a warning. Fixes [StackOverflow question 30354732](http://stackoverflow.com/questions/30354732/cap-aborted-capistrano-aborts-rails-deploy-while-attempting-to-chown-tmp-p/30357100#30357100).
  - Fixes compilation problems on Solaris.
  - The Ruby handler has been made more robust. Previously, it was possible for applications to corrupt connections by returning incorrect Rack responses. This may cause connections to get stuck. The Rack handler has been hardened to ensure that connections will never get corrupted or stuck. Closes GH-1512.
  - The Ruby handler now closes the Rack response body even when the socket connection is hijacked by the application. The Rack specification is unclear about what to do in this case, and different Ruby app servers do different things. We have found that by closing the body object anyway, we maximize compatibility with existing Rack middlewares and apps, such as Rack::Lock. Background information about this issue can be found at https://github.com/ngauthier/tubesock/issues/10#issuecomment-72539461.
  - Fixes a crash that could occur if some HTTP request headers are present, but have the empty value. Closes GH-1524.
  - Fixes a permission problem that prevents the web server from communicating with Passenger when user switching is off. Closes GH-1520.
  - Fixes a few small one-time memory leaks in the Passenger agent. This wraps up the workitems discovered in valgrind runs on earlier versions.
  - Fixes use of uninitialized metrics. This could happen for a brief moment after spawning.
  - [Apache] If you pass the `--apxs2-path` parameter to `passenger-install-apache2-module`, and the apxs2 path that you specified is not in PATH, then the installer would think that Apache installation is broken. This has been fixed.
  - [Apache] A `Connection: close` header that was used for internal communication between Passenger processes was being leaked to the client, which breaks HTTP keep-alive connections. This has been fixed. Closes GH-1516.
  - [Nginx] The preferred Nginx version is now 1.8.0. It was previously 1.6.3.
  - [Nginx] Passenger now passes to the application the raw URI as sent by the client, as long as Nginx didn't modify the URI (e.g. as part of rewrite rules). This means that escaped slashes (%2F) in the URI now work correctly and out-of-the-box as long as there are no applicable rewrite rules.
  - [Nginx] Fixes the crash that would occur if Nginx is configured to log to syslog. And to prevent log messages from disappearing into a black hole, Passenger will now ask you to set `passenger_log_file` if Nginx is configured to log to syslog. Closes GH-1514.
  - [Standalone] Prevents an existing instance from being shut down if starting a new instance fails.
- additional changes in 5.0.8
  - We now supply Debian 8 and Ubuntu 15.04 packages. Closes GH-1494 and GH-1400.
  - We now supply Red Hat 6, Red Hat 7, CentOS 6 and CentOS 7 packages.
  - We no longer supply Ubuntu 10.04 packages because Ubuntu 10.04 is no longer supported by Canonical.
  - Fixes a Passenger crash (SIGSEGV) that occurs occasionally when out-of-band garbage collection is enabled. Closes GH-1469.
  - Fixes a Passenger crash (SIGSEGV) that occurs occasionally with redirects to relative URLs. Closes GH-1513.
  - Fixes cases when Passenger shuts down more processes than is allowed by the `min_instances` limit. Closes GH-1500.
  - Fixes "Bad Gateway" errors that would occur when an application sets the X-Sendfile or X-Accel-Redirect header, together with a non-empty response body. Closes GH-1498.
  - Fixes the fact that Passenger agent processes don't lower their privilege when user switching is turned off.
  - Fixes autodetection of Apache on Gentoo. Closes GH-1510.
  - Fixes compilation problems on Solaris. Closes GH-1508.
  - [Standalone] Adds the `--pool-idle-time` command line parameter.
  - [Standalone] Adds the `--auto` command line parameter for running non-interactively. This suppresses prompts. Closes GH-1511.
* Mon May 18 2015 mrueckert@suse.de
- update to version 5.0.7
  - Supports changed way of specifying settings for (non-bundled) Meteor apps. Closes GH-1403.
  - Fixes an integer-to-string conversion bug in the code responsible for buffering chunked request bodies. This bug could cause the PassengerAgent to crash due to an exception. Thanks to Marcus Rückert of SUSE for reporting this.
  - Request-specific environment variables are no longer cached. This fixes a number of issues, such as Shibboleth not working properly and conflicts between HTTPS and non-HTTPS virtual hosts. Closes GH-1472.
  - Fixes a memory corruption bug that would be triggered when using `passenger_base_uri`. The memory corruption bug resided in the code for resolving symlinks. Closes GH-1388.
  - Re-introduced signal catchers during shutdown, to allow clean shutdown in Foreman. Closes GH-1454.
  - `passenger-status --show=xml` no longer outputs the non-XML header by default. This fixes a regression as reported in a comment in GH-1136.
  - Passenger now prefers to load Rack and Bundler from RubyGems instead of from `vendor_ruby`. This solves some issues with Rack and Bundler on Debian systems. Closes GH-1480 and GH-1478.
  - The turbocache no longer caches responses that contain the `X-Sendfile` or the `X-Accel-Redirect` header.
  - The preferred Nginx version has been upgraded to 1.6.3.
  - The logging agent no longer aborts with an error if one of the Passenger root directory's parent directories is not world-executable. Closes GH-1487.
  - [Standalone] It is now possible to configure the Ruby, Node.js and Python executable to use in Passenger Standalone through the command line options --ruby, --nodejs and --python. Closes GH-1442.
  - [Standalone] Running `passenger start --engine=builtin --daemonize` would fail with a timeout error. This has been fixed.
  - [Standalone] Running `passenger start --nginx-version=XXX` would crash. This has been fixed. Closes GH-1490.
  - [Apache] Fixed some issues with X-Sendfile. Closes GH-1376.
  - [Apache] If the installer fails to autodetect Apache while the installer is running as a normal user, it will now ask you to give it root privileges. Closes GH-1289.
  - [Apache] The installer now validates your Apache configuration file to check for common problems. The validator can also be accessed separately by running `passenger-config validate-install --validate-apache2`.
  - [Nginx] Introduces the `passenger_read_timeout` option for rare cases when the server needs more than the default 10 minute timeout. Contributed by pkmiec. Closes [GH-PR-34](https://github.com/phusion/passenger/pull/34).
  - [Nginx] The Nginx module now looks for index.html if the path ends in / so that it works intuitively, without needing to use try_files.
  - Fixes wrong memory address display in crash dumps. Thanks to thoughtpolice for pointing it out.
  - Fixes an ugly backtrace that would be shown if an invalid request is made to an application process using the private HTTP interface. Contributed by jbergler. Closes GH-1311.
  - Various documentation improvements. Closes [GH-PR-1332](https://github.com/phusion/passenger/pull/1332), [GH-PR-1354](https://github.com/phusion/passenger/pull/1354), [GH-PR-1216](https://github.com/phusion/passenger/pull/1216), [GH-PR-1385](https://github.com/phusion/passenger/pull/1385), [GH-PR-1302](https://github.com/phusion/passenger/pull/1302).
- drop 3cd918c27e7015d5e60106f4574ea439fc4a16da.patch: included in update
* Thu Apr 16 2015 mrueckert@suse.de
- update to passenger-4.0.50_load_system_passenger_libs.patch: we still had 2 places that tried to load the libraries from the relative path instead of the installed library.
- pull 3cd918c27e7015d5e60106f4574ea439fc4a16da.patch until 5.0.7 is released
* Thu Apr 02 2015 mrueckert@suse.de
- use intree libeio as well. our system copy seems to be broken.
* Thu Apr 02 2015 asn@cryptomilk.org
- Fix temp directory path in mod_passenger.conf
* Tue Mar 31 2015 mrueckert@suse.de
- use intree libev again. according to passenger upstream it is patched with things they need which are not in upstream libev.
* Tue Mar 31 2015 mrueckert@suse.de
- update to version 5.0.6
  - The turbocache no longer caches responses for which the Cache-Control header contains "no-cache". Please note that "no-cache" does not mean "do not cache this response". Instead, it means "any caching servers may only serve the cached response after validating it". Since the turbocache does not support validation, we've chosen to skip caching instead. Coincidentally, this change "fixes" problems with applications that erroneously use "no-cache" as a flag for "do not cache this response". What these applications should actually use is "no-store". We recommend the developers of such applications to change their caching headers in this manner, because even if Passenger doesn't unintentionally cache the response, any intermediate proxies that visitors are behind may still cache the response.
  - Fixes a number of memory leaks. Memory was leaked upon processing a request with multiple headers, upon processing a response with multiple headers, and upon processing a response with Set-Cookie headers. Every time such a request or response was processed, 512 bytes of memory was leaked due to improperly dereferencing relevant memory buffers. Closes GH-1455.
  - Fixes various bugs related to Union Station data collection. Union Station is our upcoming application analytics and performance monitoring SaaS platform. It is opt-in: no data is collected unless you turn the feature on.
  - Fixes a Union Station-related file descriptor leak. Closes GH-1439.
  - Fixes some bugs w.r.t. use of uninitialized memory.
  - More informative error message if a support binary is not found, including a resolution hint. Closes GH-1395.
  - [Apache] `SetEnv` variables are now passed as Rack/CGI/request variables. This was also the case in Passenger 4, but not in Passenger 5.0.0-5.0.5. We've restored the old behavior because the behavior in 5.0.0-5.0.5 breaks certain Apache modules such as Shibboleth. Closes GH-1446.
  - [Standalone] PID and log files now correctly created if user specifies relative path.
* Wed Mar 25 2015 mrueckert@suse.de
- updated to version 5.0.5
  - Fixes various crashes due to use of uninitialized memory. One such crash is documented in GH-1431.
  - Fixes a connection stall in the Apache module. Closes GH-1425.
  - Fixes a potential read-past-buffer bug in string-to-integer conversion routines. Thanks to dcb314 for spotting this. Closes GH-1441.
  - Fixes a compilation problem on Solaris. This problem was caused by the fact that `tm_gmtoff` is not supported on that platform. Closes GH-1435.
  - There is now an API endpoint for force disconnecting a client: `passenger-config admin-command DELETE /server/
    .json`. Closes GH-1246.
  - Fixes some file descriptor leaks. These leaks were caused by the fact that keep-alive connections with application processes were not being closed properly. Closes GH-1439.
  - In order to more easily debug future file descriptor leaks, we've introduced the `PassengerFileDescriptorLogFile` (Apache) and `passenger_file_descriptor_log_file` (Nginx) config options. This allows Passenger to log all file descriptor open/close activity to a specific log file.
  - The `PassengerDebugLogFile` (Apache) and `passenger_debug_log_file` (Nginx) configuration options have been renamed to `PassengerLogFile` and `passenger_log_file`, respectively. The old name is still supported for backward compatibility reasons.
  - [Enterprise] Fixes a bug in Flying Passenger's `--instance-registry-dir` command line parameter. This command line parameter didn't do anything.
  - [Enterprise] The Flying Passenger daemon no longer supports the `--max-preloader-idle-time` config option. This is because the config option never worked. The correct way to set the max preloader idle time is through the Nginx config option, but this was wrongly documented, so the documentation has been fixed.
- adapted several patches
* Tue Mar 17 2015 mrueckert@suse.de
- use new ruby-find-versioned script and make it build on 1.8
* Tue Mar 17 2015 coolo@suse.com
- updated to version 5.0.4
  * Fixes a compilation problem introduced in 5.0.3.
* Tue Feb 10 2015 coolo@suse.com
- updated to version 4.0.59
* Wed Nov 26 2014 adrian@suse.de
- fix default tmp dir in code, matching our default configs
* Tue Nov 25 2014 mrueckert@suse.de
- make it easier to run apps not under wwwrun:www by setting /run/passenger to root:root and 1777.
* Tue Nov 25 2014 mrueckert@suse.de
- update to 4.0.53
  - Upgraded the preferred Nginx version to 1.6.2.
  - Improved RVM gemset autodetection.
  - Fixed some Ruby 2.2 compatibility issues.
- changes in 4.0.52
  - Fixed a null termination bug when autodetecting application types.
  - Node.js apps can now also trigger the inverse port binding mechanism by passing `'/passenger'` as argument. This was introduced in order to be able to support the Hapi.js framework. Please read http://stackoverflow.com/questions/20645231/phusion-passenger-error-http-server-listen-was-called-more-than-once/20645549 for more information regarding Hapi.js support.
  - It is now possible to abort Node.js WebSocket connections upon application restart. Please refer to https://github.com/phusion/passenger/wiki/Phusion-Passenger:-Node.js-tutorial#restarting_apps_that_serve_long_running_connections for more information. Closes GH-1200.
  - Passenger Standalone no longer automatically resolves symlinks in its paths.
  - `passenger-config system-metrics` no longer crashes when the system clock is set to a time in the past. Closes GH-1276.
  - `passenger-status`, `passenger-memory-stats`, `passenger-install-apache2-module` and `passenger-install-nginx-module` no longer output ANSI color codes by default when STDOUT is not a TTY. Closes GH-487.
  - `passenger-install-nginx-module --auto` is now all that's necessary to make it fully non-interactive. It is no longer necessary to provide all the answers through command line parameters. Closes GH-852.
  - Minor contribution by Alessandro Lenzen.
* Thu Nov 20 2014 mrueckert@suse.de
- remove .o files
* Thu Nov 20 2014 mrueckert@suse.de
- it seems we need the buildout part for the agents
* Thu Nov 20 2014 mrueckert@suse.de
- fixed paths to some scripts:
  - added passenger-4.0.50_paths.patch:
    - patch paths to match our configs
  - no longer copy the bin dir to the %{_libdir}/passenger/%{version}
  - copy the agents directory directly without the buildout part in the target directory