-
Notifications
You must be signed in to change notification settings - Fork 1
/
CHANGELOG
3324 lines (2694 loc) · 187 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Release 6.0.24 (Not yet released)
-------------
* [Nginx] Upgrades preferred Nginx to 1.26.2 from 1.26.1.
* [Enterprise] Smarter rolling restarts for better performance and reliability. We changed the way we route requests. Instead of picking the least-busy process, we now first prioritize new processes first. During a rolling restart, this new behavior leads to more efficient utilization of application caches, faster validation of new rollouts, and faster recovery from problematic deployments. Closes GH-2551.
* Fix a regression from 6.0.10 where running `passenger-config system-properties` would throw an error. Closes GH-2565.
* [Enterprise] Fix a memory corruption-related crash that could occur during rolling restarting.
* [Ubuntu] Add packages for Ubuntu 24.10 "oracular".
* [Ruby] Specify rackup version to avoid broken 1.0 gem. Closes GH-2559.
* Fixes compatibility with Ruby apps whose Gemfile.lock depends on base64.
* Upgrades Boost from 1.85 -> 1.86.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache 4.10.1 -> 4.10.2
- cmake 3.30.1 -> 3.31.2
- curl 8.8.0 -> 8.11.0
- git 2.45.2 -> 2.47.1
- gnupg 2.4.5 -> 2.4.7
- libgpg_error 1.50 -> 1.51
- npth 1.7 -> 1.8
- openssl 3.3.1 -> 3.4.0
- rubygems 3.5.16 -> 3.5.23
- rubies:
- 3.2.4 -> 3.2.6
- 3.3.4 -> 3.3.6
Release 6.0.23
-------------
* [Enterprise] The rolling restart feature now replaces app processes in newest-to-oldest order, to make more efficient use of alive processes during the rolling-restart's duration. Closes GH-2551.
* [Ruby] Improve Rack 3 compatibility.
* [Nginx] Upgrades preferred Nginx to 1.26.1 from 1.26.0.
* [Debian] Remove packages for Debian 10 Buster. (EOL 2024-07).
* [Ubuntu] Add packages for Ubuntu 24.04 "noble".
* [RPMs] Remove EL7 RPMs, CentOS7 is EOL.
* Fixes compatibility with Ruby apps whose Gemfile.lock depends on strscan.
* Adds option to render a custom error page when app fails to launch. Closes GH-2515.
- Apache: PassengerCustomErrorPage "public/error.html"
- Nginx: passenger_custom_error_page public/error.html;
- Standalone: --custom-error-page public/error.html
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- glibc 2.17 -> 2.28
- ccache 4.9.1 -> 4.10.1
- cmake 3.29.3 -> 3.30.1
- curl 8.7.1 -> 8.8.0
- git 2.45.0 -> 2.45.2
- openssl 3.3.0 -> 3.3.1
- pcre2 10.43 -> 10.44
- libassuan 2.5.7 -> 3.0.1
- libgcrypt 1.10.3 -> 1.11.0
- libgpg_error 1.49 -> 1.50
- libksba 1.6.6 -> 1.6.7
- pinentry 1.3.0 -> 1.3.1
- rubygems 3.5.10 -> 3.5.16
- rubies:
- dropped 3.0.7
- 3.1.5 -> 3.1.6
- 3.3.1 -> 3.3.4
Release 6.0.22
-------------
* [RPM] Fix dependency on selinux-policy. Closes GH-2545.
* Fix Amazon Linux detection. Closes GH-3296.
Release 6.0.21
-------------
* [Python] Fix version of Python when imp module is replaced with importlib. Contributed by Grigory Ponomarenko.
* [Ubuntu] Remove packages for Ubuntu 23.10 "mantic".
* [Nginx] Upgrades preferred Nginx to 1.26.0 from 1.24.0.
* [Nginx] Switch to using PCRE2 instead of PCRE.
* [RPM] The Passenger Nginx module rpm package for EL9 (RHEL, Rocky, Alma) will now require Nginx 1.24.0 as per the policy of supporting the newest Nginx module stream available.
* [Standalone] Fixes security update checker with builtin engine.
* [Enterprise] Ability to enforce hard memory limits on application processes (`PassengerHardMemoryLimit`/`passenger_hard_memory_limit`/`--hard-memory-limit``). Unlike the soft memory limit, the hard memory limit doesn't wait for the request to finish. Useful for preventing high memory usage from taking down the entire machine or container.
* [Enterprise] Ability to throttle memory metrics collection (`PassengerAnalyticsCollectionRate`/`passenger_analytics_collection_rate`). This allows you to control the frequency that Passenger Enterprise measures the app memory use at.
* Swaps http-parser for llhttp.
* Fixes crash-watch hanging when lldb is used as the backend.
* Fixes Apache module unload crash due to not properly cleaning up all threads.
* Workaround compilation error on clang on x86_64.
* Upgrades Boost from 1.83 -> 1.85.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache: 4.6.3 -> 4.9.1
- cmake: 3.28.1 -> 3.29.3
- curl: 8.5.0 -> 8.7.1
- git: 2.43.0 -> 2.45.0
- gnupg: 2.4.3 -> 2.4.5
- libassuan: 2.5.6 -> 2.5.7
- libffi: 3.4.4 -> 3.4.6
- libgpg_error: 1.47 -> 1.49
- libksba: 1.6.5 -> 1.6.6
- libpsl: 0.21.5
- npth: 1.6 -> 1.7
- openssl: 3.2.0 -> 3.3.0
- pcre2: 10.42 -> 10.43
- pinentry: 1.2.1 -> 1.3.0
- rubygems: 3.5.4 -> 3.5.10
- zlib: 1.3 -> 1.3.1
- zstd: 1.5.5 -> 1.5.6
- rubies:
- 3.0.6 -> 3.0.7
- 3.1.4 -> 3.1.5
- 3.2.3 -> 3.2.4
- 3.3.0 -> 3.3.1
Release 6.0.20
-------------
* Upgrades Boost from 1.81 -> 1.83.
* Upgrades http-parser from 2.3.0 -> 2.9.4.
* [Ubuntu] Adds packages for Ubuntu 23.10 "mantic".
* [Python] Address use of binary strings and file reads in python3.
* [Ruby] Address use of deprecated ActiveRecord method. Closes GH-2516.
* [ARM] fix arch for apache module on Arm Macs.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- cmake: 3.27.7 -> 3.28.1
- curl: 8.4.0 -> 8.5.0
- git: 2.42.0 -> 2.43.0
- libgcrypt: 1.10.2 -> 1.10.3
- libksba: 1.6.4 -> 1.6.5
- ntbtls: 0.3.1 -> 0.3.2
- openssl: 3.1.4 -> 3.2.0
- rubygems: 3.4.21 -> 3.5.4
- s3cmd: 2.3.0 -> 2.4.0
- rubies:
- 3.2.2 -> 3.2.3
- 3.3.0
Release 6.0.19
-------------
* [Ruby] Fix compatibility with Rack 3 header array. Closes GH-2503.
* [Ruby] Preserve `SIGPROF` signal handlers. Contributed by Ivo Anjo. Closes GH-2489.
* [Python] Replaces use of imp module with importlib in Python 3. Contributed by Rongxin Liu. Closes GH-2399 and GH-2501.
* [Ubuntu] Removes packages for Ubuntu 18.04 "Bionic" (EOL June 2023).
* Fixed a memory allocation bug in the security update checker.
* [Debian] Add Debian 12 Bookworm packages. Closes GH-2488.
* [RPM] Published arm64/aarch64 rpms for EL8 & EL9 (RHEL, Rocky, Alma). Closes GH-2452.
* [ARM] Publishes prebuilt arm64/aarch64 binaries for Passenger gem installs. Closes GH-2288.
* [ARM] Fixes a regression in Passenger 6.0.7 where strict-aliasing archs (notably: aarch64 aka ARM64) builds of Passenger were always building for big-endian archs. Closes GH-2451 and GH-2419.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache: 4.6.3 -> 4.8.3
- cmake: 3.26.4 -> 3.27.7
- curl: 8.1.2 -> 8.4.0
- git: 2.41.0 -> 2.42.0
- gnupg: 2.4.2 -> 2.4.3
- libassuan: 2.5.5 -> 2.5.6
- libksba: 1.6.3 -> 1.6.4
- openssl: 3.1.1 -> 3.1.4
- rubygems: 3.4.13 -> 3.4.21
- zlib: 1.2.13 -> 1.3
Release 6.0.18
-------------
* Adds Ubuntu 23.04 "Lunar" packages, removes Ubuntu 22.10 "Kinetic" packages.
* Removes packages for Debian 9 "Stretch" (EOL June 2022).
* [RPM] Changes to building Nginx module packages for the latest supported Nginx module stream instead of the default.
* [Ruby] Makes Passenger more resilient to invalid byte sequences when loading the Ruby native extension. Contributed by Drew Wells.
* [Ruby] Add an `unhandled_exception_before_exit` event callback. Contributed by James Tomson.
* [Nginx] Upgrades preferred Nginx to 1.24.0 from 1.22.1.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- cmake: 3.25.1 -> 3.26.4
- curl: 7.87.0 -> 8.1.2
- git: 2.39.0 -> 2.41.0
- gnupg: 2.4.0 -> 2.4.2
- libgcrypt: 1.10.1 -> 1.10.2
- libgpg_error: 1.46 -> 1.47
- openssl: 3.0.7 -> 3.1.1
- rubygems: 3.4.3 -> 3.4.13
- zstd: 1.5.2 -> 1.5.5
- rubies:
- 2.7.7 -> 2.7.8
- 3.0.5 -> 3.0.6
- 3.1.3 -> 3.1.4
- 3.2.0 -> 3.2.2
Release 6.0.17
-------------
* [Enterprise] The `debug` gem is now supported for debugging on Ruby 3.1.
* Removed use of deprecated 'File.exists?' method for Ruby 3.2.0.
* Upgrades Boost to 1.81.
* Upgrades preferred Nginx to 1.22.1 from 1.20.2.
* Changes minimum supported macOS version to 10.14 Mojave.
* Adds support for a `PASSENGER_MAX_LOG_LINE_LENGTH_BYTES` environment variable. The default length remains at 8KB. Closes GH-2413.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- curl: 7.86.0 → 7.87.0
- git: 2.38.1 → 2.39.0
- gnupg: 2.3.8 → 2.4.0
- libksba: 1.6.2 → 1.6.3
- openssl: 1.1.1s → 3.0.7
- rubygems: 3.3.26 → 3.4.3
- rubies: added 3.2.0
Release 6.0.16
-------------
* Adds ARM64 (aarch64) packages for Ubuntu and Debian.
* Adds Ubuntu 22.10 "Kinetic" packages, removes Ubuntu 16.04 "Xenial" packages.
* Adds systemd private tmpdir workaround on Ubuntu/Debian. Closes GH-2397.
* Downgrade jsoncpp to 1.8.1 from 1.9.5 to fix invalid json generation bug. Closes GH-2445.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- cmake: 3.24.2 → 3.25.1
- curl: 7.85.0 → 7.86.0
- git 2.37.3 → 2.38.1
- gnupg: 2.3.7 → 2.3.8
- libgpg_error 1.45 → 1.46
- libksba 1.6.1 → 1.6.2
- openssl: 1.1.1q → 1.1.1s
- rubygems 3.3.22 → 3.3.26
- s3cmd 2.2.0 → 2.3.0
- zlib: 1.2.12 → 1.2.13
- rubies:
- 2.7.6 → 2.7.7
- 3.0.4 → 3.0.5
- 3.1.2 → 3.1.3
Release 6.0.15
-------------
* Restore ability to build against upstream libev. Contributed by Antonio Terceiro. Closes GH-1544.
* Improve rvm gemset detection. Closes GH-2420.
* Fix watchdog error on disable-log-prefix flag. Contributed by Paul Hanyzewski. Closes GH-2363.
* Upgrades Boost to 1.80.
* Fixed compilation on some platforms by explicitly using the stl queue. Closes GH-2440.
* Raise an error in case rack gets an ENOBUFS error. Contributed by Mathieu Jobin.
* Fixes interaction between preload bundler option and setenv RUBYOPT option. Closes GH-2424.
* Add rpm packages for el9 (RHEL, Rocky, Alma). Closes GH-2431.
* Upgrade jsoncpp to 1.9.5.
* Improve Solaris support for 11.3 & 11.4.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache: 4.6 → 4.6.3
- cmake: 3.23.1 → 3.24.2
- curl: 7.82.0 → 7.85.0
- git: 2.36.0 → 2.37.3
- gnupg: 2.3.5 → 2.3.7
- libiconv: 1.16 → 1.17
- libksba: 1.6.0 → 1.6.1
- openssl: 1.1.1n → 1.1.1q
- pinentry: 1.2.0 → 1.2.1
- rubygems: 3.3.12 → 3.3.22
Release 6.0.14
-------------
* Removes use of rexml in passenger restart command, because it was removed from Ruby 3. Closes GH-2415.
* Adds Ubuntu 22.04 "Jammy" packages, and removes Ubuntu 21.10 "Impish" packages.
* Fixes a use after free regression introduced in 6.0.12.
* Fixed a warning about ERB.new argument deprecation in Ruby 3.1. Closes GH-2417.
* Removed google apis from error pages for easier GDPR compliance.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- cmake 3.22.3 → 3.23.1
- git 2.35.1 → 2.36.0
- gnupg 2.3.4 → 2.3.5
- libgcrypt 1.9.4 → 1.10.1
- libgpg_error 1.44 → 1.45
- ntbtls 0.3.0 → 0.3.1
- rubygems 3.3.9 → 3.3.12
- zlib 1.2.11 → 1.2.12
- ruby
- 2.6.9 → 2.6.10
- 2.7.5 → 2.7.6
- 3.0.3 → 3.0.4
- 3.1.1 → 3.1.2
Release 6.0.13
-------------
* Add WASM mime type, Closes GH-2398.
* Fix compilation on FreeBSD 13. Closes GH-2402.
* [Ruby] Fixes app process crash when ECONNRESET received.
* Fix automated fetching of pcre source for installer scripts.
* Bump preferred nginx 1.20.1 → 1.20.2.
* [Ruby] Add option to preload bundler. Closes GH-2409.
- Apache: PassengerPreloadBundler
- Nginx: passenger_preload_bundler
- Standalone: --preload_bundler
* [Node] Suppresses the winston circular dependency warning.
* [RPMs] EL8 RPMs are now built on Rocky linux, and should be compatible with Alma, Rocky, CentOS, and RHEL.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache 4.4.2 → 4.6
- cmake 3.21.4 → 3.22.3
- curl 7.79.1 → 7.82.0
- git 2.33.1 → 2.35.1
- gnupg 2.3.3 → 2.3.4
- libgpg_error 1.42 → 1.44
- ntbtls 0.2.0 → 0.3.0
- openssl 1.1.1l → 1.1.1n
- rubygems 3.2.30 → 3.3.9
- zstd 1.5.0 → 1.5.2
- ruby
- dropped 2.4.10
- dropped 2.5.9
- 2.6.8 → 2.6.9
- 2.7.4 → 2.7.5
- 3.0.2 → 3.0.3
- added 3.1.1
Release 6.0.12
-------------
* [Debian] Fix compilation on 32 bit arm. Contributed by Antonio Terceiro.
* [Debian] Add Bullseye Debian packages.
* Add formatted error messages to responses. Contributed by Mohammad Aboelnour.
* Fixes for running under WSL 1. Contributed by Luke Pearce. Closes GH-2036.
* Upgrades Boost to 1.77. To go along with 32 bit arm fix.
* [MacOS] Fixes autodetection of openssl lib on apple silicon. Contributed by Taketo Takashima. Closes GH-2389.
* Reconnect to mongoid databases after fork, like we do for ActiveRecord. Contributed by Mohammad Aboelnour.
* [Ubuntu] add missing apache name in instance registry dir detection.
* [Ubuntu] replace hirsute apt packages with impish.
* [Nginx] add new config option to choose the status code returned when application spawning fails. (passenger_spawn_exception_status_code).
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache: 4.4.1 → 4.4.2
- cmake: 3.21.2 → 3.21.4
- curl: 7.78.0 → 7.79.1
- git: 2.33.0 → 2.33.1
- gnupg: 2.3.2 → 2.3.3
- rubygems: 3.2.27 → 3.2.30
- s3cmd: 2.1.0 → 2.2.0
Release 6.0.11
-------------
* Fix compilation on GCC 4.4, fixes a regression in 6.0.8 where Passenger would no longer compiler without a C++11 compiler.
* [CentOS] Fix version detection on CentOS Stream. Contributed by Taketo Takashima. Closes GH-2377.
* [MacOS] Additionally look for PCRE in the new location that Homebrew has split it's packages into.
* Fix compilation on GCC < 4.5.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache: 4.3 → 4.4.1
- cmake: 3.20.5 → 3.21.2
- curl: 7.77.0 → 7.78.0
- git: 2.32.0 → 2.33.0
- gnupg: 2.3.1 → 2.3.2
- libgcrypt: 1.9.3 → 1.9.4
- openssl: 1.1.1k → 1.1.1l
- pinentry: 1.1.1 → 1.2.0
- rubygems: 3.2.21 → 3.2.27
- rubies:
- 2.6.7 → 2.6.8
- 2.7.3 → 2.7.4
- 3.0.1 → 3.0.2
Release 6.0.10
-------------
* [Debian/Ubuntu] Fix a regression in `passenger_system_ruby` where Ruby 3 couldn't be found.
* [CentOS/RHEL] Bump rpm nginx dependency to match EPEL nginx (was 1.16.1 now 1.20.1). Closes GH-2364.
* [Nginx] The preferred PCRE version is now 8.45 (previously 8.44).
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- cmake 3.20.3 → 3.20.5
- git 2.31.1 → 2.32.0
- libksba 1.5.1 → 1.6.0
- rubygems 3.2.19 → 3.2.21
- pcre 8.44 → 8.45
Release 6.0.9
-------------
* Upgrades Boost to 1.76. Fixes a regression where some boost headers for comatibility with older distros were missing.
* Make building on Apple Silcon using homebrew openssl work. Contributed by TheBerg.
* Add Support for Ubuntu Hirsute.
* Remove prebuilt packages for Ubuntu Groovy.
* Properly support HTTP 418. Contributed by Thomas Pfister.
* Fix several C++ warnings about implicit copy operators/constructors.
* Bump preferred nginx 1.18.0 → 1.20.1.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache 4.2 → 4.3
- cmake 3.19.7 → 3.20.3
- curl 7.75.0 → 7.77.0
- git 2.31.0 → 2.31.1
- gnupg 2.2.27 → 2.3.1
- libgcrypt 1.9.2 → 1.9.3
- libksba 1.5.0 → 1.5.1
- ntbTLS added → 0.2.0
- zlib 1.4.9 → 1.5.0
- rubygems 3.2.15 → 3.2.19
- ruby:
- 2.3.8 → removed
- 2.5.8 → 2.5.9
- 2.6.6 → 2.6.7
- 2.7.2 → 2.7.3
- 3.0.0 → 3.0.1
Release 6.0.8
-------------
* [Apache] Fixes crash when restarting Apache on CentOS 8. Closes GH-2318.
* [Standalone] fix abort websockets on shutdown. Closes GH-2211.
* Fixes application process titles. They are now properly set to something like "Passenger RubyApp: ..." instead of "Passenger AppPreloader: ... (forking)".
* Upgrades Boost to 1.74.
* Allow passenger-status to detect passenger instance registry dir when systemd PrivateTmp dir is in use.
* Reduce the likelihood of a crash when using systemd PrivateTmp dir with Apache.
* Removed CentOS 6, and Debian Jessie prebuilt binaries and packages. Both are EOL.
* No-longer build 32 bit prebuilt binaries, as HBB dropped support.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache_version: 4.0 → 4.2
- cmake_version: 3.18.4 → 3.19.7
- curl_version: 7.73.0 → 7.75.0
- git_version: 2.29.1 → 2.31.0
- gnupg_version: 2.2.23 → 2.2.27
- libassuan_version: 2.5.4 → 2.5.5
- libgcrypt_version: 1.8.7 → 1.9.2
- libgpg_error_version: 1.39 → 1.42
- libksba_version: 1.4.0 → 1.5.0
- openssl_version: 1.1.1h → 1.1.1k
- pinentry_version: 1.1.0 → 1.1.1
- rubygems_version: 3.1.4 → 3.2.15
- zstd_version: 1.4.5 → 1.4.9
- ruby_versions + 3.0.0
Release 6.0.7
-------------
* Addresses regression introduced in 6.0.5 when attempting to establish database connection after fork and activerecord is not configured in the expected way. Closes GH-2281.
* Addresses regression introduced in 5.1.5 where hook scripts would fail to run. As a result the PASSENGER_ERROR_PAGE and PASSENGER_CONFIG_MANIFEST env vars have been removed from the passenger hook script environment.
* Match static rails assets on 8-digit content hash. Contributed by @mattozinga.
* Allow skipping the Apache/Nginx sections of the `passenger-memory-stats` output, through the `--no-apache` and `--no-nginx` commandline options. Closes GH-2306. Contributed by Saverio Miroddi (@saveriomiroddi).
* Fixes an issue where `passenger-memory-stats` would throw an error if a process went away while it was running. Closes GH-2305.
* Fixes a formatting issue with apr-1 include flags on macOS.
* Fixes a warning about BOOST_*_ENDIAN macros being deprecated by migrating to new suggested macros.
* Fixes an occasional issue with the node loader where the startup handshake would fail to record progress.
* Adds an option for specifying the address to bind ruby apps to, for sending requests directly to specific app instances:
- Standalone: direct_instance_request_address
- Nginx: passenger_direct_instance_request_address
- Apache: PassengerDirectInstanceRequestAddress
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache: 4.0 (was: 3.7.10)
- curl: 7.73.0 (was: 7.71.1)
- git: 2.29.1 (was: 2.27.0)
- gnupg: 2.2.23 (was: 2.2.21)
- libgpg_error: 1.39 (was: 1.38)
- ruby: 2.7.2 (was: 2.7.1)
- libassuan 2.5.4 (was: 2.5.3)
- libgcrypt 1.8.7 (was 1.8.6)
- OpenSSL 1.1.1h (was 1.0.2u)
Release 6.0.6
-------------
* Update gemspec with up to date metadata.
* Reverts the addition of the 'etc' gem to the Passenger gemspec, because it broke on normal ruby installs. Closes GH-2283.
* Builds Ubuntu focal Nginx dynamic module package against Nginx 1.18.0. Closes GH-2291.
* No longer providing prebuilt Ruby 2.1 or 2.2 binaries, they have been EOL for years and rubygems no longer supports them.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache 3.7.10 (was 3.7.9)
- Curl 7.71.1 (was 7.69.1)
- Git 2.27.0 (was 2.26.2)
- GnuPG 2.2.21 (was 2.2.20)
- libgpg_error 1.38 (was 1.37)
- libgcrypt 1.8.6 (was 1.8.5)
- RubyGems 3.1.4 (was 3.0.8)
Release 6.0.5
-------------
* [Enterprise] Fixed a regression (introduced in 5.0.0) where Flying Passenger could not update the Passenger configuration. Closes GH-1554.
* Adds Ubuntu 20.04 "Focal" packages, and removes Ubuntu 19.04 "Disco" packages.
* Adds RHEL / CentOS 8 packages.
* [Nginx] Converts CentOS 7 packages to provide a dynamic module instead of a full Nginx install.
* Fixes the encoding name for xml output from the `passenger-status --show=xml` command. Closes GH-2248.
* Adds the 'etc' gem as an explicit dependency. Closes GH-2124.
* Adds a user agent to the passenger pre-spawn script. Closes GH-1534.
* Fixes a compilation issue on FreeBSD. Closes GH-2240.
* Fixes an issue where rack bodies may not be processed correctly.
* Improves the database reconnection speed in forked processes. closes GH-2253.
* [Nginx] Adds a config option `passenger_temp_path` to set the path used for the disk backed response cache. Re-Closes GH-2075.
* [Apache] Protects the path info and script name passed to the app from modifications done by mod_security. Closes GH-2198.
* Ensures baseuri is set per request, even if config is loaded from cache. Closes GH-2117.
* Make temp dir toucher cleanup code more resilient to permissions issues.
* [Nginx] Bumps the preferred Nginx version to 1.18.0 (previously 1.17.3).
* [Nginx] The preferred PCRE version is now 8.44 (previously 8.43).
* Removed deprecated rubyforge gemspec property. Contributed by @olleolleolle.
* Adds an option for specifying the attributes on the sticky session cookie:
- Apache: PassengerStickySessionsCookieAttributes "SameSite=Lax; Secure;"
- Nginx: passenger_sticky_sessions_cookie_attributes "SameSite=Lax; Secure;"
- Standalone: --sticky-sessions-cookie-attributes "SameSite=Lax; Secure;"
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- ccache 3.7.9 (was 3.7.3)
- Curl 7.69.1 (was 7.66.0)
- Git 2.26.2 (was 2.23.0)
- GnuPG 2.2.20 (was 2.2.17)
- libgpg_error 1.37 (was 1.36)
- OpenSSL 1.0.2u (was 1.0.2t)
- PCRE 8.44 (was 8.43)
- s3cmd 2.1.0 (was 2.0.2)
- RubyGems 3.0.8 (was 3.0.6)
- Rubies:
- 2.4.6 -> 2.4.10
- 2.5.5 -> 2.5.8
- 2.6.3 -> 2.6.6
+ 2.7.1
Release 6.0.4
-------------
* Adds Debian 10 "Buster" packages.
Release 6.0.3
-------------
* Add an option to specify the spawn dir during startup, which is specifically useful for CageFS users. Contributed by @plmnikulin. Closes GH-2145.
- Apache: `PassengerSpawnDir`
- Nginx: `passenger_spawn_dir`
* [Nginx] Bumps the preferred Nginx version to 1.17.3 (previously 1.15.8).
* [Nginx] The preferred PCRE version is now 8.43 (previously 8.42).
* Adds Ubuntu 19.04 "Disco" packages, and removes Ubuntu 18.10 "Cosmic" and Ubuntu 14.04 "Trusty" packages.
* Changes minimum supported macOS version to 10.12 Sierra.
* Improves container detection and fixes a compilation warning in GCC 8+. Closes GH-2186.
* Allowed externally specifying an app instance to send a request to. Contributed by Mark R. James (@mrj).
* Fixed an incompatibility with sending requests to specific app instances, when using the rails web-console gem. Contributed by Mark R. James (@mrj).
* Fixed a regression (introduced in 5.1.9) where some hooks were not called. Closes GH-2103. Contributed by Mark R. James (@mrj).
* Fixes compilation with clang 8 (latest macOS update) by updating vendored boost library from 1.67 to 1.69.
* Reverts a regression intruduced in 6.0.2 where Passenger would crash if it had to use the disk backed response cache. Closes GH-2189.
* [Nginx] Adds an option `passenger_buffer_upload` to allow buffering uploaded data in Passenger before forwarding it to the app. As a workaround for apps that cannot handle chunked data.
* [Enterprise] When using deferred port binding, no longer binds port if all apps do not start up.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- PCRE 8.43 (was 8.42)
- Curl 7.65.1 (was 7.64.0)
- ccache 3.7.3 (was 3.6)
- Git 2.22.0 (was 2.20.1)
- OpenSSL 1.0.2s (was 1.0.2q)
- RubyGems 3.0.6 (was 3.0.2)
- GnuPG 2.2.16 (was 2.2.13)
- libgcrypt 1.8.5 (was 1.8.4)
- libgpg_error 1.36 (was 1.35)
- libiconv 1.16 (was 1.15)
- Ruby:
- 2.4.5 -> 2.4.6
- 2.5.3 -> 2.5.5
- 2.6.1 -> 2.6.3
Release 6.0.2
-------------
* Allow compilation to work when Apple messed up their system ruby headers.
* Only try to read pid 1's /proc files as root, in container detection. Closes GH-2168.
* Add an option to disable prefixing application logs with "App PID stdout". Contributed by Ian Kottman. Closes GH-1915.
- Apache: `PassengerDisableLogPrefix`
- Nginx: `passenger_disable_log_prefix`
* Add support for identifying the Passenger instance by PID. Closes GH-2146. Contributed by Saverio Miroddi (@saveriomiroddi).
* [Ruby] Made Passenger more resiliant to Rack bugs. Closes GH-2150.
* [Nginx] Do not touch Nginx's proxy_temp_path var in Passenger's nginx modules. Closes GH-2075. Contributed by Roman Berestnikov-Sivolov (@ROMB).
* Updated Ruby versions used in precompiled binaries (used for e.g. gem installs) to include 2.6.1.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- Curl: 7.64.0 (was: 7.63.0)
- Ruby: 2.6.1 (was: 2.6.0)
- RubyGems 3.0.2 (was: 3.0.1)
- ccache 3.6 (was: 3.5)
- GnuPG 2.2.13 (was: 2.2.12)
- libassuan 2.5.3 (was: 2.5.2)
- libgpg_error 1.35 (was: 1.33)
Release 6.0.1
-------------
* Adds Ubuntu 18.10 "Cosmic" packages.
* Skips trying to set oom score in LXC container environments. Closes GH-2143.
* Fixes an issue during the GLS startup handshake where ephemeral ports could be exhausted. Closes GH-2144.
* Updated Ruby versions used in precompiled binaries (used for e.g. gem installs) to include 2.5.3, and 2.4.5 (removed: 2.4.4).
* Bumps the preferred Nginx version to 1.15.8.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- Curl: 7.62.0 -> 7.63.0
- Git: 2.19.2 -> 2.20.1
- Gnupg: 2.2.11 -> 2.2.12
- libassuan: 2.5.1 -> 2.5.2
- libgpg_error: 1.32 -> 1.33
- Ruby: 2.4.4 -> 2.4.5, + 2.5.3
- RubyGems: 2.7.6 -> 3.0.1
Release 6.0.0
-------------
* Introduces support for *all* programming languages. Yes that's right... Java, Elixir, Go — Passenger now supports them all! This effort is called "generic language support".
* Bumps the preferred Nginx version to 1.15.7.
* Introduces anonymous usage telemetry, which helps us improve Passenger. Please read the docs on what data is collected and how to disable this.
* [Nginx] Introduces a new option "passenger_request_buffering on|off", to allow disabling request body buffering. This is only supported in Nginx >= 1.15.3. Closes GH-2121.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- OpenSSL: 1.0.2q (was: 1.0.2p)
- libcurl: 7.62.0 (was: 7.61.1)
- Ruby: 2.3.8 (was: 2.3.7)
Release 5.3.7
-------------
* Fixes package installation issues on Ubuntu 18.04. These issues were caused by an update released by Ubuntu on the nginx-common package. Closes GH-2122, GH-2140.
* Fixes compilation problems and warnings with GCC 8.2. Tested on Alpine Linux edge 2018-11-05. Closes GH-2139.
* Fixes compatibility with libcurl 7.62.0. Contributed by Po-Chuan Hsieh (@sunpoet).
* Changes minimum supported macOS version to 10.11 El Capitan.
* Removes packages for Ubuntu 17.10 Artful.
Release 5.3.6
-------------
* Fixes smart spawning. A regression in 5.3.5 (due to a refactoring) made it so that Passenger only used the direct spawning method. This issue was mostly noticeable in the form of increased process spawning times between 5.3.4 and 5.3.5.
* Fixes Passenger Core and application processes staying on the Watchdog's OOM score (unkillable). Closes GH-2105.
* Fixes "mach_vm_map failed" warnings on macOS >= High Sierra. These warnings were harmless, but annoying. Closes GH-2101.
* Fixes `passenger-config compile-agent` compilation with optimizations. The optimization flags were not properly passed to the compiler.
* Fixes a crash that could occur when HTTP clients send a chunked transfer-encoding body containing a chunk larger than 429496729 bytes.
* Improves detection of the system Apache's include headers on macOS High Sierra and later.
* Fixes RVM gemset detection on RVM 1.29.
* No longer supplies precompiled Ruby extensions for Ruby 1.9.3 and 2.0.0. When running Ruby 1.9.3 and 2.0.0, Passenger will attempt to compile from source instead.
Release 5.3.5
-------------
* Fixes Ubuntu 18.04 package installation problems due to Nginx version mismatch. Closes GH-2122.
* Improves usability of crash reports. Crash reports are no longer dumped in one big chunk to stderr. Instead, they are now dumped into multiple files, making it easy to inspect relevant reports.
* Fixes some crashes that only occur with log level 7.
* Downloads binaries from the newly-introduced Github mirror. This improves the reliability of binary downloads.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- OpenSSL: 1.0.2p (was: 1.0.2o)
- libcurl: 7.61.1 (was: 7.60.0)
Release 5.3.4
-------------------------------
* Fixes a crash during startup on FreeBSD 11.2 and recent OpenBSD versions due to C++11 compatibility issues in the code. Closes GH-2097.
* Updates Boost to version 1.67.0.
* [Apache] Fixes the handling of HTTP requests with chunked bodies in combination with `PassengerBufferUploads off`. Closes GH-2102.
Release 5.3.3
-------------
* [Apache, Nginx] Fixes the passenger-install-*-module scripts. (Regression in 5.3.2) Closes GH-2093.
* [Nginx] Fixed nginx module building on CentOS 6. Closes GH-2081. Thanks to defanator for contributing this.
Release 5.3.2
-------------
This release contains many security updates. Users are advised to upgrade as soon as possible. See our blog for more information on the vulnerabilities.
* [Nginx] Fixes CVE-2018-12029, a local privilege escalation vulnerability in the Nginx module that occurs when `passenger_instance_registry_dir` is configured to a directory with insufficiently strict permissions.
* Fixes CVE-2018-12026, 12027, and 12028. These are local denial of service, local information disclosure and local privilege escalation vulnerabilities that could be exploited by malicious applications or malicious users on the system.
* Updated various library versions used in precompiled binaries (used for e.g. gem installs):
- OpenSSL (Linux only): 1.0.2o (was: 1.0.2k; on macOS it was already 1.0.2o)
- GeoIP: 1.6.12 (was: 1.6.11)
- libcurl: 7.60.0 (was: 7.56.1)
* Fixes Meteor support in non-bundled mode (regression from 5.3.0). Closes GH-2082.
* Fixes the fact that the error page (which is shown when an app fails to spawn) sometimes contains unsufficient analysis details about the app.
* [Apache] Fixes PassengerMaxInstancesPerApp not being respected (regression from config refactor in 5.2.0). Closes GH-2059.
* [Enterprise, Apache] Fixes PassengerMaxInstances not being respected (regression from config refactor in 5.2.0).
* [Enterprise] Fixes passenger-irb being unable to connect to an app process (regression from 5.3.0). Closes GH-2087.
Release 5.3.1
-------------
* Fixes a regression from 5.3.0: a crash that occurs if the user that an application should run under, does not have a shell configured. Closes GH-2078.
* Fixes a regression from 5.3.0: setting supplementary group IDs during user switching. Closes GH-2077.
Release 5.3.0
-------------
* Adds Ubuntu 18.04 "Bionic" packages.
* Removes packages for Debian 7 "Wheezy" (EOL May 2018).
* Vastly improves spawning error page: quick overview of where the problem is, and the option to drill down in extensive troubleshooting information.
* Fuse Panel support: fixes a crash that occurs when you shut down Passenger right after it fails to connect to Fuse Panel.
* [Nginx] Updates the preferred Nginx version to 1.14.0 (from 1.12.2).
* [Apache] Updates the recommended package for apache dev headers on debian >= 9.4. Closes GH-2048.
* [Enterprise] Fix licensing proxy warning to refer to licensing_proxy_url instead of licensing_proxy.
* [Enterprise] Add new `PassengerAppLogFile` (Apache) / `passenger_app_log_file` (Nginx) config option to specify a file for app-specific logs. Closes GH-1279.
Release 5.2.3
-------------
* Fuse Panel support: fixes a few bugs with handling small log files and with apps that don't output any messages.
* Python app support: fixes a Python 3 compatibility issue w.r.t. writing data over the socket.
* macOS support: fixes a crash in the `passenger-config compile-nginx-engine` command which only occurs on macOS >= 10.13. This crash was caused by a missing `require` call in our code, and affects users who compile Passenger from source, e.g. users of the Passenger Enterprise Homebrew formula.
* Fixes a small memory corruption issue (dangling pointer) in the ApplicationPool subsystem.
* Improves support for the $TMPDIR environment variable by removing leftover hardcoded references to /tmp. Closes GH-2052.
* Updated PCRE version to 8.42 (was: 8.41) across the board.
Release 5.2.2
-------------
* Adds an option for dumping the web server config manifest to a given file: `PassengerDumpConfigManifest` (Apache) / `passenger_dump_config_manifest` (Nginx). This option is mostly useful for Passenger developers.
* [Nginx] Fixes support for configurations that have two `passenger_base_uri` options in a single virtual host, without corresponding `passenger_app_group_name` and `passenger_app_root` directives. Closes GH-2043.
* [Enterprise] Improved support for RAM-based pricing on Heroku (now using officially recommended memory limit reporting via CGROUP).
* (added in CHANGELOG after release) Four new options to connect to the new Fuse Panel: admin_panel_url, admin_panel_auth_type, admin_panel_username, admin_panel_password
* (added in CHANGELOG after release) Updated OpenSSL version used in precompiled binaries (used for e.g. gem installs) to 1.0.2o (was: 1.0.2m).
Release 5.2.1
-------------
* Fixes a regression from 5.1.11 that prevented Passenger from compiling on FreeBSD in some cases. Closes GH-2031.
* Fixes a bounds issue in printing an error message that could occur in some cases when spawning a child process fails. Issue was present from 5.1.11.
* Fixes a regression from 5.2.0 which prevented setting the max pool idle time to 0. Closes GH-2020.
* Warns if using an incompatible compiler on macOS < 10.13. Closes GH-2017.
* No longer uses Security Framework on macOS 10.13+. This will prevent further keychain warnings from appropriately compiled Passengers.
* Fixes warning on macOS about /proc/self access (excluded some code that was intended only for Linux).
* `passenger-install-nginx-module` now downloads the preferred Nginx version via https. Thanks to smiba for pointing this out.
* [Apache] Fixes a regression from 5.2.0 that caused a crash on startup when no top-level ServerName is set. Closes GH-2029.
* [Enterprise] Adds support for using RAM-based pricing on Heroku.
Release 5.2.0
-------------
* [Apache] Breaking change: to avoid configuration ambiguity, options that act on a per-process level (rather than per-request level) can no longer be used in .htaccess. See the Passenger Library -> configuration -> intro for more info (https://www.phusionpassenger.com/library/config/apache/intro.html#global-per-application-and-per-request-options).
* [Apache] Breaking change: the option PassengerResolveSymlinksInDocumentRoot has been removed (old Passenger 2 compatibility option, see PassengerAppRoot for new method).
* [Apache] Option handling has been refactored to avoid silent conflicts and errors: warnings are now generated for global config options in <VirtualHost> (they conflict between VHosts) and per-application options in <Files>, <FilesMatch> and <If> (silently failed before).
* [Apache] Fixes compilation issues on some systems with macOS 10.13 High Sierra (in addition to the fixes from 5.1.11).
* [Enterprise] Fixes two unnecessary warnings about failure to contact the licensing server, one occurring since version 5.1.8 ("3 days out of contact"), the other since 5.1.11 + Apache ("failure to contact").
* [Nginx] Fixes the default for the `passenger_app_group_name` to start with the `passenger_app_root` rather than the document root (the end remains the same: `passenger_app_env`).
* [Standalone] Adds command line support for `start_timeout` in Passenger Standalone (also removes unnecessary warning when using it in `Passengerfile.json`).
* [Standalone, Nginx] Waits for Nginx to exit before cleaning up temp dir (started happening more since the switch to Nginx graceful shutdown in 5.1.6). Closes GH-1970.
* Deprecated options for Union Station.
* Ruby 2.5 compatibility: handle case where an exception's backtrace may be nil. Closes GH-2011.
* Adds JSON mime type for static file serving. Closes GH-2018.
* Removes packages for Ubuntu 17.04 "Zesty" (EOL 13-jan-2018).
Release 5.1.12
--------------
* Changes the Debian/Ubuntu install script to completely restart Apache upon upgrade. This prevents issues due to a "half upgraded" state (old Passenger Apache module + new Passenger core). Closes GH-2000.
* Adds Ubuntu 17.10 "Artful" packages.
* Fixes a case in which -- when Passenger is configured with user switching turned off -- it is unable to open the web server log file and aborts during startup. This regression was introduced in 5.1.8. Closes GH-1990.
* [Nginx] The preferred Nginx version is now 1.12.2
* [Nginx] The preferred PCRE version is now 8.41 (previously 8.39).
* [Standalone] Adds support for using `start_timeout` in Passengerfile.json.
* [Enterprise] Uses libuv to detect total system RAM, allows for compilation on pre-10.11 macOS.
* [Enterprise] Added a max request queue time option, to limit time requests spend in the request queue. Closes GH-1688.
* Updated libcurl version used in precompiled binaries (used for e.g. gem installs) to 7.56.1 (was: 7.54.1).
* Updated OpenSSL version used in precompiled binaries (used for e.g. gem installs) to 1.0.2m (was: 1.0.2l).
* Updated PCRE version used in precompiled binaries (used for e.g. gem installs) to 8.41 (was: 8.40).
* Updated Ruby versions used in precompiled binaries (used for e.g. gem installs) to include 2.1.10, 2.2.8, 2.3.5, and 2.4.2 (removed: 2.1.9, 2.2.7, 2.3.4, and 2.4.1).
Release 5.1.11
--------------
* [Apache] Fixes a race condition (segfault) on startup, which primarily affected macOS hosts (regression in 5.1.8 due to the logging improvements). Closes GH-1973.
* [Apache] Fixes compilation on macOS 10.13 High Sierra.
* [Nginx] It is now allowed to specify `passenger_enabled` in the `http` context as well.
* [Nginx] Namespaced Jsoncpp under the Passenger namespace to avoid collisions with Google Pagespeed's copy when linked into Nginx.
* [Standalone] Enables HTTP/2 support in the Nginx template. Support is only active if SSL is used, to avoid potential issues with HTTP/2 on HTTP ports. Closes GH-1945.
* [Enterprise, Standalone] Adds a new feature that is especially useful on Heroku: deferred port binding. When `--defer-port-binding` is set, Passenger does not listen on the given port until the application has finished spawning. If the application starts slowly then this mechanism can prevent the Heroku request timeout from killing the dyno (the boot timeout still applies).
* [Enterprise, Standalone] Fixes duplicate warnings when Passengerfile.json contains errors.
* [Standalone] `passenger start` now accepts the `--start-timeout` configuration option.
* Adds support for Bundler 2.0's new `gems.rb` and `gems.locked`. Learn more about these in [Gemfile's new clothes](https://depfu.com/blog/2017/09/06/gemfiles-new-clothes). Closes GH-1982.
* Removes Debian packages for Ubuntu 12.04 Precise.
* Fixes compilation warnings on macOS + Clang 9.0.
* Introduces a new check that logs a vulnerability warning if Passenger is run with root permissions while the directory permissions of (parts of) its root dir allow modifications by non-root users.
* Fixes an arbitrary file read vulnerability (if Passenger is running as root and the attacker has access to a user account that hosts an application).
Release 5.1.10
--------------
* This was an Enterprise-only hotfix release (no changes in Passenger Open Source).
Release 5.1.9
-------------
* This was an Enterprise-only hotfix release (no changes in Passenger Open Source).
Release 5.1.8
-------------
* Introduces a shorter and more informative log format. The new format significantly shortens the thread ID, and includes the message's log level (critical, error, warning, notice, etc) so that users can more easily filter out uninteresting messages.
* [Nginx] The Phusion Nginx APT package is upgraded to Nginx version 1.12.1 (previously pinned at 1.10.3 while waiting for a compatible lua module release).
* [Standalone] Automatically uses Nginx to serves static asset URLs that conform to the [webpacker](https://github.com/rails/webpacker) gem's format. Closes GH-1966.
* [Standalone] If configured to listen on a Unix domain socket, properly cleans up this socket on Nginx shutdown. Fixes a regression from 5.1.6. Closes GH-1969.
* [Standalone] Fixes the `--max-requests` option when using the builtin engine. Fixes a regression from 5.1.4.
* [Enterprise] Fixes a potential use-after-free bug when reporting usage data to the Phusion licensing server. This bug only occurs when Passenger Enterprise is running inside a container.
Release 5.1.7
-------------
* Fixes compilation problems on some systems.
* Upgrades the JSON parser (json-cpp) to version 1.8.1. This makes parsing slightly faster, adds various security checks and fixes some JSON generation issues.
* [Enterprise] Fixes an SSL certificate issue in the license usage data reporter, which only occurs when Passenger Enterprise installed from gem or tarball. The license usage data reporter now searches for the correct system CA path.
* [Enterprise] Fixes a potential use-after-free bug when reporting usage data to the Phusion licensing server, and improves reliability of usage data recording.
Release 5.1.6
-------------
* Fixes a typo that causes a looping crash when long security update information is sent by the server. In practice we will keep the messages shorter to avoid triggering this until there has been ample time to upgrade.
* Fixes unnecessary process respawn if it was detached and min_instances is set to 0. Closes GH-1735.
* Introduces APT packages for Debian 9 "Stretch", with Passenger built as dynamic module. Closes GH-1960.
* Changes APT packages for Ubuntu 17.04 "Zesty" from static to dynamic module.
* [Standalone] Now uses graceful shutdown for the Nginx engine under the hood (requested as part of GH-1598). Thanks to PikachuEXE for contributing this.
* [Standalone] Fixes a memory corruption issue in the builtin engine. The issue was introduced in 5.1.5 (settings handling refactoring).
* [Standalone] Cleanup the temp dir before aborting when startup cannot continue, e.g. when Passenger is already running. Closes GH-1953.
* Fixes WSGI crash with Python 3 and non-ASCII characters in headers or the URL. Closes GH-1935. Thanks to n4nn31355 for the assistance.
* [Nginx] The preferred Nginx version is now 1.12.1 (previously 1.10.3), except for the Phusion Nginx APT package, which is pinned at 1.10.3 until an 1.12.x compatible lua module becomes available.
* [Nginx] Fixes CVE-2017-7529, an integer overflow vulnerability in the Nginx range filter module. This is accomplished by upgrading to Nginx 1.12.1, or applying the patch (Phusion Nginx APT package).
* Updated libcurl version used in precompiled binaries (used for e.g. gem installs) to 7.54.1 (was: 7.54.0).
* Updated OpenSSL version used in precompiled binaries (used for e.g. gem installs) to 1.0.2l (was: 1.0.2k).
* Updated GeoIP version used in precompiled binaries (used for e.g. gem installs) to 1.6.11 (was: 1.6.9).
* Updated PCRE version used in precompiled binaries (used for e.g. gem installs) to 8.40 (was: 8.39).
* Adds support for building with MacPorts' OpenSSL. Closes GH-1959.
Release 5.1.5
-------------
* Updated Boost to version 1.64.0, which fixed a compilation issue on certain Gentoo based setups. Closes GH-1942.
* Improved the error message shown when an app fails to start in time.
* [Apache] Remove option to configure PassengerAppGroupName from .htaccess because, assuming AllowOverride Options is set, malicious users (having an account on the same server) can sometimes collide app group names of other users and capture their traffic.
* Major internal refactoring of settings handling, to prepare for supporting settings changes without restart.
Release 5.1.4
-------------
* Updated zlib version used in building precompiled binaries (used for e.g. gem installs) to 1.2.11 (was: 1.2.8).
* Updated openssl version used in building precompiled binaries (used for e.g. gem installs) to 1.0.2k (was: 1.0.2j).
* Updated curl version used in building precompiled binaries (used for e.g. gem installs) to 7.54.0 (was: 7.51.0).
* Added support for rbenv when building precompiled binaries (passenger_binary_build_automation submodule).
* Fixes issue when building precompiled binaries (used for e.g. gem installs) found in release 5.1.3.
* Added Ruby 2.4.1 precompiled native extension.
Release 5.1.3
-------------
* [Standalone] Fixes `install-standalone-runtime` command after regression in 5.1.2.
* Removes unnecessary logging of "No Error" from macOS Security Update Checker.
* Adds support for compiling against the built-in Apache installation supplied with macOS 10.12 Sierra. Previous versions of Passenger failed because macOS Sierra's Apache installation is incomplete and does not supply the apr-config tool. We now work around this by using hardcoded default values for macOS.
* Don't output colorized text during dependency check when output isn't a TTY, unless forced. Closes GH-1902.
* [Nginx] The preferred Nginx version is now 1.10.3 (previously 1.10.2).
* Adds Ubuntu 17.04 "Zesty" packages.
* [Enterprise] Fixes `send-cloud-usage` command when Passenger is installed from gem.
* [Enterprise] Improves robustness of machine properties reporting for pay-as-you-go cloud-license holders.
* [Enterprise] Adds support for reporting available RAM, and CONTAINER_HOST_IDENTIFIER envvar, to support RAM-based pricing model.
* Added additional debug level logging for troubleshooting issues with bash scripts. Closes GH-1928.
* Revert private keychain use in the Security Update Checker when run as root on macOS, in order to avoid changing the default System Keychain. Closes GH-1922. Remove Cert and Key from keychain separately, to avoid errors when clearing the client certificate.
* Fix missing openssl check in `passenger-install-apache2-module` dependency checker. Closes GH-1934.
Release 5.1.2
-------------
* Improve curl check for passenger-install- scripts to catch (very old) curl versions that won't compile against 5.1+.
* Fixes remaining false positives (logging) from the new Meteor cluster warning system. Closes GH-1905.
* Create a private keychain on macOS when the system keychain is defaulted to, this avoids a permissions issue with the system keychain when performing the Security Update Check. This is necessary because the system keychain is the default keychain of daemon users and root on macOS.
* Improve `passenger-memory-stats` to include JRuby processes that fail to rename as expected. Closes GH-1878.
* [Standalone] Don't download or compile Nginx when using the builtin engine. Closes GH-1910.
* [Standalone] Fixes `--nginx-tarball` option of `passenger start` and `passenger-config install-standalone-runtime` (wasn't working). Also verifies that `--nginx-version` is explicitly specified as it should be.
Release 5.1.1
-------------
* The precompiled version of the PassengerAgent binary (used for e.g. gem installs) now configures (statically linked) libcurl with system keystore, so that the new security update check can successfully validate certs.
* Fixes some false positives (logging) from the new Node and Meteor cluster warning system. Logging is less repetitive and has extra debug info. Closes GH-1905.
* Updates the upload-progress module in the Nginx Debian package. The module version that we linked against in 5.1.0 was 0.9.2, but due to a bug in that version the module didn't work.
* The security update check now reports whether libcurl + SSL backend are statically linked to Passenger, in which case the check also needs to warn about relevant OpenSSL vulnerabilities in the linked library.
* Increases the allowed line lengths emitted by apps at startup.
* Adds support for the unary 'not' operator in the Union Station filter language.
* [Enterprise] Add missing flying-passenger integration mode to security update check.
* Fixes support for Rails 5.0.1 Action Cable. Specifically, we now support the `options` argument in the `write_nonblock` method in hijacked Rack IO sockets.
* [Apache] Introduces a small delay to prevent running the Security Update Checker twice at startup.
Release 5.1.0
--------------
* Upgrades union_station_hooks_core to version 2.1.2.
* [Enterprise] When running a Rails app in multithreaded mode, Passenger Enterprise automatically tags Rails logs with the current thread number. This makes it possible to distinguish logs generated by different threads.
* Fixes permissions issue on Linux when setting OOM score after lowering privileges. Closes GH-1858.
* [Standalone] Allows raw json envvars in Passengerfile.json. Closes GH-1837.
* [Standalone] Make the `max_requests` option available on the command line as well.
* Fixes unaligned memory access in base64 decoder on platforms that have strict aliasing requirements (non x86/x86_64). Closes GH-1646.
* Introduces daily Passenger security update check to warn (error log) if there are newer Passenger versions with important security fixes (describing what was discovered, what is affected, which version has the fix).
* Fixes compilation on Linux when a non-glibc C library is in use. Closes GH-1870.
* `passenger-install-nginx-module` and the standalone compiler now add the http v2, realip and addition module flags for Nginx (just like the APT/RPM/autobuilder already had). Closes GH-1788.
* [Apache] Fixes PassengerShowVersionInHeader option. Thanks to Sebastian Welther for contributing this.
* Passenger now reports when you try to use Node.js or Meteor clustering, and tries to continue with just a nonfunctional shim in place, so that if your code uses the clustering APIs your app may still work.
* Updates libev config.sub and config.guess to support newer platforms such as the IBM power 8.
* Fixes an issue where passenger-config couldn't restart an app if the TMPDIR variable was set to /tmp
* `passenger-install-apache-module` now suggests the correct apache package on Ubuntu Xenial. Closes GH-1884.
* [Standalone] The TempDirToucher will now spend most of its time with reduced privileges, except when it's actively touching files. This allows it to be killed when Passenger is quit in most circumstances. Closes GH-1678.
* Fixes a file overwrite vulnerability (CVE-2016-10345) caused by a predictable temporary file being written by `passenger-install-nginx-module`. Thanks to Jeremy Evans for reporting this.
* [Standalone] Fixes starting Passenger as a non-extant user. Closes GH-1849.
* Improved look of the error pages for failing to spawn an application (development & production mode), and Error ID is now also shown in production mode.
* [Standalone] Enable ipv6 support by default in builtin nginx. Closes GH-1873.
* [Nginx] Updates to APT package builder (Debian & Ubuntu) with fix for www-data to root privilege escalation via log file handling (CVE-2016-1247/USN-3114-1).
* [Nginx] Updates to RPM package builder (CentOS & RHEL) with fix for 1.10.x system nginx package overriding the nginx from the Passenger repo. Closes GH-1895.
* [Nginx] The preferred Nginx version is now 1.10.2 (previously 1.10.1).
* RPM pkg builder fix for breaking SELinux change in RHEL 7.3.
* RPM pkg builder fix for RHEL6/CentOS6 incompatibility and replacement in Passenger.
* Adds Ubuntu 16.10 "Yakkety" packages.
Release 5.0.30
--------------
* Changes mbuf block size from 512 to 4096 bytes to better fit modern requests and significantly speed up disk buffering.
* [Nginx] Fixes PCRE checksum after the preferred version update in 5.0.29 (contributed by: clemensg).
* [Apache] Fixes buffer limit crash on large file upload (when core disk buffer can't keep up with client for some time), and limits per-client buffer memory usage to 130 KB. Closes GH-1620.
* Fixes potential hang when an UnseekableSocket gets serialized to json. Closes GH-1838.
Release 5.0.29
--------------
* Fixes the FreeBSD build breaking due to the `-ldl` flag introduced by the LVE integration patch (5.0.28). Closes GH-1805.
* Fixes per-application interpreter override (ruby, node, python) being ignored in mass deployment mode. Closes GH-1818.
* Fixes incomplete refactor from 5.0.27 that could, under specific conditions, lead to a Passenger crash. Closes GH-1794.
* [Apache] Remove unused code that caused a crash in configurations with thousands of VirtualHost entries. Closes GH-1676.
* [Nginx] Fixes use of invalid logfile name (memory already released) in backup log redirection code. Possibly related to GH-1774.
* [Nginx] The preferred Nginx version is now 1.10.1 (previously 1.10.0).
* [Nginx] The preferred PCRE version is now 8.39 (previously 8.34).
* [Standalone] Passenger Standalone now supports /dev/stdout and /dev/stderr as log file path (via `--log-file` or Passengerfile.json). This is especially useful in Docker containers. In previous versions logging to those paths did not work, resulting in nothing getting logged at all.
* Adds Ubuntu 16.04 "Xenial" packages, deprecates Ubuntu 15.10 “Wily” packages (in accordance with LTS support policy).
Release 5.0.28
--------------
* Finalizes the fix (5.0.26) for the `rails server` command integration to prevent "missing on_event" errors. Closes GH-1768.
* Fixes missing -fPIC in Nginx dynamic module compilation (5.0.26) on Linux (rewrite of a patch by Andrei Belov). Closes GH-1793.
* Fixes memory leak that could occur whenever more than 1024 concurrent requests are handled (more likely since the higher concurrency support options from 5.0.24). Closes GH-1797.
* Integrates with CloudLinux LVE and CageFS (security checks and a new option PassengerLveMinUid). Thanks to Oleksiy Shchukin from CloudLinux Inc. for contributing this.
* Fixes the Nginx build when the PCRE library is not available (such as when compiling with `--without-http_rewrite_module`). Closes GH-1796.
* Extends `passenger-memory-stats` filter to show the instance dir toucher too (as well as the core in valgrind debug runs).
* Changes the default for friendly error pages to "off" unless the environment is set to "development", rather than "on" unless "staging" or "production". Closes GH-1782.
* [Nginx] The preferred Nginx version is now 1.10.0 (previously 1.8.1).
Release 5.0.27
--------------
* Fixes encoding issue for Ruby apps that resulted in a 0-byte response body. This occurred when the Ruby native support lib was not used and the app outputted an encoding that doesn't mix with UTF-8 (like UTF-16). Closes GH-1763.
* Fixes Passenger Core and application processes staying on the Watchdogs OOM score (unkillable) when user switching is set to off. Closes GH-1631.
* Supports Debian GNU/kFreeBSD build. Based on contribution by stevenc99.
* Switches a number of places in the Passenger Core over to using the monotonic clock instead of the wallclock for robustness against clock time-stepping.
* Slightly improves out-of-memory detection in some subroutines.
* Fixes incomplete libuv upgrade: some build files were not autoregenerated during the upgrade from 1.5.0 to 1.8.0 in the previous release.
* Warnings about 502 responses that are caused by applications aborting their output while the client is no longer connected (e.g. due to half-close event, reported since 5.0.26) are now reduced to debug level.
* Fixes automatic compilation of Ruby's native_support library in case Passenger was installed through Debian or RPM packages. Closes GH-1778.
* Fixes memory leak when buffering large request/response bodies to disk (which happens as soon as the 100 KB memory buffer is full).
* Fixes crash if an application spawn fails and a non-UTF8 character appears in the spawn output. Closes GH-1601.
* Updates the `rails server` command integration (from 5.0.25) to prevent "missing on_event" errors. Closes GH-1768. Update: not all required code made it to the release, the final fix is delivered in 5.0.28.
* [Union Station] Fixes a crash that occurs if all of the following conditions are met: 1) Union Station support is enabled, 2) the client sent at least one header containing the empty string, 3) the application responds with a 4xx or 5xx status. Closes GH-1776.
Release 5.0.26
--------------
* `passenger-status --show=server` now reports the speed at which new requests are accepted.
* `passenger-status --show=server` now reports `last_data_send_time` and `last_data_receive_time` which can be used to troubleshoot long-running requests (for example, to see if a websocket heartbeat is stuck).
* Passenger now reports TCP half-closing events to Node.js and Meteor applications, which allows them to detect request body and WebSocket closes without having to send data to the client.
* Fixes outputting Content-Length and Transfer-Encoding headers on HEAD requests for Ruby apps. These headers were omitted in previous versions on HEAD requests.
* Bumps the default socket backlog size from 1024 to 2048.
* Upgrades libuv to version 1.8.0.
* When using our RPM packages, system SELinux policy upgrades no longer break the Passenger SELinux policy. Closes GH-1663.
* [Apache] Fixes compilation against Apache installations which include `-pie` in CFLAGS. Closes GH-1756.
* [Nginx, Standalone] Bumps default Nginx worker_connections from 1024 to 4096 (effectively 2048 because of internal reverse proxy)
* [Nginx, Standalone] Introduces the option `core_file_descriptor_ulimit` and `app_file_descriptor_ulimit`, for setting the file descriptor ulimits of the Passenger core and the application, respectively.
* [Nginx] Passenger can now be [compiled as an Nginx dynamic module](https://www.phusionpassenger.com/library/install/nginx/install_as_nginx_module.html#dynamic-module). Thanks to Ruslan Ermilov from NGINX Inc for contributing this.
* [Standalone] Prints a warning when an unsupported configuration option in Passengerfile.json is set.
* [Standalone] Fixes "address already in use" errors when using the builtin engine.
* [Enterprise] The rolling restart feature now waits until the old process is completely gone (drained its request queue, process exited) before proceeding with rolling restarting the next process. This results in friendlier resource usage during rolling restart.
* [Union Station] Fixes custom logging time arguments getting overwritten by current time for Ruby apps (so some sub-blocks like "framework request processing" appeared shorter than they were). This could happen since the switch to monotonic clock in 5.0.22.