CHANGELOG

Next version (not yet released)
-------------------------------

 * [Standalone] Fixes `install-standalone-runtime` command after regression in 5.1.2.
 * Removes unnecessary logging of "No Error" from macOS Security Update Checker.


Release 5.1.2
-------------

 * Improve curl check for passenger-install- scripts to catch (very old) curl versions that won't compile against 5.1+.
 * Fixes remaining false positives (logging) from the new Meteor cluster warning system. Closes GH-1905.
 * Create a private keychain on macOS when the system keychain is defaulted to, this avoids a permissions issue with the system keychain when performing the Security Update Check. This is necessary because the system keychain is the default keychain of daemon users and root on macOS.
 * Improve `passenger-memory-stats` to include JRuby processes that fail to rename as expected. Closes GH-1878.
 * [Standalone] Don't download or compile Nginx when using the builtin engine. Closes GH-1910.
 * [Standalone] Fixes `--nginx-tarball` option of `passenger start` and `passenger-config install-standalone-runtime` (wasn't working). Also verifies that `--nginx-version` is explicitly specified as it should be.


Release 5.1.1
-------------

 * The precompiled version of the PassengerAgent binary (used for e.g. gem installs) now configures (statically linked) libcurl with system keystore, so that the new security update check can successfully validate certs.
 * Fixes some false positives (logging) from the new Node and Meteor cluster warning system. Logging is less repetitive and has extra debug info. Closes GH-1905.
 * Updates the upload-progress module in the Nginx Debian package. The module version that we linked against in 5.1.0 was 0.9.2, but due to a bug in that version the module didn't work.
 * The security update check now reports whether libcurl + SSL backend are statically linked to Passenger, in which case the check also needs to warn about relevant OpenSSL vulnerabilities in the linked library.
 * Increases the allowed line lengths emitted by apps at startup.
 * Adds support for the unary 'not' operator in the Union Station filter language.
 * [Enterprise] Add missing flying-passenger integration mode to security update check. 
 * Fixes support for Rails 5.0.1 Action Cable. Specifically, we now support the `options` argument in the `write_nonblock` method in hijacked Rack IO sockets.
 * [Apache] Introduces a small delay to prevent running the Security Update Checker twice at startup.


Release 5.1.0
--------------

 * Upgrades union_station_hooks_core to version 2.1.2.
 * [Enterprise] When running a Rails app in multithreaded mode, Passenger Enterprise automatically tags Rails logs with the current thread number. This makes it possible to distinguish logs generated by different threads.
 * Fixes permissions issue on Linux when setting OOM score after lowering privileges. Closes GH-1858.
 * [Standalone] Allows raw json envvars in Passengerfile.json. Closes GH-1837.
 * [Standalone] Make the `max_requests` option available on the command line as well. 
 * Fixes unaligned memory access in base64 decoder on platforms that have strict aliasing requirements (non x86/x86_64). Closes GH-1646.
 * Introduces daily Passenger security update check to warn (error log) if there are newer Passenger versions with important security fixes (describing what was discovered, what is affected, which version has the fix).
 * Fixes compilation on Linux when a non-glibc C library is in use. Closes GH-1870.
 * `passenger-install-nginx-module` and the standalone compiler now add the http v2, realip and addition module flags for Nginx (just like the APT/RPM/autobuilder already had). Closes GH-1788. 
 * [Apache] Fixes PassengerShowVersionInHeader option. Thanks to Sebastian Welther for contributing this.
 * Passenger now reports when you try to use Node.js or Meteor clustering, and tries to continue with just a nonfunctional shim in place, so that if your code uses the clustering APIs your app may still work.
 * Updates libev config.sub and config.guess to support newer platforms such as the IBM power 8.
 * Fixes an issue where passenger-config couldn't restart an app if the TMPDIR variable was set to /tmp
 * `passenger-install-apache-module` now suggests the correct apache package on Ubuntu Xenial. Closes GH-1884.
 * [Standalone] The TempDirToucher will now spend most of its time with reduced privileges, except when it's actively touching files. This allows it to be killed when Passenger is quit in most circumstances. Closes GH-1678.
 * Fixes a file overwrite vulnerability caused by a predictable temporary file being written by `passenger-install-nginx-module`. Thanks to Jeremy Evans for reporting this.
 * [Standalone] Fixes starting Passenger as a non-extant user. Closes GH-1849.
 * Improved look of the error pages for failing to spawn an application (development & production mode), and Error ID is now also shown in production mode.
 * [Standalone] Enable ipv6 support by default in builtin nginx. Closes GH-1873.
 * [Nginx] Updates to APT package builder (Debian & Ubuntu) with fix for www-data to root privilege escalation via log file handling (CVE-2016-1247/USN-3114-1).
 * [Nginx] Updates to RPM package builder (CentOS & RHEL) with fix for 1.10.x system nginx package overriding the nginx from the Passenger repo. Closes GH-1895.
 * [Nginx] The preferred Nginx version is now 1.10.2 (previously 1.10.1).
 * RPM pkg builder fix for breaking SELinux change in RHEL 7.3.
 * RPM pkg builder fix for RHEL6/CentOS6 incompatibility and replacement in Passenger.
 * Adds Ubuntu 16.10 "Yakkety" packages.


Release 5.0.30
--------------

 * Changes mbuf block size from 512 to 4096 bytes to better fit modern requests and significantly speed up disk buffering.
 * [Nginx] Fixes PCRE checksum after the preferred version update in 5.0.29 (contributed by: clemensg).
 * [Apache] Fixes buffer limit crash on large file upload (when core disk buffer can't keep up with client for some time), and limits per-client buffer memory usage to 130 KB. Closes GH-1620.
 * Fixes potential hang when an UnseekableSocket gets serialized to json. Closes GH-1838.


Release 5.0.29
--------------

 * Fixes the FreeBSD build breaking due to the `-ldl` flag introduced by the LVE integration patch (5.0.28). Closes GH-1805.
 * Fixes per-application interpreter override (ruby, node, python) being ignored in mass deployment mode. Closes GH-1818.
 * Fixes incomplete refactor from 5.0.27 that could, under specific conditions, lead to a Passenger crash. Closes GH-1794.
 * [Apache] Remove unused code that caused a crash in configurations with thousands of VirtualHost entries. Closes GH-1676.
 * [Nginx] Fixes use of invalid logfile name (memory already released) in backup log redirection code. Possibly related to GH-1774.
 * [Nginx] The preferred Nginx version is now 1.10.1 (previously 1.10.0).
 * [Nginx] The preferred PCRE version is now 8.39 (previously 8.34).
 * [Standalone] Passenger Standalone now supports /dev/stdout and /dev/stderr as log file path (via `--log-file` or Passengerfile.json). This is especially useful in Docker containers. In previous versions logging to those paths did not work, resulting in nothing getting logged at all.
 * Adds Ubuntu 16.04 "Xenial" packages, deprecates Ubuntu 15.10 “Wily” packages (in accordance with LTS support policy).


Release 5.0.28
--------------

 * Finalizes the fix (5.0.26) for the `rails server` command integration to prevent "missing on_event" errors. Closes GH-1768.
 * Fixes missing -fPIC in Nginx dynamic module compilation (5.0.26) on Linux (rewrite of a patch by Andrei Belov). Closes GH-1793.
 * Fixes memory leak that could occur whenever more than 1024 concurrent requests are handled (more likely since the higher concurrency support options from 5.0.24). Closes GH-1797.
 * Integrates with CloudLinux LVE and CageFS (security checks and a new option PassengerLveMinUid). Thanks to Oleksiy Shchukin from CloudLinux Inc. for contributing this.
 * Fixes the Nginx build when the PCRE library is not available (such as when compiling with `--without-http_rewrite_module`). Closes GH-1796.
 * Extends `passenger-memory-stats` filter to show the instance dir toucher too (as well as the core in valgrind debug runs).
 * Changes the default for friendly error pages to "off" unless the environment is set to "development", rather than "on" unless "staging" or "production". Closes GH-1782.
 * [Nginx] The preferred Nginx version is now 1.10.0 (previously 1.8.1).


Release 5.0.27
--------------

 * Fixes encoding issue for Ruby apps that resulted in a 0-byte response body. This occurred when the Ruby native support lib was not used and the app outputted an encoding that doesn't mix with UTF-8 (like UTF-16). Closes GH-1763.
 * Fixes Passenger Core and application processes staying on the Watchdogs OOM score (unkillable) when user switching is set to off. Closes GH-1631.
 * Supports Debian GNU/kFreeBSD build. Based on contribution by stevenc99.
 * Switches a number of places in the Passenger Core over to using the monotonic clock instead of the wallclock for robustness against clock time-stepping.
 * Slightly improves out-of-memory detection in some subroutines.
 * Fixes incomplete libuv upgrade: some build files were not autoregenerated during the upgrade from 1.5.0 to 1.8.0 in the previous release.
 * Warnings about 502 responses that are caused by applications aborting their output while the client is no longer connected (e.g. due to half-close event, reported since 5.0.26) are now reduced to debug level.
 * Fixes automatic compilation of Ruby's native_support library in case Passenger was installed through Debian or RPM packages. Closes GH-1778.
 * Fixes memory leak when buffering large request/response bodies to disk (which happens as soon as the 100 KB memory buffer is full).
 * Fixes crash if an application spawn fails and a non-UTF8 character appears in the spawn output. Closes GH-1601.
 * Updates the `rails server` command integration (from 5.0.25) to prevent "missing on_event" errors. Closes GH-1768. Update: not all required code made it to the release, the final fix is delivered in 5.0.28.
 * [Union Station] Fixes a crash that occurs if all of the following conditions are met: 1) Union Station support is enabled, 2) the client sent at least one header containing the empty string, 3) the application responds with a 4xx or 5xx status. Closes GH-1776.


Release 5.0.26
--------------

 * `passenger-status --show=server` now reports the speed at which new requests are accepted.
 * `passenger-status --show=server` now reports `last_data_send_time` and `last_data_receive_time` which can be used to troubleshoot long-running requests (for example, to see if a websocket heartbeat is stuck).
 * Passenger now reports TCP half-closing events to Node.js and Meteor applications, which allows them to detect request body and WebSocket closes without having to send data to the client.
 * Fixes outputting Content-Length and Transfer-Encoding headers on HEAD requests for Ruby apps. These headers were omitted in previous versions on HEAD requests.
 * Bumps the default socket backlog size from 1024 to 2048.
 * Upgrades libuv to version 1.8.0.
 * When using our RPM packages, system SELinux policy upgrades no longer break the Passenger SELinux policy. Closes GH-1663.
 * [Apache] Fixes compilation against Apache installations which include `-pie` in CFLAGS. Closes GH-1756.
 * [Nginx, Standalone] Bumps default Nginx worker_connections from 1024 to 4096 (effectively 2048 because of internal reverse proxy)
 * [Nginx, Standalone] Introduces the option `core_file_descriptor_ulimit` and `app_file_descriptor_ulimit`, for setting the file descriptor ulimits of the Passenger core and the application, respectively.
 * [Nginx] Passenger can now be [compiled as an Nginx dynamic module](https://www.phusionpassenger.com/library/install/nginx/install_as_nginx_module.html#dynamic-module). Thanks to Ruslan Ermilov from NGINX Inc for contributing this.
 * [Standalone] Prints a warning when an unsupported configuration option in Passengerfile.json is set.
 * [Standalone] Fixes "address already in use" errors when using the builtin engine.
 * [Enterprise] The rolling restart feature now waits until the old process is completely gone (drained its request queue, process exited) before proceeding with rolling restarting the next process. This results in friendlier resource usage during rolling restart.
 * [Union Station] Fixes custom logging time arguments getting overwritten by current time for Ruby apps (so some sub-blocks like "framework request processing" appeared shorter than they were). This could happen since the switch to monotonic clock in 5.0.22.


Release 5.0.25
--------------

 * Integrates into the `rails server` command. Please learn more at [the Passenger + Rails integration documentation](https://www.phusionpassenger.com/library/dev/ruby/rails_integration.html).
 * Adds explicit support for Action Cable. Please learn more at the [Passenger Library](https://www.phusionpassenger.com/library/dev/ruby/rails_integration.html#action_cable).
 * Removes packages for Ubuntu 15.04 Vivid and Debian 6. Ubuntu 15.04 and Debian 6 are still supported, we just don't supply packages for them anymore. If you are an Ubuntu 15.04 or Debian 6 user and you want to use Passenger >= 5.0.25, then please upgrade your distribution, or install Passenger from RubyGems/tarball.
 * Fixes a potential crash due to memory corruption in code for `passenger-config reopen-logs`.
 * Fixes a potential crash in the large (inbound/outbound) file buffering code.
 * Fixes a crash that occurs when using Nginx + HTTPS + Sub-requests. Closes GH-1724.
 * Fixes a crash that occurs when using Nginx + syslog and a logfile for Passenger. Also fixes edge cases where the Nginx logpath would override the Passenger logpath. Closes GH-1514 (again).
 * [Union Station] Fixes a potential crash due to a wrong limit on snprintf (introduced in 5.0.24 by GH-1633). Closes GH-1744.
 * [Union Station] Fixes Union Station Node.js request introspection to allow for application.use method chaining. Closes GH-1745.
 * [Union Station] Fixes information about sinks sometimes missing from `passenger-status --show=union_station`.
 * [Union Station] When one or more Union Station gateways are suffering from technical difficulties, the Union Station support code now tries more quickly to reestablish the connection.
 * [Standalone] Don't reject the value 0 (meaning no limit) for `--max-request-queue-size`. Closes GH-1743.
 * [Standalone] Makes the `--address` option work more reliably if the passed hostname may resolve to multiple addresses. For example, if you pass `--address localhost` then previous versions could fail because Passenger thinks it's an IPv6 address (::1) while Nginx thinks it's an IPv4 address (127.0.0.1). Hostname resolution is now done in a consistent manner.
 * [Standalone] Adds the `--unlimited-concurrency-path` configuration option.
 * [Standalone] Adds IPv6 support to the builtin engine.


Release 5.0.24
--------------

 * Fixes a crash when the new `force_max_concurrent_requests_per_process` option (5.0.22) was used for non-Node.js apps (e.g. Ruby). Closes GH-1720.
 * Fixes Solaris compilation. This was a regression due to the patch for GH-1643 in 5.0.22. Closes GH-1694, GH-1701.
 * Logs for [Union Station](https://www.unionstationapp.com) provide more information about request queueing. Closes GH-1633.
 * Also log HTTP headers to Union Station for HTTP 4xx responses (extends the header logging for HTTP 5xx that was added in 5.0.22)
 * Fixes cases where compilation failure of (optional) native utils was not reported.
 * On Ruby, no longer traps SIGEXIT. This fixes erroneously setting `$ERROR_INFO` in `at_exit` callbacks. Closes GH-1730.
 * Fixes a wrong loop exit condition that could cause a deadlock with 100% CPU usage by Passenger core. Closes GH-1709, GH-1732.
 * Adds `socket_backlog` option to configure the Passenger Core socket backlog. For use with e.g. "Resource temporarily unavailable while connecting to upstream" errors. Closes GH-1726.
 * [Nginx] The preferred Nginx version is now 1.8.1 (previously 1.8.0).
 * [Standalone] Fixes the default value of the `load_shell_envvars` option. It's supposed to be disabled by default, but due to a typo it was enabled by default.


Release 5.0.23
--------------

 * Fixes the request acceptor error handling timeout. When an error occurs while Passenger is accepting a request (for example, when Passenger has run out of file descriptors), Passenger is supposed to wait for 3 seconds before trying again. Because of a typo, Passenger actually waited 3 milliseconds.
 * [Enterprise] Fixed a regression in the Passenger Standalone Nginx config template that breaks the Mass Deployment feature.
 * The mime type for serving static XHTML files is updated. We no longer use the mobile profile, so it is recognized by desktop browsers. Closes GH-1695.
 * Improves error messages about Ruby native support to indicate the optional nature. Passenger is able to operate even without the native support extension, but that wasn't clear enough to some users, causing them to think of the old messages as errors.
 * [Standalone, Nginx] When using the new `abort_websockets_on_process_shutdown` configuration option, Passenger waited for the app to close without signaling it that shutdown was in progress. Node.js apps now get a SIGINT. Closes GH-1702.
 * With friendly error pages off Passenger would still show a trace (referencing only Passenger code) for unusual spawn errors. This has been changed to a generic error message. Closes GH-1704.


Release 5.0.22
--------------

 * Fixes a header collision vulnerability (CVE-2015-7519, medium severity). Note that this fix involves filtering request headers containing underscores. Please see our blog for detailed vulnerability description and advisory. Thanks to the SUSE security team for reporting this issue.
 * [Apache] Fixes compatibility with Apache 2.4.17's mod_autoindex. Fix contributed by Eric Covener. Closes GH-1642.
 * [Standalone] Passenger Standalone now [accepts configuration options from environment variables](https://www.phusionpassenger.com/library/config/standalone/intro.html). This makes using Passenger Standalone significantly easier on Heroku or on systems that follow the 12-factor principle. Closes GH-1661.
 * [Standalone] The Nginx configuration template has been cleaned up. It is now significantly easier to edit the Nginx configuration template without breaking compatibility with future versions.
 * [Standalone] The `passenger start` command now performs a sanity check on the internally generated Nginx configuration file and advises you accordingly when there is a problem.
 * [Standalone] The `passenger status` and `passenger stop` commands now respect Passengerfile.json. Closes GH-1593.
 * [Standalone] Passenger Standalone on Solaris now properly tails the application log file.
 * [Standalone] Fixes a problem with Passenger Standalone's builtin engine exiting at startup when run on Solaris.
 * [Standalone] `passenger start` now accepts the `--envvar` command line option for passing environment variables to the application.
 * [Standalone] `passenger start` now accepts the `--memory-limit` configuration option.
 * [Standalone] `passenger start` now accepts the `--max-request-queue-size` configuration option.
 * [Standalone] `passenger start` now accepts the `--debug-nginx-config` configuration option. This option allows you to view the Nginx configuration file that Passenger Standalone generates internally.
 * [Standalone, Nginx] Introduces a new configuration option: `abort_websockets_on_process_shutdown`. By default, when Passenger shuts down or restarts an application process, it will abort associated Websocket connections. This option allows you to disable that behavior. Closes GH-1686.
 * Introduces a new configuration option: `force_max_concurrent_requests_per_process`. This option is mostly useful for making dynamic process scaling work in Node.js and Meteor apps.
 * Various administration tools, such as `passenger-status`, no longer raise an flock EBADF error on Solaris. Closes GH-1643.
 * The `passenger-config reopen-logs` command, when used in combination with Passenger Standalone and the Nginx engine, now also instructs Nginx to reopen its log files. Closes GH-1674.
 * Fixes Passenger erroneously adding a `Content-Length` or `Transfer-Encoding` header to Ruby HTTP 204 No Content responses. Closes GH-1595.
 * Fixes Union Station logging of Rack response body actions.
 * The `passenger-config restart-app` command, when given `--ignore-app-not-running`, now properly exits with a zero status when one or more applications are running, but none of them belonging to the invoking user. Closes GH-1655.
 * The `passenger-config validate-install` command no longer prints false warnings about duplicate Passenger installs on systems that use RBenv. Closes GH-1627.
 * Fixes race conditions in the automatic building of the Ruby native support extension. Closes GH-1570.
 * [Enterprise] Fixes compatibility with byebug 7.0. Closes GH-1662.
 * Support Union Station logging for Node.js applications, with Express/MongoDB automatically supported. 
 * The Ruby Union Station hooks no longer abort with a fatal error when the application does not call the Union Station initializer method during startup. The error is now only logged.
 * In case of an error response (HTTP 5xx), Union Station logging will also contain request headers.
 * The Union Station hooks are now more resilient against environment variable problems.


Release 5.0.21
--------------

 * Properly handles Ruby applications that output the `Content-Length` and `Transfer-Encoding` headers in non-standard casing, e.g. `Content-length`. Closes GH-1517.
 * Fixes Ruby application loading incompatibilities caused by the use of absolute paths. Closes GH-1596.
 * Fixes OpenSSL detection problems on OS X 10.11 El Capitan. OS X 10.11 no longer includes OpenSSL headers, so Passenger will suggest and use OpenSSL from Homebrew. Closes GH-1630.
 * Introduces the [secure HTTP headers](https://www.phusionpassenger.com/library/indepth/meteor/secure_http_headers.html) feature for Node.js and Meteor apps. This mechanism allows Passenger to send per-request information to the application, while guaranteeing that this information is not spoofed by the client.
 * Per-request Apache environment variables are now passed to Node.js and Meteor apps through the [`!~Passenger-Envvars`](https://www.phusionpassenger.com/library/indepth/nodejs/apache_per_request_envvars.html) secure header.
 * Fixes some unintentional caching of request-specific environment variables. Closes GH-1479.
 * For Node.js applications, Passenger now calls `process.emit('message', 'shutdown')` whenever Passenger shuts down an application process. This is the same hook as used by PM2, allowing applications which use the PM2 graceful shutdown mechanism to be run on Passenger without changes.
 * [Enterprise] Fixes a bug in passenger-irb where printing strings larger than 64 KB would cause it to crash.
 * [Enterprise] Fixes the `passenger-config restart-app` command so that it performs a non-rolling-restart unless `--rolling-restart` is given as command line option, as per the documentation. Previously, `passenger-config restart-app` without `--rolling-restart` would perform a rolling restart if rolling restarts are configured in the configuration file, but this contradicted documented behavior. Closes GH-1634.


Release 5.0.20
--------------

 * Fixes memory management bugs in Union Station support.
 * Improves the error handling in Union Station support.
 * `passenger-config validate-install` now properly handles CR characters in Apache configuration files.


Release 5.0.19
--------------

 * Fixes an encoding crash in `passenger-memory-stats` on OS X in case one or more processes are running on the system with names containing UTF-8 characters. Closes GH-1603.
 * [Ruby] Fixes handling of HTTP 205 responses, which would cause client connections to freeze.
 * Improves Union Station data collection: more Rack I/O events are now logged. The time taken to write out and to close the Rack response body are now logged.
 * Improves Union Station data sending: errors are now logged more clearly, and DNS errors are now handled more robustly.
 * Improves Union Station troubleshooting: errors can now be diagnosed by running `passenger-status --show=union_station`.
 * Refactors the Union Station Ruby hook code. They have been extracted to external gems. However, they are still bundled with Passenger for ease of use.


Release 5.0.18
--------------

 * Fixes more memory corruption issues in the palloc subsystem.
 * Fixes memory corruption issues in the Passenger core that may occur if the application sets many response headers. The issue was caused by an off-by-one bug.


Release 5.0.17
--------------

 * Adds packages for Ubuntu 15.10 "Wily", even though Ubuntu 15.10 hasn't been released yet.
 * Fixes some memory corruption issues in the palloc subsystem. Closes GH-1587.
 * Fixes the Node.js `PhusionPassenger.on('exit')` event. This event worked if you restart the app or detach an application process, but not if you stop Passenger.
 * Fixes support for `passenger_pre_start` URLs that contain very long authentication strings. This was caused by the fact that our Base64 encoder generated unexpected newlines.
 * [Standalone] Improves application prestarting. Application prestarting is now available in combination with the 'builtin' engine, and now works when SSL is used.


Release 5.0.16
--------------

 * Allows independent configuration of Union Station gateway address, port and certificate. Closes GH-1543.
 * Supports seek() such that body.rewind works when using Rack middleware that uses Zlib::GzipReader (e.g. for compressed requests). Closes GH-1553.
 * [Apache] Improves detection of Apache configuration file problems. Closes GH-1577.
 * [Enterprise] Fixes installation of the Passenger Enterprise Apache module on Debian Testing.
 * Fixes logging of HTTP response code for Union Station. This regression was introduced by Passenger 5. Closes GH-1581. 
 * Adds a new subcommand `passenger-config about support-binaries-dir`.
 * Fixes a regression in the Node.js loader with regard to custom startup files. This bug was introduced in 5.0.14. Closes GH-1557 (again).
 * Fixes a crash when a Ruby application is accessed through a sub-URI and a root virtual host at the same time.


Release 5.0.15
--------------

 * Support SHA256 digests for the Rails asset pipeline, as used by Sprockets 3.x.
 * Support for JRuby 9.0.0.0. Closes GH-1562.
 * Fixes some bugs in Union Station support, which causes some data (such as controller information and exceptions) to not be logged.
 * The old Users Guides have been deprecated in favor of the [Passenger Library](https://www.phusionpassenger.com/library/). The Users Guides now redirect to appropriate sections in the Passenger Library.


Release 5.0.14
--------------

 * [Standalone] Relative path handling has been improved. In previous versions, relative paths were not handled in a consistent manner. Relative paths are now handled consistently according to the following rules:

   - If a relative path is given via a command line option, then it is relative to the current working directory.
   - If a relative path is given via Passengerfile.json, then it is relative to Passengerfile.json.

   Closes GH-1557.
 * [Standalone] The `--disable-turbocaching` now works with the Nginx engine.


Release 5.0.13
--------------

 * The `passenger-config restart-app` command now supports the option `--ignore-passenger-not-running`. If this option is given, the command will exit normally instead of exiting with an error, if Passenger is not running. This option is useful in deployments involving Passenger Standalone. In an initial deployment, Passenger Standalone may not yet be running. Passing this option allows you to ignore that issue.
 * SELinux policy issues in the RPMs have been fixed.
 * [Apache] `passenger-config reopen-logs` didn't work on Apache unless you explicitly set `PassengerLogFile`. This has now been fixed.
 * [Standalone] Due to some internal refactorings, the Passenger Standalone Nginx configuration template has changed. If you used a custom Nginx configuration template, please merge our latest changes into it.


Release 5.0.12
--------------

 * [Enterprise] Fixed passenger-irb. It was broken in 5.0.10 because of the change that made using admin commands without sudo possible.


Release 5.0.11
--------------

 * In 5.0.10, admin tools such as `passenger-status` and `passenger-config restart-app` display an authorization error if they are run without sudo, while at the same time Passenger isn't serving any applications. Since this is confusing, they have now been modified to display a more appropriate error message.
 * Fixes a bug in the RPMs that prevent admin tools such as `passenger-status` and `passenger-config restart-app` from working when they are invoked without root privileges.
 * Fixes a bug on OS X that prevent admin tools such as `passenger-status` and `passenger-config restart-app` from detecting Passenger instance directories when they are invoked without root privileges. Closes GH-1535.
 * Fixes a bug that causes Passenger not to work if the HOME environment variable is not set.
 * Fixes compatibility with non-Rails Ruby apps that require the actionview gem. Closes GH-1547.
 * Fixes some non-fatal "permission denied" error that may occasionally occur if user switching is turned off. Closes GH-1541.
 * Relative values for the `pid_file` and `log_file` options in Passengerfile.json are now supported.
 * If Passengerfile.json contains a syntax error, Passenger Standalone now correctly prints an error message instead of crashing.
 * Sending a SIGABRT signal to a Ruby process now properly makes it terminate.
 * The `passenger-config restart-app` command now accepts `.` as parameter, which it will interpreter as "restart the app in the current working directory". Closes GH-1386.
 * [Apache] Setting `PassengerLogLevel` no longer redirects Apache's own stderr to that log file. Closes GH-1373.
 * [Standalone] Passenger Standalone's Nginx engine now includes the RealIP module. Closes GH-1389.
 * [Standalone] The `--max-preloader-idle-time` option has been added.


Release 5.0.10
--------------

 * It is now possible to run `passenger-status`, `passenger-config restart-app` and other admin commands without using sudo. When run without sudo, these admin commands will allow you to operate on apps and processes that are owned by the user that invoked the admin command. Closes GH-1392.
 * Fixes a crash introduces in 5.0.9 due to not properly initializing a variable. Closes GH-1530.
 * The `passenger-config reopen-logs` command now works by instructing the Watchdog process to reopen the log file, while instructing the other Passenger processes to re-inherit the log file from the Watchdog instead of trying to reopen the log file on their own. This makes log file reopening more robust. Closes GH-1452.
 * `passenger-config restart-app` no longer leaves the terminal in a state with black background. Closes GH-1526.
 * `passenger-config admin-command` has been renamed to `passenger-config api-call` in order to avoid confusion with any potential admin interfaces that we will introduce in the future.
 * If Union Station support is enabled, process and system metrics weren't being sent correctly to Union Station. This has been fixed.
 * [Enterprise] Fixes the fact that the Passenger Enterprise RPM didn't correctly set SELinux permissions on its own files.
 * [Apache] passenger-install-apache2-module no longer aborts with an error if the Apache configuration file contains errors. Closes GH-1525.
 * [Apache] Fixes a typo that would cause passenger-install-apache2-module to crash on Red Hat and CentOS systems on which the SELinux command line tools are not installed. Closes GH-1527.


Release 5.0.9
-------------

 * The casing of original headers as generated by the application are now preserved, instead of being downcased. This fixes compatibility issues with broken HTTP clients. Closes GH-1436.
 * Internal refactoring: we've replaced libeio with libuv. This makes some of our code simpler. Closes GH-1428.
 * When the passenger-status tool tries to cleanup a stale instance directory, it will no longer abort with an error when it fails to do that. It will now merely print a warning. Fixes [StackOverflow question 30354732](http://stackoverflow.com/questions/30354732/cap-aborted-capistrano-aborts-rails-deploy-while-attempting-to-chown-tmp-p/30357100#30357100).
 * Fixes compilation problems on Solaris.
 * The Ruby handler has been made more robust. Previously, it was possible for applications to corrupt connections by returning incorrect Rack responses. This may cause connections to get stuck. The Rack handler has been hardened to ensure that connections will never get corrupted or stuck. Closes GH-1512.
 * The Ruby handler now closes the Rack response body even when the socket connection is hijacked by the application. The Rack specification is unclear about what to do in this case, and different Ruby app servers do different things. We have found that by closing the body object anyway, we maximize compatibility with existing Rack middlewares and apps, such as Rack::Lock. Background information about this issue can be found at https://github.com/ngauthier/tubesock/issues/10#issuecomment-72539461.
 * Fixes a crash that could occur if some HTTP request headers are present, but have the empty value. Closes GH-1524.
 * Fixes a permission problem that prevents the web server from communicating with Passenger when user switching is off. Closes GH-1520.
 * Fixes a few small one-time memory leaks in the Passenger agent. This wraps up the workitems discovered in valgrind runs on earlier versions.
 * Fixes use of uninitialized metrics. This could happen for a brief moment after spawning.
 * [Apache] If you pass the `--apxs2-path` parameter to `passenger-install-apache2-module`, and the apxs2 path that you specified is not in PATH, then the installer would think that Apache installation is broken. This has been fixed.
 * [Apache] A `Connection: close` header that was used for internal communication between Passenger processes was being leaked to the client, which breaks HTTP keep-alive connections. This has been fixed. Closes GH-1516.
 * [Nginx] The preferred Nginx version is now 1.8.0. It was previously 1.6.3.
 * [Nginx] Passenger now passes to the application the raw URI as sent by the client, as long as Nginx didn't modify the URI (e.g. as part of rewrite rules). This means that escaped slashes (%2F) in the URI now work correctly and out-of-the-box as long as there are no applicable rewrite rules.
 * [Nginx] Fixes that crash that would occur if Nginx is configured to log to syslog. And to prevent log messages from disappearing into a black hole, Passenger will now ask you to set `passenger_log_file` if Nginx is configured to log to syslog. Closes GH-1514.
 * [Standalone] Prevents an existing instance from being shut down if starting a new instance fails.


Release 5.0.8
-------------

 * We now supply Debian 8 and Ubuntu 15.04 packages. Closes GH-1494 and GH-1400.
 * We now supply Red Hat 6, Red Hat 7, CentOS 6 and CentOS 7 packages.
 * We no longer supply Ubuntu 10.04 packages because Ubuntu 10.04 is no longer supported by Canonical.
 * Fixes a Passenger crash (SIGSEGV) that occurs occasionally when out-of-band garbage collection is enabled. Closes GH-1469.
 * Fixes a Passenger crash (SIGSEGV) that occurs occasionally with redirects to relative URLs. Closes GH-1513.
 * Fixes cases when Passenger shuts down more processes than is allowed by the `min_instances` limit. Closes GH-1500.
 * Fixes "Bad Gateway" errors that would occur when an application sets the X-Sendfile or X-Accel-Redirect header, together with a non-empty response body. Closes GH-1498.
 * Fixes the fact that Passenger agent processes don't lower their privilege when user switching is turned off.
 * Fixes autodetection of Apache on Gentoo. Closes GH-1510.
 * Fixes compilation problems on Solaris. Closes GH-1508.
 * [Standalone] Adds the `--pool-idle-time` command line parameter.
 * [Standalone] Adds the `--auto` command line parameter for running non-interactively. This supresses prompts. Closes GH-1511.


Release 5.0.7
-------------

 * Supports changed way of specifying settings for (non-bundled) Meteor apps. Closes GH-1403.
 * Fixes an integer-to-string conversion bug in the code responsible for buffering chunked request bodies. This bug could cause the PassengerAgent to crash due to an exception. Thanks to Marcus Rückert of SUSE for reporting this.
 * Request-specific environment variables are no longer cached. This fixes a number of issues, such as Shibboleth not working properly and conflicts between HTTPS and non-HTTPS virtual hosts. Closes GH-1472.
 * Fixes a memory corruption bug that would be triggered when using `passenger_base_uri`. The memory corruption bug resided in the code for resolving symlinks. Closes GH-1388.
 * Re-introduced signal catchers during shutdown, to allow clean shutdown in Foreman. Closes GH-1454.
 * `passenger-status --show=xml` no longer outputs the non-XML header by default. This fixes a regression as reported in a comment in GH-1136.
 * Passenger now prefers to load Rack and Bundler from RubyGems instead of from `vendor_ruby`. This solves some issues with Rack and Bundler on Debian systems. Closes GH-1480 and GH-1478.
 * The turbocache no longer caches responses that contain the `X-Sendfile` or the `X-Accel-Redirect` header.
 * The preferred Nginx version has been upgraded to 1.6.3.
 * The logging agent no longer aborts with an error if one of the Passenger root directory's parent directories is not world-executable. Closes GH-1487.
 * [Standalone] It is now possible to configure the Ruby, Node.js and Python executable to use in Passenger Standalone through the command line options --ruby, --nodejs and --python. Closes GH-1442.
 * [Standalone] Running `passenger start --engine=builtin --daemonize` would fail with a timeout error. This has been fixed.
 * [Standalone] Running `passenger start --nginx-version=XXX` would crash. This has been fixed. Closes GH-1490.
 * [Apache] Fixed some issues with X-Sendfile. Closes GH-1376.
 * [Apache] If the installer fails to autodetect Apache while the installer is running as a normal user, it will now ask you to give it root privileges. Closes GH-1289.
 * [Apache] The installer now validates your Apache configuration file to check for common problems. The validator can also be accessed separately by running `passenger-config validate-install --validate-apache2`.
 * [Nginx] Introduces the `passenger_read_timeout` option for rare cases when server needs more than the default 10 minute timeout. Contributed by pkmiec. Closes [GH-PR-34](https://github.com/phusion/passenger/pull/34).
 * [Nginx] The Nginx module now looks for index.html if the path ends in / so that it works intuitively, without needing to use try_files.
 * Fixes wrong memory address display in crash dumps. Thanks to thoughtpolice for pointing it out.
 * Fixes an ugly backtrace that would be shown if an invalid request is made to an application process using the private HTTP interface. Contributed by jbergler. Closes GH-1311.
 * Various documentation improvements. Closes [GH-PR-1332](https://github.com/phusion/passenger/pull/1332), [GH-PR-1354](https://github.com/phusion/passenger/pull/1354), [GH-PR-1216](https://github.com/phusion/passenger/pull/1216), [GH-PR-1385](https://github.com/phusion/passenger/pull/1385), [GH-PR-1302](https://github.com/phusion/passenger/pull/1302).


Release 5.0.6
-------------

 * The turbocache no longer caches responses for which the Cache-Control header contains "no-cache". Please note that "no-cache" does not mean "do not cache this response". Instead, it means "any caching servers may only serve the cached response after validating it". Since the turbocache does not support validation, we've chosen to skip caching instead.

   Coincidentally, this change "fixes" problems with applications that erroneously use "no-cache" as a flag for "do not cache this response". What these applications should actually use is "no-store". We recommend the developers of such applications to change their caching headers in this manner, because even if Passenger doesn't unintentionally cache the response, any intermediate proxies that visitors are behind may still cache the response.
 * Fixes a number of memory leaks. Memory was leaked upon processing a request with multiple headers, upon processing a response with multiple headers, and upon processing a response with Set-Cookie headers. Every time such a request or response was processed, 512 bytes of memory was leaked due to improperly dereferencing relevant memory buffers. Closes GH-1455.
 * Fixes various bugs related to Union Station data collection.

   Union Station is our upcoming application analytics and performance monitoring SaaS platform. It is opt-in: no data is collected unless you turn the feature on.
 * Fixes a Union Station-related file descriptor leak. Closes GH-1439.
 * Fixes some bugs w.r.t. use of uninitialized memory.
 * More informative error message if a support binary is not found, including a resolution hint. Closes GH-1395.
 * [Apache] `SetEnv` variables are now passed as Rack/CGI/request variables. This was also the case in Passenger 4, but not in Passenger 5.0.0-5.0.5. We've restored the old behavior because the behavior in 5.0.0-5.0.5 breaks certain Apache modules such as Shibboleth. Closes GH-1446.
 * [Standalone] PID and log files now correctly created if user specifies relative path.


Release 5.0.5
-------------

 * Fixes various crashes due to use of uninitialized memory. One such crash is documented in GH-1431.
 * Fixes a connection stall in the Apache module. Closes GH-1425.
 * Fixes a potential read-past-buffer bug in string-to-integer conversion routines. Thanks to dcb314 for spotting this. Closes GH-1441.
 * Fixes a compilation problem on Solaris. This problem was caused by the fact that `tm_gmtoff` is not supported on that platform. Closes GH-1435.
 * There is now an API endpoint for force disconnecting a client: `passenger-config admin-command DELETE /server/<client name>.json`. Closes GH-1246.
 * Fixes some file descriptor leaks. These leaks were caused by the fact that keep-alive connections with application processes were not being closed properly. Closes GH-1439.
 * In order to more easily debug future file descriptor leaks, we've introduced the `PassengerFileDescriptorLogFile` (Apache) and `passenger_file_descriptor_log_file` (Nginx) config options. This allows Passenger to log all file descriptor open/close activity to a specific log file.
 * The `PassengerDebugLogFile` (Apache) and `passenger_debug_log_file` (Nginx) configuration options have been renamed to `PassengerLogFile` and `passenger_log_file`, respectively. The old name is support supported for backward compatibility reasons.
 * [Enterprise] Fixes a bug in Flying Passenger's `--instance-registry-dir` command line parameter. This command line parameter didn't do anything.
 * [Enterprise] The Flying Passenger daemon no longer supports the `--max-preloader-idle-time` config option. This is because the config option never worked. The correct way to set the max preloader idle time is through the Nginx config option, but this was wrongly documented, so the documentation has been fixed.


Release 5.0.4
-------------

 * Fixes a compilation problem introduced in 5.0.3.


Release 5.0.3
-------------

 * [Standalone] When using the builtin engine, `passenger start` may crash during startup due to an initialization race condition. This has been fixed.
 * [Enterprise] Fixes a bug in passenger-irb. Running passenger-irb without a PID parameter worked, but running it with a PID parameter didn't.
 * Fixes an integer overflow that resulted in a file descriptor leak and stalled client connections. Closes GH-1412.
 * Truncates Passenger source code paths in logs (to 3 chars) to reduce redundant info. Closes GH-1383.
 * Fixes invalid JSON output for non-finite double values (e.g. from the HTTP JSON API). Closes GH-1408.
 * All hooks now set the `PASSENGER_HOOK_NAME` environment variable. This variable is set to the name of the hook that is being called.
 * The Ruby handler no longer tries to call #force_encoding on response body strings, which fixes an incompatibility with apps/libraries that return frozen body strings. Closes GH-1414.
 * If the Ruby handler crashes while processing a Rack response body, it will now no longer stall the connection.
 * Fixes env.SERVER_PORT containing 80 instead of 443 when using https on default port. Closes GH-1421.
 * We now handle errors in the `poll()` system call better. This might fix some crashes during shutdown which manifest on FreeBSD.


Release 5.0.2
-------------

 * Fixes a connection freeze that could occur when processing large responses. This would manifest itself under the error message "This website is under heavy load" or "Request queue is full, returning an error". Closes GH-1404.
 * Debian and Ubuntu packages have been reintroduced.
 * When `passenger-config restart-app` is run interactively, if Passenger is not serving any applications, then the command now prints an error message instead of showing a menu with only a "Cancel" option.
 * Fixes a compilation problem on FreeBSD 10 (contributed by: clemensg). Closes GH-1401.
 * [Standalone] Fixes a crash that would occur if you use the `--ctl` parameter.
 * [Enterprise] The `--max-request-time` option has been added to Passenger Standalone.
 * [Enterprise] The `max_request_time_reached` hook has been introduced. This hook allows you to run diagnostics on a process that that took too long to respond to a request.


Release 5.0.1
-------------

 * The `passenger-config restart-app` command is now more user friendly. When run in a terminal, it will show an interactive menu, allowing you to select the app to restart. Closes GH-1387.
 * Fixed a crash bug in the handling of sticky session cookies.
 * Log failed program in error message, not its command line (contributed by: paisleyrob). Closes GH-1397.
 * [Nginx] Fixes cases in which Passenger overrides the Nginx handler function even when it shouldn't, for example when Passenger is disabled. Closes GH-1393.
 * [Enterprise] The `sticky_sessions` and `envvars` options in Passengerfile.json is now also supported in mass deployment mode.


Release 5.0.0 release candidate 2
---------------------------------

 * Fixes an installation problem with the Ruby gem due to incorrect Makefile generation. Closes GH-1382.
 * More helpful message when request queue is full. Closes GH-1375.


Release 5.0.0 release candidate 1
---------------------------------

 * Fixed Date headers not being formatted in the GMT timezone. Closes GH-1367.
 * Fixed Passengerfile.json/passenger-standalone.json not being properly loaded in Passenger Standalone.
 * Fixed support for sticky sessions.
 * Fixed an infinite loop if the ApplicationPool garbage collector fails due to an exception. Closes GH-1360.
 * Fixed Passenger Standalone exiting prematurely when the HelperAgent crashes. Exiting prematurely is not supposed to happen because the watchdog will restart the HelperAgent. Closes GH-1339.
 * Fixed a crash that occurs when using a non-standard startup file value. Closes GH-1378.
 * When dumping system metrics during error page generation, the `passenger-config` command is now invoked under the same Ruby interpreter as the app, instead of the one in PATH. Closes GH-1381.
 * When a Ruby process crashes due to an uncaught exception, this fact is now properly logged.
 * Specifying 0 for the `max_pool_size` config option no longer results in a crash. Closes GH-1334.
 * The timeouts when downloading Passenger Standalone binaries and source files are now customizable. Closes GH-1295.
 * The `envvars` option is now supported in Passengerfile.json, for passing environment variables to the application. Closes GH-1377.
 * Introduced `hook_queue_full_error` for request queue overflows. Closes GH-1358.
 * [Ruby] Fixed handling of "transfer-encoding chunked" response bodies which contain zero-sized chunks.
 * [Nginx] It is no longer necessary to re-specify `passenger_enabled` in `location` contexts. Closes GH-1338.
 * [Enterprise] Fixed a bug in mass deployment reloading.
 * [Enterprise] Fixed a bug in mass deployment daemonization.
 * [Enterprise] Fixed passenger-irb. Closes GH-1350.
 * [Enterprise] The mass deployment mode now supports the `app_type` and `startup_file` configuration options in Passengerfile.json/passenger-standalone.json. Closes GH-1366.


Release 5.0.0 beta 3
--------------------

 * The turbocache has received major updates and fixes based on excellent feedback Chris Heald and the community. First, several bugs w.r.t. the handling of caching headers have been fixed. Second, the turbocache has become slightly more conservative for security reasons. In previous versions, default cacheable responses (as defined by RFC 7234) were cached unless caching headers tell us not to. Now, default cacheable responses are only cached if caching headers explicitly tell us to. This change was introduced because there are many applications that set incorrect caching headers on private responses. This new behavior is currently not configurable, but there are plans to make it configurable in 5.0.0 release candidate 1.
 * Introduced a new configuration option, `passenger_response_buffer_high_watermark` (Nginx) and `PassengerResponseBufferHighWatermark` (Apache), for configuring the behavior of the response buffering system. Closes GH-1300.
 * Fixed more cookie handling issues. Closes GH-1310.
 * Fixed various WebSocket issues. Closes GH-1306.
 * Fixed some crashes caused by race conditions. Closes GH-1326.
 * Fixed issues with handling POST data. Closes GH-1331.
 * Fixed some issues on Heroku. Closes GH-1329.
 * Fixed some integer overflows. Fix contributed by Go Maeda. Closes GH-1357.
 * Fixed the `passenger-status --show=union_station` command. Closes GH-1336.
 * Nginx versions earlier than 1.6 are no longer supported.
 * Improved state introspection.


Release 5.0.0 beta 2
--------------------

 * Fixed handling of multiple Set-Cookie headers. Closes GH-1296.
 * `passenger-config system-metrics` now works properly if the agent is installed in ~/.passenger. Closes GH-1304.
 * Documentation enhancements by Igor Vuk. Closes GH-1318.
 * Fixed some crasher bugs.
 * [Standalone] User switching is now correctly disabled.
 * [Standalone] Fixed the `--thread-count` parameter.
 * [Apache] IPs set by mod_remoteip are now respected. Closes GH-1284.
 * [Apache] Fixed support for gzipped chunked responses. Closes GH-1309.


Release 5.0.0 beta 1
--------------------

Version 5.0.0 beta 1 contains major changes. It's mostly compatible with version 4, but there are a few minor breakages, which are described below. Major changes and notable breakages are:

 * Performance has been much improved. This is thanks to months of optimization work. You can learn more at www.rubyraptor.org.
 * We've published a [server optimization guide](https://www.phusionpassenger.com/documentation/ServerOptimizationGuide.html) for those who are interested in tuning Phusion Passenger.
 * Support for Rails 1.2 - 2.2 has been removed, for performance reasons. Rails 2.3 is still supported.
 * Phusion Passenger now supports integrated HTTP caching, which we call turbocaching. If your app sets the right HTTP headers then Phusion Passenger can tremendously accelerate your app. It is enabled by default, but you can disable it with `--disable-turbocaching` (Standalone), `PassengerTurbocaching off` (Apache), or 'passenger_turbocaching off' (Nginx).
 * Touching restart.txt will no longer restart your app immediately. This is because, for performance reasons, the stat throttle rate now defaults to 10. You can still get back the old behavior by setting `PassengerStatThrottleRate 0` (Apache) or `passenger_stat_throttle_rate 0` (Nginx), but this is not encouraged. Instead, we encourage you to use the `passenger-config restart-app` tool to initiate restarts, which has immediate effect.
 * Websockets are now properly disconnected on application restarts.
 * The Phusion Passneger log levels have been completely revamped. If you were setting a log level before (e.g. through `passenger_log_level`), please read the latest documentation to learn about the new log levels.
 * If you use out-of-band garbage collection, beware that the `X-Passenger-Request-OOB-Work` header has now been renamed to `!~Request-OOB-Work`.
 * When using Rack's full socket hijacking, you must now output an HTTP status line.
 * [Nginx] The `passenger_set_cgi_param` option has been removed and replaced by `passenger_set_header` and `passenger_env_var`.
 * [Nginx] `passenger_show_version_in_header` is now only valid in the `http` context.
 * [Apache] The `PassengerStatThrottleRate` option is now global.

Minor changes:

 * The minimum required Nginx version is now 1.6.0.
 * The instance directory is now touched every hour instead of every 6 hours. This should hopefully prevent more problems with /tmp cleaner daemons.
 * Applications are not grouped not only on the application root path, but also on the environment. For example, this allows you to run the same app in both production and staging mode, with only a single directory, without further configuration. Closes GH-664.
 * The `passenger_temp_dir` option (Nginx) and the `PassengerTempDir` option (Apache) have been replaced by two config options. On Nginx they are `passenger_instance_registry_dir` and `passenger_data_buffer_dir`. On Apache they are `PassengerInstanceRegistryDir` and `PassengerDataBufferDir`. On Apache, `PassengerUploadBufferDir` has been replaced by `PassengerDataBufferDir`.
 * Command line tools no longer respect the `PASSENGER_TEMP_DIR` environment variable. Use `PASSENGER_INSTANCE_REGISTRY_DIR` instead.
 * `passenger-status --show=requests` has been deprecated in favor of `passenger-status --show=connections`.
 * Using the SIGUSR1 signal to restart a Ruby app without dropping connections, is no longer supported. Instead, use `passenger-config detach-process`.
 * Introduced the `passenger-config reopen-logs` command, which instructs all Phusion Passenger agent processes to reopen their log files. You should call this after having rotated the web server logs.
 * [Standalone] The Phusion Passenger Standalone config template has changed. Users are encouraged to update it.
 * [Standalone] `passenger-standalone.json` has been renamed to `Passengerfile.json`.
 * [Standalone] `passenger-standalone.json`/`Passengerfile.json` no longer overrides command line options. Instead, command line options now have the highest priority.


Release 4.0.60
--------------

Note that 4.0.60 is a source-only maintenance release. There will not be any binaries, Debian or RPM packages for this release.

 * Adds OS X El Capitan support.
 * Updates preferred Nginx version from 1.6.2 to 1.6.3.
 * Fixes a header collision vulnerability (CVE-2015-7519, medium severity). Please see our blog for detailed vulnerability description and advisory. Thanks to the SUSE security team for reporting this issue.
 * Fixes the password protection of internal Phusion Passenger processes.

   For security reasons, Phusion Passenger limits access to internal processes, by using Unix file permissions and randomly generated passwords that only authorized internal processes know. It turns out that this password wasn't set correctly, which has now been fixed. There was no security vulnerability, because the file permissions already provide sufficient security. The password only serves as an extra layer of security just in case there is a problem with the former.

   This issue is not at all related to any application-level security or application-level passwords. Any database passwords, keys, or secrets used and generated by applications have got nothing to do with the nature of this issue. This issue only relates to some randomly generated passwords that Passenger uses internally, for its internal operations.


Release 4.0.59
--------------

 * [Enterprise] Fixed support for free-style Node.js apps.


Release 4.0.58
--------------

 * [Enterprise] Fixed a bug in the Debian packages which caused Flying Passenger to break when used with non-system Rubies.
 * The Debian packages no longer require Ruby 1.9. Closes GH-1353.


Release 4.0.57
--------------

 * Fixed a native extension compatibility problem with Ruby 2.2. Closes [ruby-core:67152](https://bugs.ruby-lang.org/issues/10656).
 * Fixed compatibility with Nginx 1.7.9. Closes GH-1335.


Release 4.0.56
--------------

 * Fixed a file descriptor leak that manifests when an error page is shown. Contributed by Paul Bonaud, closes GH-1325.
 * Improved Node.js request load balancing. Closes GH-1322. Thanks to Charles Vallières for the analysis.


Release 4.0.55
--------------

 * Supports Ruby 2.2. Closes GH-1314.
 * Fixed Linux OS name detection.


Release 4.0.54
--------------

 * Contains a licensing-related hot fix for Enterprise customers.


Release 4.0.53
--------------

 * Upgraded the preferred Nginx version to 1.6.2.
 * Improved RVM gemset autodetection.
 * Fixed some Ruby 2.2 compatibility issues.


Release 4.0.52
--------------

 * Fixed a null termination bug when autodetecting application types.
 * Node.js apps can now also trigger the inverse port binding mechanism by passing `'/passenger'` as argument. This was introduced in order to be able to support the Hapi.js framework. Please read http://stackoverflow.com/questions/20645231/phusion-passenger-error-http-server-listen-was-called-more-than-once/20645549 for more information regarding Hapi.js support.
 * It is now possible to abort Node.js WebSocket connections upon application restart. Please refer to https://github.com/phusion/passenger/wiki/Phusion-Passenger:-Node.js-tutorial#restarting_apps_that_serve_long_running_connections for more information. Closes GH-1200.
 * Passenger Standalone no longer automatically resolves symlinks in its paths.
 * `passenger-config system-metrics` no longer crashes when the system clock is set to a time in the past. Closes GH-1276.
 * `passenger-status`, `passenger-memory-stats`, `passenger-install-apache2-module` and `passenger-install-nginx-module` no longer output ANSI color codes by default when STDOUT is not a TTY. Closes GH-487.
 * `passenger-install-nginx-module --auto` is now all that's necessary to make it fully non-interactive. It is no longer necessary to provide all the answers through command line parameters. Closes GH-852.
 * Minor contribution by Alessandro Lenzen.


Release 4.0.50
--------------

 * Fixed a potential heap corruption bug.
 * Added Union Station support for Rails 4.1.


Release 4.0.49
--------------

 * Upgraded the preferred Nginx version to 1.6.1.
 * Fixed a crash that may be triggered by the `passenger_max_requests` feature.
 * Introduced the `spawn_failed` hook, which is called when an application
   process fails to spawn. You could use this hook to setup an error
   notification system. Closes GH-1252.
 * Fonts, RSS and XML are now gzip-compressed by default in Phusion Passenger
   Standalone. Thanks to Jacob Elder. Closes GH-1254.
 * Fixed some user and group information lookup issues. Closes GH-1253.
 * Fixed some request handling crashes. Closes GH-1250.
 * Fixed some compilation problems on Gentoo. Closes GH-1261.
 * Fixed some compilation problems on Solaris. Closes GH-1260.


Release 4.0.48
--------------

 * Fixed a race condition while determining what user an application should
   be executed as. This bug could lead to applications being run as the wrong
   user. Closes GH-1241.
 * [Standalone] Improved autodetection of Rails asset pipeline files. This
   prevents Standalone from incorrectly setting caching headers on non-asset
   pipeline files. Closes GH-1225.
 * Fixed compilation problems on CentOS 5. Thanks to J. Smith. Closes GH-1247.
 * Fixed compilation problems on OpenBSD.
 * Fixed compatibility with Ruby 1.8.5.


Release 4.0.47
--------------

 * [Enterprise] Fixed a bug in Flying Passenger's `--max-preloader-idle-time`
   option.


Release 4.0.46
--------------

 * Further improved Node.js and Socket.io compatibility.
 * Sticky session cookies have been made more reliable.
 * Fixed WebSocket upgrade issues on Firefox. Closes GH-1232.
 * The Python application loader now inserts the application root into `sys.path`.
   The fact that this was not done previously caused a lot of confusion amongst
   Python users, who wondered why their `passenger_wsgi.py` could not import any
   modules from the same directory.
 * Fixed a compatibility problem with Django, which could cause Django apps to
   freeze indefinitely. Closes GH-1215.
 * Logging of application spawning errors has been much improved. Full details
   about the error, such as environment variables, are saved to a private log file.
   In the past, these details were only viewable in the browser. This change also
   fixes a bug on Phusion Passenger Enterprise, where enabling Deployment Error
   Resistance causes error messages to get lost. Closes GH-1021 and GH-1175.
 * Fixed a regression in Node.js support. When a Node.js app is deployed on
   a HTTPS host, the `X-Forwarded-Proto` header wasn't set in 4.0.45.
   Closes GH-1231.
 * Passenger Standalone no longer, by default, loads shell startup files before
   loading the application. This is because Passenger Standalone is often invoked
   from the shell anyway. Indeed, loading shell startup files again can interfere
   with any environment variables already set in the invoking shell. You can
   still tell Passenger Standalone to load shell startup files by passing
   `--load-shell-envvars`. Passenger for Apache and Passenger for Nginx still
   load shell startup files by default.
 * Passenger Standalone now works properly when the HOME environment variable
   isn't set. Closes GH-713.
 * Passenger Standalone's `package-runtime` command has been removed. It has
   been broken for a while and has nowadays been obsolete by our automatic
   [binary generation system](https://github.com/phusion/passenger_autobuilder).
   Closes GH-1133.
 * The `passenger_startup_file` option now also works on Python apps. Closes GH-1233.
 * If you are a [Union Station](https://www.unionstationapp.com) customer, then
   Phusion Passenger will now also log application spawning errors to Union Station.
   This data isn't shown in the Union Station interface yet, but it will be
   implemented in the future.
 * Fixed compilation problems on OmniOS and OpenIndiana. Closes GH-1212.
 * Fixed compilation problems when Nginx is configured with OpenResty.
   Thanks to Yichun Zhang. Closes GH-1226.
 * Fixed Nginx HTTP POST failures on ARM platforms. Thanks to nocelic for the fix.
   Closes GH-1151.
 * Documentation contributions by Tim Bishop and Tugdual de Kerviler.
 * Minor Nginx bug fix by Feng Gu. Closes GH-1235.


Release 4.0.45
--------------

 * Major improvements in Node.js and Meteor compatibility. Older Phusion Passenger
   versions implemented Node.js support by emulating Node.js' HTTP library.
   This approach was found to be unsustainable, so we've abandoned that approach
   and replaced it with a much simpler approach that does not involve emulating
   the HTTP library.
 * Introduced support for sticky sessions. Sticky sessions are useful -- or even
   required -- for apps that store state inside process memory. Prominent examples
   include SockJS, Socket.io, faye-websocket and Meteor. Sticky sessions are
   required to make the aforementioned examples work in multi-process scenarios.
   By introducing sticky sessions support, we've much improved WebSocket support
   and support for the aforementioned libraries and frameworks.
 * Due to user demand, GET requests with request bodies are once again supported.
   Support for these kinds of requests was removed in 4.0.42 in an attempt to
   increase the strictness and robustness of our request handling code. It has
   been determined that GET requests with request bodies can be adequately
   supported without degrading robustness in Phusion Passenger. However, GET
   requests with both request bodies and WebSocket upgrade headers are
   unsupported. Fixes issue #1092.
 * [Enterprise] The [Flying Passenger](http://www.modrails.com/documentation/Users%20guide%20Apache.html#flying_passenger)
   feature is now also available on Apache.
 * Fixed some issues with RVM mixed mode support, issue #1121.
 * Fixed Passenger Standalone complaining about not finding PassengerHelperAgent
   during startup.
 * Fixed various minor issues such as #1190 and #1197.
 * The download timeout for passenger-install-nginx-module has been increased.
   Patch by 亀田 義裕.


Release 4.0.44
--------------

 * The issue tracker has now been moved from Google Code to Github.
   Before version 4.0.44 (May 29 2014, commit 3dd0964c9f4), all
   issue numbers referred to Google Code. From now on, all issue
   numbers will refer to Github Issues.
 * Fixed compilation problems on OS X Lion and OS X Mountain Lion.
 * On Ruby, fixed `nil` being frozen on accident in some cases.
   See issue #1192.


Release 4.0.43
--------------

 * Introduced a new command `passenger-config list-instances`, which prints all
   running Phusion Passenger instances.
 * Introduced a new command `passenger-config system-metrics, which displays
   metrics about the system such as the total CPU and memory usage.
 * Fixed some compilation problems caused by the compiler capability autodetector.
 * System metrics such as total CPU usage and memory usage, are now sent to
   [Union Station](https://www.unionstationapp.com) in preparation for future
   features.


Release 4.0.42
--------------

 * [Nginx] Upgraded the preferred Nginx version to 1.6.0.
 * [Nginx] Fixed compatibility with Nginx 1.7.0.
 * [Standalone] The MIME type for .woff files has been changed to application/font-woff.
   Fixes issue #1071.
 * There are now APT packages for Ubuntu 14.04. At the same time, packages for
   Ubuntu 13.10 have been abandoned.
 * Introduced a new command, `passenger-config build-native-support`, for ensuring
   that the native_support library for the current Ruby interpreter is built. This
   is useful in system provisioning scripts.
 * For security reasons, friendly error pages (those black/purple pages that shows
   the error message, backtrace and environment variable dump when an application
   fails to start) are now disabled by default when the application environment is
   set to 'staging' or 'production'. Fixes issue #1063.
 * Fixed some compilation warnings on Ubuntu 14.04.
 * Fixed some compatibility problems with Rake 10.2.0 and later.
   See [Rake issue 274](https://github.com/jimweirich/rake/issues/274).
 * Improved error handling in [Union Station](https://www.unionstationapp.com) support.
 * Data is now sent to Union Station on a more frequent basis, in order to make new
   data show up more quickly.
 * Information about the code revision is now sent to Union Station, which will be
   used in the upcoming deployment tracking feature in Union Station 2.


Release 4.0.41
--------------

 * Fixed some issues with printing UTF-8 log files on Heroku.
 * Added a new flag `--ignore-app-not-running` to `passenger-config restart-app`.
   When this flag is given, `passenger-config restart-app` will exit successfully
   when the specified application is not running, instead of exiting with
   an error.
 * Our precompiled Passenger Standalone binaries have been upgraded to use
   OpenSSL 1.0.1g, which fixes [the OpenSSL Heartbleed vulnerability](http://heartbleed.com/).
   Users who are using Passenger Standalone with SSL enabled are vulnerable,
   and should upgrade immediately. Users who do not use Passenger Standalone,
   users who use Passenger Standalone without SSL, or users who use Passenger
   Standalone with SSL behind another SSL-enabled reverse proxy, are not
   vulnerable.


Release 4.0.40
--------------

 * Upgraded preferred Nginx version to 1.4.7. This Nginx version fixes
   a buffer overflow. Users are strongly urged to upgrade Nginx as soon
   as possible.


Release 4.0.39
--------------

 * Fixed a crash that could happen if the client disconnects while a chunked
   response is being sent. Fixes issue #1062.
 * In Phusion Passenger Standalone, it is now possible to customize the Nginx
   configuration file on Heroku. It is now also possible to permanently apply
   changes to the Nginx configuration file, surviving upgrades. Please refer
   to the "Advanced configuration" section of the Phusion Passenger Standalone
   manual for more information.
 * The programming language selection menu in passenger-install-apache2-module
   and passenger-install-nginx-module only works on terminals that support
   UTF-8 and that have a UTF-8 capable font. To cater to users who cannot meet
   these requirements (e.g. PuTTY users using any of the default Windows fonts),
   it is now possible to switch the menu to a plain text mode by pressing '!'.
   Fixes issue #1066.
 * Fixed printing UTF-8 characters in log files in Phusion Passenger Standalone.
 * It is now possible to dump live backtraces of Python apps through the
   'SIGABRT' signal.
 * Fixed closing of file descriptors on OS X 10.9.
 * Fixed compilation problems with Apple Clang 503.0.38 on OS X.
 * Fixed compilation of native_support on Rubinius.


Release 4.0.38
--------------

 * Added support for the new Ruby 2.1.0 out-of-band garbage collector.
   This can much improve garbage collection performance, and drastically
   reduce request times.
 * Fixed a symlink-related security vulnerability.

   Urgency: low
   Scope: local exploit
   Summary: writing files to arbitrary directory by hijacking temp directories
   Affected versions: 4.0.37
   Fixed versions: 4.0.38
   CVE-2014-1832

   Description:
   This issue is related to CVE-2014-1831 (the security issue as mentioned in
   the 4.0.37 release notes). The previous fix was incomplete, and still has a
   (albeit smaller) small attack time window in between two filesystem
   checks. This attack window is now gone.
 * Passenger Standalone is now compatible with IPv6.
 * Fixed some compilation problems on Solaris. See issue #1047.
 * passenger-install-apache2-module and passenger-install-nginx-module
   now automatically run in `--auto` mode if stdin is not a TTY. Fixes
   issue #1030.
 * Fixed an issue with non-bundled Meteor apps not correctly running in
   production mode.
 * The `PassengerPreStart` option is now compatible with IPv6 server sockets.
 * When running Python WSGI apps, `wsgi.run_once` is now set to False.
   This should improve the performance of certain apps and frameworks.
 * When handling HTTP requests with chunked transfer encoding, the
   'Transfer-Encoding' header is no longer passed to the application.
   This is because the web server already buffers and dechunks the
   request body.
 * Fixed a possible hang in Phusion Passenger for Nginx when Nginx
   is instructed to reload or reopen log files. Thanks to Feng Gu,
   [pull request #97](https://github.com/phusion/passenger/pull/97).
 * The preferred Nginx version has been upgraded to 1.4.6.
 * Fixed a problem with running passenger-install-apache2-module and
   passenger-install-nginx-module on JRuby. They were not able to accept
   any terminal input after displaying the programming language menu.


Release 4.0.37
--------------

 * Improved Node.js compatibility. Calling on() on the request object
   now returns the request object itself. This fixes some issues with
   Express, Connect and Formidable. Furthermore, some WebSocket-related
   issues have been fixed.
 * Improved Meteor support. Meteor application processes are now shut down
   quicker. Previously, they linger around for 5 seconds while waiting for
   all connections to terminate, but that didn't work well because WebSocket
   connections were kept open indefinitely. Also, some WebSocket-related
   issues have been fixed.
 * Introduced a new tool `passenger-config detach-process` for gracefully
   detaching an application process from the process pool. Has a similar
   effect to killing the application process directly with `kill <PID>`,
   but killing directly may cause the HTTP client to see an error, while
   using this command guarantees that clients see no errors.
 * Fixed a crash that occurs when an application fails to spawn, but the HTTP
   client disconnects before the error page is generated. Fixes issue #1028.
 * Fixed a symlink-related security vulnerability.

   Urgency: low
   Scope: local exploit
   Summary: writing files to arbitrary directory by hijacking temp directories
   Affected versions: 4.0.5 and later
   Fixed versions: 4.0.37
   CVE-2014-1831

   Description:
   Phusion Passenger creates a "server instance directory" in /tmp during startup,
   which is a temporary directory that Phusion Passenger uses to store working files.
   This directory is deleted after Phusion Passenger exits. For various technical
   reasons, this directory must have a semi-predictable filename. If a local attacker
   can predict this filename, and precreates a symlink with the same filename that
   points to an arbitrary directory with mode 755, owner root and group root, then
   the attacker will succeed in making Phusion Passenger write files and create
   subdirectories inside that target directory. The following files/subdirectories
   are created:

    * control_process.pid
    * generation-X, where X is a number.

   If you happen to have a file inside the target directory called `control_process.pid`,
   then that file's contents are overwritten.

   These files and directories are deleted during Phusion Passenger exit. The target
   directory itself is not deleted, nor are any other contents inside the target
   directory, although the symlink is.

   Thanks go to Jakub Wilk for discovering this issue.


Release 4.0.36
--------------

 * [Enterprise] Fixed some Mass Deployment bugs.
 * [Enterprise] Fixed a bug that causes an application group to be put into
   Deployment Error Resistance Mode if rolling restarting fails while
   deployment error resistance is off. Deployment Error Resistance Mode is
   now only activated if it's explicitly turned on.
 * Passenger Standalone now gzips JSON responses.
 * Fixed some cases in which Passenger Standalone does not to properly cleanup
   its temporary files.


Release 4.0.35
--------------

 * Fixed some unit tests.


Release 4.0.34
--------------

 * The Node.js loader code now sets the `isApplicationLoader` attribute on the
   bootstrapping module. This provides a way for apps and frameworks that check
   for `module.parent` to check whether the current file is loaded by Phusion
   Passenger, or by other software that work in a similar way.

   This change has been introduced to solve a compatibility issue with CompoundJS.
   CompoundJS users should modify their server.js, and change the following:

       if (!module.parent) {

   to:

       if (!module.parent || module.parent.isApplicationLoader) {

 * Improved support for Meteor in development mode. Terminating Phusion Passenger
   now leaves less garbage Meteor processes behind.
 * It is now possible to disable the usage of the Ruby native extension by setting
   the environment variable `PASSENGER_USE_RUBY_NATIVE_SUPPORT=0`.
 * Fixed incorrect detection of the Apache MPM on Ubuntu 13.10.
 * When using RVM, if you set PassengerRuby/passenger_ruby to the raw Ruby binary
   instead of the wrapper script, Phusion Passenger will now print an error.
 * Added support for RVM >= 1.25 wrapper scripts.
 * Fixed loading passenger_native_support on Ruby 1.9.2.
 * The Union Station analytics code now works even without native_support.
 * Fixed `passenger-install-apache2-module` and `passenger-install-nginx-module` in
   Homebrew.
 * Binaries are now downloaded from an Amazon S3 mirror if the main binary server
   is unavailable.
 * And finally, although this isn't really a change in 4.0.34, it should be noted.
   In version 4.0.33 we changed the way Phusion Passenger's own Ruby source files
   are loaded, in order to fix some Debian and RPM packaging issues. The following
   doesn't work anymore:

       require 'phusion_passenger/foo'

   Instead, it should become:

       PhusionPassenger.require_passenger_lib 'foo'

   However, we overlooked the fact that this change breaks Ruby apps which use
   our Out-of-Band GC feature, because such apps had to call
   `require 'phusion_passenger/rack/out_of_band_gc'`. Unfortunately we're not able
   to maintain compatibility without reintroducing the Debian and RPM packaging
   issues. Users should modify the following:

       require 'phusion_passenger/rack/out_of_band_gc'

   to:

       if PhusionPassenger.respond_to?(:require_passenger_lib)
         # Phusion Passenger >= 4.0.33
         PhusionPassenger.require_passenger_lib 'rack/out_of_band_gc'
       else
         # Phusion Passenger < 4.0.33
         require 'phusion_passenger/rack/out_of_band_gc'
       end

Release 4.0.33
--------------

 * Fixed a compatibility problem in passenger-install-apache2-module with Ruby 1.8.
   The language selection menu didn't work properly.


Release 4.0.32
--------------

 * Fixed compatibility problems with old Ruby versions that didn't include RubyGems.


Release 4.0.31
--------------

 * Introduced a new tool: `passenger-config restart-app`. With this command you
   can initiate an application restart without touching restart.txt.
   Unlike touching restart.txt, this tool initiates the restart immediately
   instead of on the next request.
 * Fixed some problems in process spawning and request handling.
 * Fixed some problems with the handling of HTTP chunked transfer encoding
   bodies. These problems only occurred in Ruby.
 * Fixed the HelperAgent, upon shutdown, not correctly waiting 5 seconds until
   all clients have disconnected. Fixes issue #884.
 * Fixed compilation problems on FreeBSD.
 * Fixed some C++ strict aliasing problems.
 * Fixed some problems with spawning applications that print messages without
   newline during startup. Fixes issue #1039.
 * Fixed potential hangs on JRuby when Ctrl-C is used to shutdown the server.
   Fixes issue #1035.
 * When Phusion Passenger is installed through the Debian package,
   passenger-install-apache2-module now checks whether the Apache
   module package (libapache2-mod-passenger) is properly installed,
   and installs it using apt-get if it's not installed. Fixes
   issue #1031.
 * The `passenger-status --show=xml` command no longer prints the non-XML
   preamble, such as the version number and the time. Fixes issue #1037.
 * The Ruby native extension check whether it's loaded against the right Ruby
   version, to prevent problems when people upgrade Ruby without recompiling
   their native extensions.
 * Various other minor Debian packaging improvements.


Release 4.0.30
--------------

 * Fixed wrong autogeneration of HTTP Date header. If the web app does
   not supply a Date header, then Passenger will add one. Unfortunately
   due to the use of the wrong format string, December 30 2013 is
   formatted as December 30 2014. As a result, cookies that expire before
   2014 would expire on December 30 2013 and December 31 2013. Details can
   be found at [Github pull request 93](https://github.com/phusion/passenger/pull/93).

   This issue only affects Phusion Passenger for Nginx and Phusion Passenger
   Standalone, and does not affect Phusion Passenger for Apache.

   You can work around this problem in your application by setting a
   Date header. For example, in Rails you can do:

       before_filter { response.date = Time.now.utc }

   Many thanks to Jeff Michael Dean (zilkey) and many others for bringing this to our attention and for providing workarounds and feedback.


Release 4.0.29
--------------

 * Fixed a compilation problem on OS X Mavericks.


Release 4.0.28
--------------

 * Introduced a workaround for a GCC 4.6 bug. This bug could cause Phusion
   Passsenger to crash during startup. Affected operating systems include
   Ubuntu 12.04 and Amazon Linux 2013.09.01, though not every machine with
   this OS installed exhibits the problem. See issue #902.
 * Improved Node.js support: the Sails framework is now supported.
 * Improved Node.js support: the streams2 API is now supported.
 * Introduced support for hooks, allowing users to easily extend Phusion
   Passenger's behavior.
 * Fixed a bug in the `passenger start -R` option. It was broken because of a
   change introduced in 4.0.25.
 * Fixed a bug in PassengerMaxInstancesPerApp. Fixes issue #1016.
 * Fixed compilation problems on Solaris.
 * Fixed an encoding problem in the Apache autodetection code. Fixes
   issue #1026.
 * The Debian packages no longer depend on libruby.
 * Application stdout and stderr are now printed without normal
   Phusion Passenger debugging information, making them easier to read.


Release 4.0.27
--------------

 * [Apache] Fixed a bug in the Apache module which could lock up the Apache
   process or thread. This is a regression introduced in version 4.0.24.
 * Node.js application processes now have friendly process titles.


Release 4.0.26
--------------

 * Introduced the `PassengerBufferUpload` option for Apache. This option allows one
   to disable upload buffering, e.g. in order to be able to track upload progress.
 * [Nginx] The `HTTPS` variable is now set correctly for HTTPS connections, even
   without setting `ssl on`. Fixes issue #401.
 * [Standalone] It is now possible to listen on both a normal HTTP and an HTTPS port.
 * [Enterprise] The `passenger-status` tool now displays rolling restart status.


Release 4.0.25
--------------

 * The `PassengerAppEnv`/`passenger_app_env`/`--environment` option now also sets NODE_ENV,
   so that Node.js frameworks like Connect can properly respond to the environment.
 * Fixed a bug in our Debian/Ubuntu packages causing `passenger-install-nginx-module`
   not to be able to compile Nginx.
 * Arbitrary Node.js application structures are now supported.
 * [Nginx] Introduced the `passenger_restart_dir` option.
 * [Nginx] Upgraded preferred Nginx version to 1.4.4 because of CVE-2013-4547.


Release 4.0.24
--------------

 * Introduced the `PassengerNodejs` (Apache) and `passenger_nodejs` (Nginx)
   configuration options.
 * [Apache] Introduced the `PassengerErrorOverride` option, so that HTTP error
   responses generated by applications can be intercepted by Apache and customized
   using the `ErrorDocument` directive.
 * [Standalone] It is now possible to specify some configuration options in
   a configuration file `passenger-standalone.json`. When Passenger Standalone
   is used in Mass Deployment mode, this configuration file can be used to customize
   settings on a per-application basis.
 * [Enterprise] Fixed a potential crash when a rolling restart is triggered
   while a process is already shutting down.
 * [Enterprise] Fixed Mass Deployment support for Node.js and Meteor.


Release 4.0.23
--------------

 * Fixed compilation problems on GCC 4.8.2 (e.g. Arch Linux 2013-10-27).
 * Fixed a compatibility problem with Solaris /usr/ccs/bin/make: issue #999.
 * Support for the Meteor Javascript framework has been open sourced.


Release 4.0.22
--------------

 * [Enterprised] Fixed compilation problems on OS X Mavericks.


Release 4.0.21
--------------

 * [Nginx] Upgraded the preferred Nginx version to 1.4.3.
 * Node.js support has been open sourced.
 * Prelimenary OS X Mavericks support.
 * Work around an Apache packaging bug in CentOS 5.
 * Various user friendliness improvements in the documentation and the
   installers.
 * Fixed a bug in the always_restart.txt support. Phusion Passenger was
   looking for it in the wrong directory.
 * Many Solaris and Sun Studio compatibility fixes. Special thanks to
   "mark" for his extensive assistance.
 * [Standalone] The --temp-dir command line option has been introduced.


Release 4.0.20
--------------

 * Fixed a bug in Phusion Passenger Standalone's daemon mode. When in daemon
   mode, the Nginx temporary directory was deleted prematurely, causing some
   POST requests to fail. This was a regression that was introduced in 4.0.15
   as part of an optimization.
 * Fixed compilation problems on Solaris 10 with Sun Studio 12.3.
 * Improved detection of RVM problems.
 * It is now possible to log the request method to Union Station.
 * Introduced a new option, `PassengerLoadShellEnvvars` (Apache) and
   `passenger_load_shell_envvars` (Nginx). This allows enabling or disabling
   the loading of bashrc before spawning the application.
 * [Enterprise] Fixed a packaging problem which caused the flying-passenger
   executable not to be properly included in the bin path.
 * [Enterprise] Fixed a race condition which sometimes causes the Flying
   Passenger socket to be deleted after a restart. Fixes issue #939.
 * [Enterprise] The `byebug` gem is now supported for debugging on Ruby 2.0.
   The byebug gem requires a patch before this works:
   https://github.com/deivid-rodriguez/byebug/pull/29


Release 4.0.19
--------------

 * Fixed a problem with response buffering. Application processes are now
   properly marked available for request processing immediately after they're
   done sending the response, instead of after having sent the entire response
   to the client.
 * The "processed" counter in `passenger-status` is now bumped after the process
   has handled a request, not at the beginning.
 * [Enterprise] Fixed an off-by-one bug in the `passenger_max_processes` setting.


Release 4.0.18
--------------

 * The Enterprise variant of Phusion Passenger Standalone now supports
   customizing the concurrency model and thread count from the command line.
 * On Nginx, the Enterprise license is now only checked if Phusion Passenger
   is enabled in Nginx. This allows you to deploy Nginx binaries, that have
   Phusion Passenger Enterprise compiled in, to servers that are not
   actually running Phusion Passenger Enterprise.
 * Fixed a performance bug in the Union Station support code. In certain cases
   where a lot of data must be sent to Union Station, the code is now over
   100 times faster.
 * `passenger-status --show=union_station` now displays all clients that
   are connected to the LoggingAgent.
 * Added a workaround for Heroku so that exited processes are properly detected
   as such.
 * When using Phusion Passenger Standalone with Foreman, pressing Ctrl-C
   in Foreman no longer results in runaway Nginx processes.
 * Fixed backtraces in the Apache module.


Release 4.0.17
--------------

 * Fixed compilation problems on GCC 4.8 systems, such as Arch Linux 2013.04.
   Fixes issue #941.
 * Fixed some deprecation warnings when compiling the Ruby native extension
   on Ruby 2.0.0.
 * Fixed some Union Station-related stability issues.


Release 4.0.16
--------------

 * Allow Phusion Passenger to work properly on systems where the user's GID
   does not have a proper entry in /etc/group, such as Heroku.


Release 4.0.15
--------------

 * Out-of-band work has been much improved. The number of processes which
   may perform out-of-band work concurrently has been limited to 1.
   Furthermore, processes which are performing out-of-band work are now
   included in the max pool size constraint calculation. However, this
   means that in order to use out-of-band work, you need to have at least
   2 application processes running. Out-of-band work will never be triggered
   if you just have 1 process. Partially fixes issue #892.
 * Phusion Passenger now displays an error message to clients if too many
   requests are queued up. By default, "too many" is 100. You may customize
   this with `PassengerMaxRequestQueueSize` (Apache) or
   `passenger_max_request_queue_size` (Nginx).
 * A new configuration option, `PassengerStartTimeout` (Apache) and
   `passenger_start_timeout` (Nginx), has been added. This option allows you
   to specify a timeout for application startup. The startup timeout has exited
   since version 4.0.0, but before version 4.0.15 it was hardcoded at a value
   of 90 seconds. Now it is customizable. Fixes issue #936.
 * [Enterprise] The `PassengerMaxRequestTime`/`passenger_max_request_time`
   feature is now available for Python and Node.js as well, and is no longer
   limited to just Ruby. Fixes issue #938.
 * [Nginx] Introduced a configuration option `passenger_intercept_errors`,
   which decides if Nginx will intercept responses with HTTP status codes of
   400 and higher. Its effect is similar to `proxy_intercept_errors`.
 * [Standalone] Memory usage optimization: when `passenger start` is run with
   `--daemonize`, the frontend exits after starting the Nginx core. This saves
   ~20 MB of memory per `passenger start` instance.
 * [Standalone] Phusion Passenger Standalone is now also packaged in the
   Debian packages.
 * [Standalone] Fix a problem with the `passenger stop` command on Ruby 1.8.7.
   The 'thread' library was not properly required, causing a crash.
 * [Standalone] There is now builtin support for SSL.
 * Fix a crash when multiple `passenger_pass_header` directives are set.
   Fixes issue #934.
 * Permissions on the server instance directory are now explicitly set
   with chmod, so that permissions are correct on systems with a non-default
   umask. Fixes issue #928.
 * Fix permission problems when running `passenger start` with `--user`.
 * `passenger-config --detect-apache2` now correctly detects the eror log
   filename on Amazon Linux. Fixes issue #933.
 * An environment variable `PASSENGER_THREAD_LOCAL_STORAGE` has been added
   to the build system for forcefully disabling the use of thread-local
   storage within the Phusion Passenger codebase. This flag useful on systems
   that have broken support for thread-local storage, despite passing our build
   system's check for proper thread-local storage support. At the time of
   writing, one user has reported that Ubuntu 12.04 32-bit has broken
   thread-local storage report although neither the reporter nor us were able
   to reproduce the problem on any other systems running Ubuntu 12.04 32-bit.
   Note that this flag has no effect on non-Phusion Passenger code. Fixes
   issue #937.
 * It is now possible to preprocess events before they are sent to Union
   Station. This is useful for removing confidential data as demonstrated in
   this example `config/initializers/passenger.rb` file:

       if defined?(PhusionPassenger)
           event_preprocessor = lambda do |e|
               e.payload[:sql].gsub!("secret","PASSWORD") if e.payload[:sql]
           end
           PhusionPassenger.install_framework_extensions!(:event_preprocessor => event_preprocessor)
       end

Release 4.0.14
--------------

 * Fixed a bug in Passenger Standalone's source compiler, for the specific
   case when the downloaded Nginx binary doesn't work, and compilation
   of the Nginx binary did not succeed the first time (e.g. because of
   missing dependencies).
 * Precompiled Ruby native extensions are now automatically downloaded.


Release 4.0.13
--------------

 * Updated preferred Nginx version to 1.4.2.
 * Worked around the fact that FreeBSD 9.1 has a broken C++ runtime. Patch
   contributed by David Keller.
 * Autogenerated HTTP Date headers are now in UTC instead of local time.
   This could cause cookies to have the wrong expiration time. Fixes issue #913.
 * Fixed compatibility problems with Ruby 1.8.6 (issue #924).
 * Introduced a tool, `passenger-config --detect-apache2`, which autodetects
   all Apache installations on the system along with their parameters (which
   apachectl command to run, which log file to read, which config file to edit).
   The tool advises users about how to use that specific Apache installation.
   Useful if the user has multiple Apache installations but don't know about
   it, or when the user doesn't know how to work with multiple Apache
   installations.
 * Added an API for better Rack socket hijacking support.
 * Added a hidden configuration option for customizing the application start
   timeout. A proper configuration option will be introduced in the future.
 * Added autodetection support for Amazon Linux.
 * Fixed process metrics collection on some operating systems. Some systems'
   'ps' command expect no space between -p and the list of PIDs.


Release 4.0.10
--------------

 * Fixed a crash in PassengerWatchdog which occurs on some OS X systems.
 * Fixed exception reporting to Union Station.
 * Improved documentation.


Release 4.0.9
-------------

 * [Enterprise] Fixed a problem with passenger-irb.


Release 4.0.8
-------------

 * Fixed a problem with graceful web server restarts. When you gracefully
   restart the web server, it would cause Phusion Passenger internal sockets
   to be deleted, thus causing Phusion Passenger to go down. This problem
   was introduced in 4.0.6 during the attempt to fix issue #910.
 * The PassengerRestartDir/passenger_restart_dir now accepts relative
   filenames again, just like in Phusion Passenger 3.x. Patch
   contributed by Ryan Schwartz.
 * Documentation updates contributed by Gokulnath Manakkattil.
 * [Enterprise] Fixed a license key checking issue on some operating systems,
   such as CentOS 6.


Release 4.0.7
-------------

 * There was a regression in 4.0.6 that sometimes prevents
   PassengerLoggingAgent from starting up. Unfortunately this slipped
   our release testing. This regression has been fixed and we've updated
   our test suite to check for these kinds of regressions.


Release 4.0.6
-------------

 * Fixed a potential 100% CPU lock up in the crash handler, which only occurs
   on OS X. Fixes issue #908.
 * Fixed a crash in request handling, when certain events are trigger after
   the client has already disconnected. Fixes issue #889.
 * Phusion Passenger will no longer crash when the Phusion Passenger
   native_support Ruby extension cannot be compiled, e.g. because the Ruby
   development headers are not installed or because the current user has no
   permission to save the native extension file. Fixes issue #890.
 * Fixed OS X 10.9 support. Fixes issue #906.
 * Removed dependency on bash, so that Phusion Passenger works out of the box
   on BSD platforms without installing/configuring bash. Fixes issue #911.
 * Fix 'PassengerPoolIdleTime 0' not being respected correctly. Issue #904.
 * Admin tools improvement: it is now possible to see all currently running
   requests by invoking `passenger-status --show=requests`.
 * A new feature called Flying Passenger allows you to decouple the life time
   of Phusion Passenger from the web server, so that both can be restarted
   indepedently from each other. Please refer to
   http://blog.phusion.nl/2013/07/03/technology-preview-introducing-flying-passenger/
   for an introduction.
 * [Apache] Fixed compatibility with Apache pipe logging. Previously this
   would cause Phusion Passenger to lock up with 100% CPU during Apache
   restart.
 * [Nginx] The Nginx configure script now checks whether 'ruby' is in $PATH.
   Previously, if 'ruby' is not in $PATH, then the compilation process fails
   with an obscure error.
 * [Nginx] passenger-install-nginx-module now works properly even when Phusion
   Passenger is installed through the Debian packages. Before, the installer
   would tell you to install Phusion Passenger through the gem or tarball
   instead.
 * [Enterprise] Added pretty printing helpers to the Live IRB Console.
 * Fixed permissions on a subdirectory in the server instance directory. The
   server instance directory is a temporary directory that Phusion Passenger
   uses to store working files, and is deleted after Phusion Passenger exits.
   A subdirectory inside it is world-writable (but not world-readable) and is
   used for storing Unix domain sockets created by different apps, which may
   run as different users. These sockets had long random filenames to prevent
   them from being guessed. However because of a typo, this subdirectory was
   created with the setuid bit, when it should have sticky bit (to prevent
   existing files from being deleted or renamed by a user that doesn't own the
   file). This has now been fixed.
 * If the server instance directory already exists, it will now be removed
   first in order get correct directory permissions. If the directory still
   exists after removal, Phusion Passenger aborts to avoid writing to a
   directory with unexpected permissions. Fixes issue #910.
 * The installer now checks whether the system has enough virtual memory, and
   prints a helpful warning if it doesn't.
 * Linux/AArch64 compatibility fixes. Patch contributed by Dirk Mueller.
 * Improved documentation.


Release 4.0.5
-------------

 * [Standalone] Fixed a regression that prevented Passenger Standalone
   from starting. Fixes issue #899.
 * Fixed security vulnerability CVE-2013-2119.

   Urgency: low
   Scope: local exploit
   Summary: denial of service and arbitrary code execution by hijacking temp files
   Affected versions: all versions
   Fixed versions: 3.0.21 and 4.0.5

   Description:
   Phusion Passenger's code did not always create temporary files and directories in a secure manner. Temporary files and directories were sometimes created with a predictable filename. A local attacker can pre-create temporary files, resulting in a denial of service. In addition, this vulnerability allows a local attacker to run arbitrary code as another user, by hijacking temporary files.

   By pre-creating certain temporary files with certain permissions, attackers can prevent Passenger Standalone from starting (denial of service).

   By pre-creating certain temporary files with certain other permissions, attackers can trick `passenger start` and the build system (which is invoked by `passenger-install-apache2-module`/`passenger-install-nginx-module`) to run arbitrary code. The user that the code is run as, is equal to the user that ran `passenger start` or the build system. Attacks of this nature have to be timed exactly right. The attacker must overwrite the file contents right after Phusion Passenger has created the file contents, but right before the file is used. In the context of `passenger start`, the vulnerable window begins right after Passenger Standalone has created the Nginx config file, and ends when Nginx has read the config file. Once Nginx has started and initialized, the system is no longer vulnerable. `passenger stop` and other Passenger Standalone commands besides `start` are not vulnerable. In the context of the build system, the vulnerable window begins when `passenger-install-apache2-module`/`passenger-install-nginx-module` prints its first dependency checking message, and ends when it prints the first compiler command.

   Only the `passenger start` command, the `passenger-install-apache2-module` command and the `passenger-install-nginx-module` commands are vulnerable. Phusion Passenger for Apache and Phusion Passenger for Nginx (once they are installed) are not vulnerable.

   Fixed versions:
   3.0.21 and 4.0.5 have been released to address this issue.

   Workaround:
   You can use this workaround if you are unable to upgrade. Before invoking any Phusion Passenger command, set the `TMPDIR` environment variable to a directory that is not world-writable. Special care must be taken when you use sudo: sudo resets all environment variables, so you should either invoke sudo with `-E`, or you must set the environment variable after gaining root privileges with sudo.


Release 4.0.4
-------------

 * Fixed autodetection of noexec-mount /tmp directory. Fixes issue #850
   and issue #625.
 * Fixed a WSGI bug. wsgi.input was a file object opened in text mode,
   but should be opened in binary mode. Fixes issue #881.
 * Fixed a potential crash in Out-of-Band Work. Fixes issue #894.
 * Fixed a potential crash in rolling restarting, which only occurs if a
   process was also being spawned at the same time. Fixes issue #896.
 * [Apache] The RailsBaseURI and RackBaseURI directives have been unified.
   For a long time, RailsBaseURI told Phusion Passenger that the given
   sub-URI belongs to a **Rails 2** application. Attempt to use this
   directive with Rails 3 or with Rack applications would result in an
   error. Because this confused users, RailsBaseURI and RackBaseURI
   have now been unified and can now be used interchangably. Phusion
   Passenger will automatically detect what kind of application it is.
   The Nginx version already worked like this. Fixes issue #882.
 * [Standalone] The Passenger Standalone temp directory and
   PassengerWatchdog server instance directory have been unified.
   PassengerWatchdog already automatically updates the timestamps of
   all files in its server instance directory every 6 hours to prevent
   /tmp cleaners from deleting the directory. Therefore this
   unification prevents the Passenger Standalone temp directory to be
   deleted by /tmp cleaners as well. Fixes issue #654.
 * [Standalone] types_hash_max_size has been increased from 1024 to
   2048. This solves a problem that causes Nginx not to start on some
   platforms. Contributed by Jan-Willem Koelewijn.


Release 4.0.3
-------------

 * Better protection is now provided against application processes that
   are stuck and refuse to shut down cleanly. Since version 4.0.0,
   Phusion Passenger already forcefully shuts down all processes during
   web server shutdown. In addition to this, 4.0.3 now also forcefully
   shuts down processes that take more than 1 minute to shut down, even
   outside the context of web server shutdowns. This feature does not,
   however, protect against requests that take too long. Use
   PassengerMaxRequestTime (Apache) or passenger_max_request_time (Nginx)
   for that.
 * Fixed a crash in the HelperAgent which results in frequent process
   restarts in some traffic patterns. Fixes issue #862.
 * Fixed a problem that prevents processes from being spawned correctly
   if the user's bashrc changes working directory. Fixes issue #851.
 * passenger-status now also displays CPU usage.
 * The installer now checks for checksums when automatically downloading
   PCRE and Nginx. Contributed by Joshua Lund.
 * An error is now printed when trying to daemonize Phusion Passenger
   Standalone on Ruby implementations that don't support forking.
   Contributed by Benjamin Fleischer.
 * Although Phusion Passenger already supported JRuby, *installing*
   Phusion Passenger with JRuby was not possible. This has been fixed.
 * Various other minor bug fixes.


Release 4.0.2
-------------

 * Bumped the preferred Nginx version to 1.4.1 because of a critical
   Nginx security vulnerability, CVE-2013-2028. Users are advised to
   upgrade immediately.


Release 4.0.1
-------------

 * Fixed a crasher bug in the Deployment Error Resistance feature.
 * Fixed a bug in PassengerDefaultUser and PassengerDefaultGroup.
 * Fixed a bug which could cause application processes to exit before
   they've finished their request.
 * Fixed some small file descriptor leaks.
 * Bumped the preferred Nginx version to 1.4.0.
 * Editing the Phusion Passenger Standalone Nginx config template
   is no longer discouraged.
 * Improved documentation.


Release 4.0.0 release candidate 6
---------------------------------

 * WebSocket support on Nginx. Requires Nginx >= 1.3.15.
 * Improved RVM support.
 * Performance optimizations.
 * Various bug fixes.


Release 4.0.0 release candidate 5
---------------------------------

 * The default config snippet for Apache has changed! It must now contain a
   `PassengerDefaultRuby` option. The installer has been updated to output
   this option. The `PassengerRuby` option still exists, but it's only used
   for configuring different Ruby interpreters in different contexts. Please
   refer to the manual for more information.
 * We now provide GPG digital signatures for all file releases by Phusion.
   More information can be found in the manual.
 * `passenger-status` now displays process memory usage and time when it
   was last used. The latter fixes issue #853.
 * Exceptions in Rack application objects are now caught to prevent
   application processes from exiting.
 * The `passenger-config` tool now supports the `--ruby-command` argument,
   which helps the user with figuring out the correct Ruby command to use
   in case s/he wants to use multiple Ruby interpreters. The manual has
   also been updated to mention this tool.
 * Fixed streaming responses on Apache.
 * Worked around an OS X Unix domain socket bug. Fixes issue #854.
 * Out-of-Band Garbage Collection now works properly when the application
   has disabled garbage collection. Fixes issue #859.
 * Fixed support for /usr/bin/python on OS X. Fixes issue #855.
 * Fixed looping-without-sleeping in the ApplicationPool garbage collector
   if PassengerPoolIdleTime is set to 0. Fixes issue #858.
 * Fixed some process memory usage measurement bugs.
 * Fixed process memory usage measurement on NetBSD. Fixes issue #736.
 * Fixed a file descriptor leak in the Out-of-Band Work feature. Fixes issue #864.
 * The PassengerPreStart helper script now uses the default Ruby
   interpreter specified in the web server configuration, and no longer
   requires a `ruby` command to be in `$PATH`.
 * Updated preferred PCRE version to 8.32.
 * Worked around some RVM bugs.
 * The ngx_http_stub_status_module is now enabled by default.
 * Performance optimizations.


Release 4.0.0 release candidate 4
---------------------------------

 * Fixed compilation on systems where /tmp is mounted noexec.
 * Fixed some memory corruption bugs.
 * Improved debugging messages.
 * Phusion Passenger Standalone now sets underscores_in_headers.
   Fixes issue #708.
 * Fixed some process spawning compatibility problems, as
   reported in issue #842.
 * The Python WSGI loader now correctly shuts down client sockets
   even when there are child processes that keep the socket open.
 * A new configuration option PassengerPython (Apache) and
   passenger_python (Nginx) has been added so that users can
   customize the Python interpreter on a per-application basis.
   Fixes issue #852.
 * The Apache module now supports file uploads larger than 2 GB
   when on 32-bit systems. Fixes issue #838.
 * The Nginx version now supports the `passenger_temp_dir` option.
 * Environment variables set in the Nginx configuration file
   (through the `env` config option) are now correctly passed to
   all application processes. Fixes issue #371.
 * Fixed support for RVM mixed mode installations. Fixes issue #828.
 * Phusion Passenger now outputs the Date HTTP header in case the
   application didn't already do that (and was violating the HTTP spec).
   Fixes issue #485.
 * Phusion Passenger now checks whether /dev/urandom isn't broken.
   Fixes issue #516.


Release 3.9.5 (4.0.0 release candidate 3)
-----------------------------------------

 * Fixed Rake autodetection.


Release 3.9.4 (4.0.0 release candidate 2)
-----------------------------------------

 * More bug fixes.
 * More documentation updates.
 * Better crash diagnostics.


Release 3.9.3 (4.0.0 release candidate 1)
-----------------------------------------

 * The Nginx version now supports the `passenger_app_root` configuration option.
 * The Enterprise memory limiting feature has been extended to work with non-Ruby applications as well.
 * Application processes that have been killed are now automatically detected within 5 seconds. Previously Phusion Passenger needed to send a request to the process before detecting that it's gone. This change means that when you kill a process by sending it a signal, Phusion Passenger will automatically respawn it within 5 seconds (provided that the process limit settings allow respawning).
 * Phusion Passenger Standalone's HTTP client body limit has been raised from 50 MB to 1 GB.
 * Python 3 support has been added.
 * The build system has been made compatible with JRuby and Ruby 2.0.
 * The installers now print a lot more information about detected system settings so that the user can see  whether something has been wrongly detected.
 * Some performance optimizations. These involve further extending the zero-copy architecture, and the use of hash table maps instead of binary tree maps.
 * Many potential crasher and freezer bugs have been fixed.
 * Error diagnostics have been further improved.
 * Many documentation improvements.


Release 3.9.2 (4.0.0 beta 2)
----------------------------

 * New feature: JRuby and Rubinius support.
 * New feature: Out of Band Work.
 * Sending SIGBART to a Ruby process will now trigger the same behavior
   as SIGQUIT - that is, it will print a backtrace. This is necessary
   for proper JRuby support because JRuby cannot catch SIGQUIT.
 * Rolling restarts and depoyment error resistance are now also available
   in Phusion Passenger Standalone in the Enterprise version.
 * System call failure simulation framework.
 * Improved crash reporting.
 * Many documentation improvements.
 * Many bug fixes.


Release 3.9.1 (4.0.0 beta 1)
----------------------------

This is the first beta of Phusion Passenger 4. The changes are numerous.

 * Support for multiple Ruby versions.
 * The internals now use evented I/O.
 * Real-time response buffering.
 * Improved zero-copy architecture.
 * Rewritten ApplicationPool and process spawning subsystem.
 * Multithreading within Ruby apps (Phusion Passenger Enterprise only).
 * Python WSGI support lifted to "beta" status.
 * More protection against stuck processes.
 * Automatically picks up environment variables from your bashrc.
 * Allows setting environment variables directly in Apache.
 * Automatic asset pipeline support in Standalone.
 * Deleting restart.txt no longer triggers a restart.
 * More stable Union Station support.
 * Many internal robustness improvements.
 * Better relocatability without wasting space.


Release 3.0.21
--------------

 * Rebootstrapped the libev configure to fix compilation problems on Solaris 11.
 * Fixed support for RVM mixed mode installations. Fixes issue #828.
 * Fixed encoding problems in Phusion Passenger Standalone.
 * Changed preferred Nginx version to 1.2.9.
 * Catch exceptions raised by Rack application objects.
 * Fix for CVE-2013-2119. Details can be found in the announcement for version 4.0.5.
 * Version 3.0.20 was pulled because its fixes were incomplete.


Release 3.0.19
--------------

 * Nginx security fix: do not display Nginx version when
   server_tokens are off.
 * Fixed compilation problems on some systems.
 * Fixed some Union Station-related bugs.


Release 3.0.18
--------------

 * Fixed compilation problems on Fedora 17.
 * Fixed Union Station compatibility with Rails 3.2.
 * Phusion Passenger Enterprise Standalone now supports rolling
   restarts and deployment error resistance.


Release 3.0.17
--------------

 * Fixed a Ruby 1.9 encoding-related bug in the memory measurer.
   (Phusion Passenger Enterprise)
 * Fixed OOM adjustment bugs on Linux.
 * Fixed compilation problems on Fedora 18 and 19.
 * Fixed compilation problems on SunOS.
 * Fixed compilation problems on AIX. Contribution by Perry Smith.
 * Fixed various compilation warnings.
 * Upgraded preferred Nginx version to 1.2.3.

3.0.16 was an unofficial hotfix release, and so its announcement had been skipped.


Release 3.0.15
--------------

 * Updated documentation.
 * Updated website links.


Release 3.0.14
--------------

 * [Apache] Fixed a long-standing mod_rewrite-related problem.
   Some mod_rewrite rules would not work, but it depends on the exact
   mod_rewrite configuration so it would work for some people but not
   for others. Issue #563. Thanks a lot to cedricmaion for providing
   information on the nature of the bug and to peter.nash55 for
   providing a VM that allowed us to reproduce the problem.
 * [Nginx] Preferred Nginx version to 1.2.2.
   The previously preferred version was 1.2.1.
 * Cleared some confusing terminology in the documentation.
 * Fixed some Ruby 1.9 encoding problems.


Release 3.0.13
--------------

 * [Nginx] Preferred Nginx version upgraded to 1.2.1.
 * Fixed compilation problems on FreeBSD 6.4. Fixes issue #766.
 * Fixed compilation problems on GCC >= 4.6.
 * Fixed compilation problems on OpenIndiana and Solaris 11. Fixes issue #742.
 * Union Station-related bug fixes.
 * Sending the soft termination signal twice to application processes no longer makes them crash. Patch contributed by Ian Ehlert.


Release 3.0.12
--------------

 * [Apache] Support Apache 2.4. The event MPM is now also supported.
 * [Nginx] Preferred Nginx version upgraded to 1.0.15.
 * [Nginx] Preferred PCRE version upgraded to 8.30.
 * [Nginx] Fixed compatibility with Nginx < 1.0.10.
 * [Nginx] Nginx is now installed with http_gzip_static_module by default.
 * [Nginx] Fixed a memory disclosure security problem.
   The issue is documented at http://www.nginx.org/en/security_advisories.html
   and affects more modules than just Phusion Passenger. Users are advised
   to upgrade as soon as possible. Patch submitted by Gregory Potamianos.
 * [Nginx] passenger_show_version_in_header now hides the Phusion Passenger version number from the 'Server:' header too.
   Patch submitted by Gregory Potamianos.
 * Fixed a /proc deprecation warning on Linux kernel >= 3.0.


Release 3.0.11
--------------

 * Fixed a compilation problem on platforms without alloca.h, such as FreeBSD 7.
 * Improved performance and solved some warnings on Xen systems by compiling
   with `-mno-tls-direct-seg-refs`. Patch contributed by Michał Pokrywka.


Release 3.0.10
--------------

 * [Nginx] Dropped support for Nginx versions older than 1.0.0
 * [Nginx] Fixed support for Nginx 1.1.4+
 * [Nginx, Standalone] Upgraded default Nginx version to 1.0.10
   The previously default version was 1.0.5.
 * [Nginx] New option passenger_max_requests
   This is equivalent to the PassengerMaxRequests option in the Apache
   version: Phusion Passenger will automatically shutdown a worker process
   once it has processed the specified number of requests.
   Contributed by Paul Kmiec.
 * [Apache] New option PassengerBufferResponse
   The Apache version did not buffer responses. This could block the Ruby
   worker process in case of slow clients. We now enable response buffering
   by default. It can be turned off through this option. Feature contributed
   by Ryo Onodera.
 * Fixed remaining Ruby 1.9.3 compatibility problems
   We already supported Ruby 1.9.3 since 3.0.8, but due to bugs in Ruby
   1.9.3's build system Phusion Passenger would fail to detect Ruby 1.9.3
   features on some systems. Fixes issue #714.
 * Fixed a bug in PassengerPreStart
   A regression was introduced in 3.0.8, causing the prespawn script to
   connect to the host name instead of to 127.0.0.1. Fix contributed by
   Andy Allan.
 * Fixed compatibility with GCC 4.6
   Affected systems include Ubuntu 11.10.
 * Fixed various compilation problems.
 * Fixed some Ruby 1.9 encoding problems.
 * Fixed some Ruby 1.9.3 deprecation warnings.


Release 3.0.9
-------------

 * [Nginx] Fixed a NULL pointer crash that occurs on HTTP/1.0 requests
   when the Host header isn't given.
 * Fixed deprecation warnings on RubyGems >= 1.6.
 * Improved Union Station support stability.


Release 3.0.8
-------------

 * [Nginx] Upgraded preferred Nginx version to 1.0.5.
 * [Nginx] Fixed various compilation problems on various platforms.
 * [Nginx] We now ensure that SERVER_NAME is equal to HTTP_HOST without the port part.
   This is needed for Rack compliance. By default Nginx sets SERVER_NAME to
   whatever is specified in the server_name directive, but that's not necessarily
   the correct value. This fixes, for example, the use of the 'map' statement
   in config.ru.
 * [Nginx] Added the options passenger_buffer_size, passenger_buffers and passenger_busy_buffers_size.
   These options are similar to proxy_module's similarly named options. You can
   use these to e.g. increase the maximum header size limit.
 * [Nginx] passenger_pre_start now supports virtual hosts that listen on Unix domain sockets.
 * [Apache] Fixed the pcre.h compilation problem.
 * [Standalone] Fixed 'passenger stop'.
   It didn't work properly because it kept waiting for 'tail' to exit.
   We now properly terminate 'tail' as well.
 * Fixed compatibility with Rake 0.9.
 * Fixed various Ruby 1.9 compatibility issues.
 * Various documentation improvements.
 * New Union Station filter language features.
   It now supports status codes and response times.
   Please refer to https://engage.unionstationapp.com/help#filtering
   for more information.


Release 3.0.7
-------------

 * Fixed a bug passenger-install-apache2-module. It could crash on
   some systems due to a typo in the code.
 * Upgraded preferred Nginx version to 1.0.0.
 * Phusion Passenger Standalone now pre-starts application processes
   at startup instead of doing that at the first request.
 * When sending data to Union Station, the HTTP status code is now also
   logged.
 * Various Union Station-related stability improvements.
 * The Linux OOM killer was previously erroneously disabled for all
   Phusion Passenger processes, including application processes. The
   intention was to only disable it for the Watchdog. This has been
   fixed, and the Watchdog is now the only process for which the OOM
   killer is disabled.
 * Fixed some compilation problems on OpenBSD.
 * Due to a typo, the dependency on file-tail was not entirely removed
   in 3.0.6. This has now been fixed.


Release 3.0.6
-------------

 * Fixed various compilation problems such as XCode 4 support and OpenBSD support.
 * Fixed various Union Station-related stability issues.
 * Fixed an issue with host name detection on certain platforms.
 * Improved error logging in various parts.
 * The dependency on the file-tail library has been removed.
 * During installation, check whether /tmp is mounted with 'noexec'.
   Phusion Passenger's installer relies on /tmp *not* being mounted
   with 'noexec'. If it is then the installer will now show a helpful
   error message instead of bailing out in a confusing manner. Users
   can now tell the installer to use a different directory for storing
   temporary files by customizing the $TMPDIR environment variable.
 * Phusion Passenger Standalone can now run Rackup files that are not named 'config.ru'.
   The filename can be passed through the command line using the -R option.


Release 3.0.5
-------------

 * [Apache] Fixed Union Station process statistics collection
   Union Station users that are using Apache may notice that no process
   information show up in Union Station. This is because of a bug in
   Phusion Passenger's Apache version, which has now been fixed.
 * [Apache] PassengerAnalytics has been renamed to UnionStationSupport
   This option has been renamed for consistency reasons.
 * [Nginx] passenger_analytics has been renamed to union_station_support
   This option has been renamed for consistency reasons.
 * Fixed Union Station data sending on older libcurl versions
   Some Union Station users have reported that their data don't show up.
   Upon investigation this turned out to be a compatibility with older
   libcurl versions. Affected systems include all RHEL 5 based systems,
   such as RHEL 5.5 and CentOS 5.5. We've now fixed compatibility
   with older libcurl versions.
 * Added support for the Union Station filter language
   This language can be used to limit the kind of data that's sent to
   Union Station. Please read
   https://engage.unionstationapp.com/help#filtering for details.
 * Fixed a PassengerMaxPoolSize/passenger_max_pool_size violation bug
   People who host a lot of different applications on Phusion Passenger
   may notice that it sometimes spawns more processes than is allowed
   by PassengerMaxPoolSize/passenger_max_pool_size. This has been fixed.


Release 3.0.4
-------------

 * [Apache] Changed mod_dir workaround hook priority
   Phusion Passenger temporarily disables mod_dir on all Phusion
   Passenger-handled requests in order to avoid conflicts. In order to do this
   it registers some Apache hooks with the APR_HOOK_MIDDLE priority, but it
   turned out that this breaks some other modules like mod_python. The hook
   priority has been changed to APR_HOOK_LAST to match mod_dir's hook
   priorities. Issue reported by Jay Freeman.
 * Added support for Union Station: http://www.unionstationapp.com/
 * Some error messages have been improved.


Release 3.0.3
-------------

 * [Nginx] Preferred Nginx version upgraded to 0.8.54
   The previous preferred version was 0.8.53.
 * PATH_INFO and REQUEST_URI now contain the original escaped URI
   Phusion Passenger passes the URI, as reported by Apache/Nginx, to
   application processes through the PATH_INFO and REQUEST_URI variables.
   These variables are supposed to contain the original, unescaped URI, e.g.
   /clubs/%C3%BC. Both Apache and Nginx thought that it would be a good idea
   to unescape the URI before passing it to modules like Phusion Passenger,
   thereby causing PATH_INFO and REQUEST_URI to contain the unescaped URI,
   e.g. /clubs/ü. This causes all sorts of encoding problems. We now manually
   re-escape the URI when setting PATH_INFO and REQUEST_URI. Issue #404.
 * The installer no longer detects directories as potential commands
   Previously the installer would look in $PATH for everything that's
   executable, including directories. If one has /usr/lib in $PATH
   and a directory /usr/lib/gcc exists then the installer would recognize
   /usr/lib/gcc as the compiler. We now explicitly check whether the item
   is also a file.
 * PseudoIO now responds to #to_io
   Phusion Passenger sets STDERR to a PseudoIO object in order to capture
   anything written to STDERR during application startup. This breaks
   some libraries which expect STDERR to respond to #to_io. This has now
   been fixed. Issue #607.
 * Fixed various other minor bugs
   See the git commit log for details.


Release 3.0.2
-------------

 * [Nginx] Fixed compilation problems
   The Nginx compilation process was broken due to not correctly reverting
   the working directory of the Nginx configure script. This has been fixed:
   issue #595.
 * [Nginx] Fixed crash if passenger_root refers to a nonexistant directory
   Issue #599.
 * Fixed compilation problems on NetBSD
   There was a typo in a NetBSD-specific fcntl() call. It also turns out that
   NetBSD doesn't support some ISO C99 math functions like llroundl(); this
   has been worked around by using other functions. Issue #593.
 * Fixed file descriptor closing issues on FreeBSD
   Phusion Passenger child processes didn't correct close file descriptors
   on FreeBSD because it queries /dev/fd to do that. On FreeBSD /dev/fd
   only returns meaningful results if fdescfs is mounted, which it isn't
   by default. Issue #597.


Release 3.0.1
-------------

 * MUCH faster compilation
   We've applied code aggregation techniques, allowing Phusion Passenger
   to be compiled much quicker now. For example, compiling the Nginx
   component (not Nginx itself) on a MacBook Pro now takes only 29
   seconds instead of 51 seconds, an improvement of 75%! Compiling the
   Apache module on a slower Dell Inspiron now takes 39 seconds instead of
   1 minute 22 seconds, or 110% faster!
 * Fixed malfunction after web server restart
   On Linux systems that have a non-standard filesystem on /tmp, Phusion
   Passenger could malfunction after restarting the web server because of
   a bug that's only triggered on certain filesystems. Issue #569.
 * Boost upgraded to version 1.44.0.
   We were on 1.42.0.
 * Much improved startup error messages
   Phusion Passenger performs many extensive checks during startup to ensure
   integrity. However the error message in some situation could be vague.
   These startup error messages have now been improved dramatically, so that
   if something goes wrong during startup you will now more likely know why.
 * Curl < 7.12.1 is now supported
   The previous version fails to compile with Curl versions earlier than
   7.12.1. Issue #556.
 * passenger-make-enterprisey fixed
   This is the command that people can run after donating. It allows people
   to slightly modify Phusion Passenger's display name as a joke. In 3.0.0 it
   was broken because of a typo. This has been fixed.
 * Removed passenger-stress-test
   This tool was used during the early life of Phusion Passenger for stress
   testing websites. Its performance has never been very good and there are
   much better tools for stress testing, so this tool has now been removed.
 * [Apache] RailsEnv and RackEnv configuration options are now equivalent
   In previous versions, RailsEnv only had effect on Rails 1 and Rails 2 apps
   while RackEnv only had effect on Rack apps. Because Rails 3 apps are
   considered Rack apps, setting RailsEnv had no effect on Rails 3 apps.
   Because this is confusing to users, we've now made RailsEnv and RackEnv
   equivalent. Issue #579.
 * [Nginx] Fixed compilation problems on systems with unpowerful shells
   Most notably Solaris. Its default shell does not support some basic
   constructs that we used in the Nginx configure script.
 * [Nginx] Upgraded default Nginx version to to 0.8.53
   The previous default was 0.8.52.
 * [Nginx] passenger_enabled now only accepts 'on' or 'off' values
   Previously it would recognize any value not equal to 'on' as meaning
   'off'. This caused confusion among users who thought they could also
   specify 'true', so we now throw a proper error if the value is
   unrecognized. Fixes issue #583.


Release 3.0.0
-------------

This is a major release with many changes. Please read our blog for details.


Release 2.2.15
--------------

 * [Apache] Fixed incorrect temp dir cleanup by passenger-status
   On some systems, running passenger-status could print the following
   message:
   
      *** Cleaning stale folder /tmp/passenger.1234
   
   ...after which Phusion Passenger breaks because that directory is
   necessary for it to function properly. The cause of this problem
   has been found and has been fixed.
 * [Apache] Fixed some upload handling problems
   Previous versions of Phusion Passenger check whether the size of
   the received upload data matches the contents of the Content-Length
   header as received by the client. It turns out that there could
   be a mismatch e.g. because of mod_deflate input compression, so
   we can't trust Content-Length anyway and we're being too strict.
   The check has now been removed.
 * [Nginx] Fixed compilation issues with Nginx >= 0.7.66
   Thanks to Potamianos Gregory for reporting this issue. Issue #500.
 * [Nginx] Default Nginx version changed to 0.7.67
   The previous default version was 0.7.65.
 * Fixed more Bundler problems
   Previous versions of Phusion Passenger would preload some popular
   libraries such as mysql and sqlite3 in order to utilize copy-on-write
   optimizations better. However this behavior conflicts with Bundler
   so we've removed it.


Release 2.2.14
--------------

 * Added support for Rubinius
   Patch contributed by Evan Phoenix.
 * Fixed a mistake in the SIGQUIT backtrace message.
   Patch contributed by Christoffer Sawicki.
 * [Nginx] Fix a localtime() crash on FreeBSD
   This was caused by insufficient stack space for threads. Issue #499.


Release 2.2.13
--------------

 * Fixed some Rails 3 compatibility issues that were recently introduced.
 * Fixed a typo that causes config/setup_load_paths.rb not to be loaded
   correctly.


Release 2.2.12
--------------

 * Improved Bundler support.
   Previous versions might not be able to correctly load gems bundled
   by Bundler. We've also documented how our Bundler support works and
   how to override our support if you need special behavior.
   Please refer to the Phusion Passenger Users Guide, section
   "Bundler support".
 * Worked around some user account handling bugs in Ruby. Issue #192.
 * Fixed some Ruby 1.9 tempfile.rb compatibility problems.
 * Fixed some compilation problems on some ARM Linux platforms.
 * [Apache] Suppress bogus mod_xsendfile-related error messages.
   When mod_xsendfile is being used, Phusion Passenger might print
   bogus error messages like "EPIPE" or "Apache stopped forwarding
   the backend's response" to the log file. These messages are
   normal, are harmless and can be safely ignored, but they pollute
   the log file. So in this release we've added code to suppress
   these messages when mod_xsendfile is being used. Issue #474.
 * [Nginx] Fixed "passenger_user_switching off" permission problems
   If Nginx is running as root and passenger_user_switching is turned
   off, then Phusion Passenger would fail to initialize because of
   a permission problem. This has been fixed. Issue #458.
 * [Nginx] Nginx >= 0.8.38 is now supported.
   Thanks to Sergey A. Osokin for reporting the problem.
 * [Nginx] passenger-install-nginx-module upgraded
    It now defaults to installing Nginx 0.7.65 instead of 0.7.64.


Release 2.2.11
--------------

 * This release fixes a regression that appeared in 2.2.10 which only
   affects Apache. When under high load, Apache might freeze and stop
   responding to requests. It is caused by a race condition which is
   why it escaped our last release testing.
   
   This problem does not affect Nginx; you only have to upgrade if
   you're using Apache.
   
   http://groups.google.com/group/phusion-passenger/t/d5bb2f17c8446ea0


Release 2.2.10
--------------

 * Fixed some Bundler compatibility problems.
 * Fixed some file descriptor passing problems, which previously
   could lead to mysterious crashes.
 * Fixed some compilation problems on newer GCC versions. Issue #430.
 * Support #size method in rack.input.



Release 2.2.9
-------------

 * Fixed compatibility with Rails 3.
   Actually, previous Phusion Passenger releases were already compatible
   with Rails 3, depending on the spawn method that would be invoked. Here's
   the story:
   
   Since Phusion Passenger 2.2.8, when the file config.ru exists, Phusion
   Passenger will treat the app as a Rack app, not as a Rails app. This is
   in contrast to earlier versions which gave Rails detection more priority
   than Rack detection. Phusion Passenger loads Rack apps and Rails apps in
   different ways. The Rails loader was not compatible with Rails 3, which
   is what we've fixed in this release.
   
   That said, a Rails 3 app would have worked out-of-the-box on Phusion
   Passenger 2.2.8 as well because Rails 3 apps include a config.ru file
   by default, causing Phusion Passenger 2.2.8 to use the Rack loader.
   Earlier versions of Phusion Passenger would just completely bail out
   because they'd use the Rails loader.
   
   That said, with 2.2.9 there are still some caveats:
   - Smart spawning (the mechanism with which REE's 33% memory reduction
     is implemented) is *not* supported for Rack apps. This means that if
     you want to utilize smart spawning with Rails 3, then you should
     remove your config.ru file.
   - Rails 3 depends on Rack 1.1.0. You must have Rack 1.1.0 installed as
     a gem, even if you've bundled it with the gem bundler. This is because
     Phusion Passenger itself depends on Rack.
   
   Both of these caveats are temporary. We have plans to solve both of these
   properly in the future.
 * What's up with the Gem Bundler?
   There has been some reports that Phusion Passenger is not compatible with
   Yehuda Katz's gem bundler (http://github.com/wycats/bundler). This might
   have been true for an earlier version of the gem bundler, but the latest
   version seems to work fine. Please note that you need to insert the
   following snippet in config/preinitializer.rb, as instructed by the gem
   bundler's README:
   
     require "#{RAILS_ROOT}/vendor/gems/environment"
   
   The Rails::Boot monkey patching code as posted at
   http://yehudakatz.com/2009/11/03/using-the-new-gem-bundler-today/
   does not seem to be required anymore.
 * Fixed support for ActiveRecord subclasses that connect to another database.
   ActiveRecord subclasses that connect to a database other than the default
   one did not have their connection correctly cleared after forking.
   This can result in weird errors along the lines of "Lost connection to
   MySQL server during query". Issue #429.
 * [Nginx] Fixed PCRE URL.
   passenger-install-nginx-module downloads PCRE 7.8 if PCRE is not already
   installed. However PCRE 7.8 has been removed from their FTP server,
   so we've updated the URL to point to the latest version, 8.0.


Release 2.2.8
-------------

 * [Nginx] Fixed some signal handling problems.
   Restarting Nginx on OS X with SIGHUP can sometimes take a long time or
   even fail completely. This is because of some signal handling problems,
   which have now been fixed.
 * [Nginx] Added OpenSSL as dependency.
   OpenSSL is required in order to install Nginx, but this was not checked
   by passenger-install-nginx-module. As a result,
   passenger-install-nginx-module fails on e.g. out-of-the-box Ubuntu
   installations until the user manually installs OpenSSL. Issue #422.
 * [Nginx] Fixed support for internal redirects and subrequests.
   It is now possible to, for example, point X-Accel-Redirects to Phusion
   Passenger-served URLs. Patch contributed by W. Andrew Loe III: issue #433.
 * [Apache] Fixed a GnuTLS compatibility issue.
   mod_gnutls can cause Phusion Passenger to crash because of an unchecked
   NULL pointer. This problem has now been fixed: issue #391.
 * Fixed thread creation issue on Intel Itanium platforms.
   This fixes issue #427.
 * Fixed compilation problems on Linux running on the Renesas SH4 CPU.
   Patch contributed by iwamatsu: issue #428.
 * The Rack library has been unvendored.
   The original reason for vendoring was to work around broken Rails
   applications that explicitly specify Rack as a gem dependency. We've
   found a better workaround that does not require vendoring Rack.
   This also fixes a compatibility problem with Rails 3, because Rails
   3 depends on a newer Rack version than the one we had vendored.
   Issue #432.
 * Fixed compatibility with Ruby 1.9.1 patchlevel >= 152
   Ruby 1.9.1 patchlevel >= 152 has a bug in its tempfile library. If you've
   seen an error message along the lines of

      *** Exception IOError in Passenger RequestHandler (closed stream)
   
   then this is a Ruby bug at work. This bug has been fixed in Ruby 1.9.2,
   but Ruby 1.9.1 still contains this bug. We've added a workaround so that
   the bug is not triggered with this Ruby version. Issue #432.


Release 2.2.7
-------------

 * Removed forgotten debugging code in passenger-install-apache2-module,
   which caused it not to compile anything.


Release 2.2.6
-------------

 * Some /tmp cleaner programs such as tmpwatch try to remove subdirectories
   in /tmp/passenger.xxx after a while because they think those
   subdirectories are unused. This could cause Phusion Passenger to
   malfunction, requiring a web server restart. Measures have now been
   taken to prevent those tmp cleaner programs from removing anything
   in /tmp/passenger.xxx. Issue #365.
 * When autodetecting the application type, Rack is now given more priority
   than Rails. This allows one to drop a config.ru file in a Rails directory
   and have it detected as a Rack application instead of a Rails application.
   Patch contributed by Sam Pohlenz: issue #338.
 * The default socket backlog has been increased from 'SOMAXCONN' (which
   is 128 on most platforms) to 1024. This should fix most
   'helper_server.sock failed: Resource temporarily unavailable'
   errors.
 * Fixed compilation problems on Solaris. Issue #369 and issue #379.
 * Fixed crashes on PowerPC.
 * Some Ruby 1.9 compatibility fixes. Issue #398.
 * The installer now displays correct dependency installation instructions
   for Mandriva Linux.
 * [Apache] The location of the 'apxs' and 'apr-config' commands can now
   also be passed to the installer through the --apxs-path and
   --apr-config-path parameters, in addition to the $APXS2 and $APR_CONFIG
   environment variables. Issue #3.
 * [Nginx] Various problems that only occur on 64-bit platforms have been fixed.
 * [Nginx] The installer now installs Nginx 0.7.64 by default.


Release 2.2.5
-------------

 * [Apache] Small file uploads are now buffered; fixes potential DoS attack
   Phusion Passenger buffers large file uploads to temp files so that it
   doesn't block applications while an upload is in progress, but it sent
   small uploads directly to the application without buffering it. This could
   result in a potential DoS attack: the client can send many small, incomplete
   file uploads to the server, and this would block all application processes
   until a timeout occurs. In order to solve this problem, Phusion Passenger
   now buffers small file uploads in memory. Bug #356.

 * [Apache] Fixed support for mod_rewrite passthrough rules
   Mod_rewrite passthrough rules were not properly supported because of a bug
   fix for supporting encoded slashes (%2f) in URLs. Unfortunately, due to
   bugs/limitations in Apache, we can support either encoded slashes or
   mod_rewrite passthrough rules, but not both; supporting one will break the
   other.

   Support for mod_rewrite passthrough rules is now enabled by default; that
   is, support for encoded slashes is disabled by default. A new configuration
   option, "PassengerAllowEncodedSlashes", has been added. Turning this option
   on will enable support for encoded slashes and disable support for
   mod_rewrite passthrough rules.

   Issue #113 and issue #230.

 * [Apache] Added a configuration option for resolving symlinks in the document root path
   Phusion Passenger 2.2.0 and higher no longer resolves symlinks in
   the document root path in order to properly support Capistrano-style
   directory structures. The exact behavior is documented in the Users Guide,
   section "How Phusion Passenger detects whether a virtual host is a web
   application".

   However, some people relied on the old behavior. A new configuration option,
   PassengerResolveSymlinksInDocumentRoot, has been added to allow reverting
   back to the old behavior.

   Patch contributed by Locaweb (http://www.locaweb.com.br/).

 * [Apache] mod_env variables are now also passed through CGI environment headers
   Prior to version 2.2.3, environment variables set by mod_env are passed to
   the application as CGI environment headers, not through Ruby's ENV variable.
   In the last release we introduced support for setting ENV environment
   variables with mod_env, and got rid of the code for setting CGI environment
   headers. It turns out that some people relied on the old behavior, we so now
   environment variables set with mod_env are set in both ENV and in the CGI
   environment.
   
   Fixes bug #335.

 * [Apache] Fixed compilation problems on some Linux systems with older versions of Apache
   If you used to see compilation errors like this:

       ext/apache2/Configuration.cpp:554: error: expected primary-expression before '.' token

   then this version should compile properly.

 * [Apache] Fixed I/O timeouts for communication with backend processes
   Got rid of the code for enforcing I/O timeouts when reading from or writing to
   a backend process. This caused more problems than it solved.

 * [Nginx] Support for streaming responses (e.g. Comet or HTTP push)
   Buffering of backend responses is now disabled. This fixes support for
   streaming responses, something which the Apache version has supported
   for a while now. One can generate streaming responses in Ruby on Rails
   like this:

       render :text => lambda { |response, output|
           10_000.times do |i|
               output.write("hello #{i}!\n")
           end
       }

 * [Nginx] Installer now installs Nginx 0.7.61 by default
   Previously it installed 0.6.37 by default.

 * [Nginx] Fixed the installer's --extra-configure-flags flag when combined with --auto-download
   Arguments passed to --extra-configure-flags were not being passed to the
   Nginx configure script when --auto-download is given. This has been
   fixed: bug #349.

 * [Nginx] Fixed unnecessary download of PCRE
   The installer now checks whether PCRE is installed in /opt/local (e.g.
   MacPorts) as well before concluding that it isn't installed and going ahead
   with downloading PCRE.

 * Fixed STDERR capturing
   While spawning an application, Phusion Passenger captures any output written
   to STDERR so that it can show them later if the application failed to start.
   This turns out to be much more difficult than expected, with all kinds of
   corner cases that can mess up this feature.

   For example, if the Rails log file is not writable, then this can cause
   Rails to crash with a bizarre and unhelpful error message whenever it tries
   to write to STDERR:

       /!\ FAILSAFE /!\  Thu Aug 20 14:58:39 +1000 2009
       Status: 500 Internal Server Error
       undefined method `[]' for nil:NilClass

   Some applications reopen STDERR to a log file. This didn't work.

   Of all of these problems have been fixed now. (Bug #332)

 * Fixed some bugs in application sources preloading
   Rails >= 2.2 already preloads the application sources, in which case Phusion
   Passenger wasn't supposed to perform it's own preloading, but the Rails
   >= 2.2 detection code was bugged. This has been fixed.

   Rails < 2.2 doesn't preload the application sources by itself, but there
   should be a certain order with which the sources are preloaded, otherwise
   preloading could fail in some applications. We now enforce a specific load
   order: first models, then controllers, then helpers.

   Bug #359.
 
 * Fixed a few bugs in WSGI compliance
   PATH_INFO is supposed to be set to the request URI, but without the query
   string and without the base URI. This has been fixed: bug #360.

 * Fixed some Ruby 1.9-specific crashes caused by encoding issues. Bug #354.
 * Fixed loading of config/environment.rb on Ruby 1.9.2, because Ruby 1.9.2
   no longer has "." in the default load path. Patch by metaljastix, issue #368.
 * The Users Guide for Apache now mentions something about correct permissions
   for application directories.
 * Fixed compilation problems on IA-64 (bug #118). We also reduced the stack
   sizes for the threads by half, so Phusion Passenger should use even less
   virtual memory now.
 * Fixed compilation problems on Linux systems with ARM CPU.
 * Fixed a few compatibility problems with 64-bit OpenBSD.
 * Fixed a few typos and minor bugs.


Older releases
--------------
Please consult the blog posts on http://old.blog.phusion.nl/ for the information about older releases.