
Bump passenger from 5.1.12 to 5.3.2 #50

Open · wants to merge 1 commit into base: master
Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Jun 17, 2022

Bumps passenger from 5.1.12 to 5.3.2.

Changelog

Sourced from passenger's changelog.

Release 5.3.2

This release contains many security updates. Users are advised to upgrade as soon as possible. See our blog for more information on the vulnerabilities.

  • [Nginx] Fixes CVE-2018-12029, a local privilege escalation vulnerability in the Nginx module that occurs when passenger_instance_registry_dir is configured to a directory with insufficiently strict permissions.

  • Fixes CVE-2018-12026, 12027, and 12028. These are local denial of service, local information disclosure and local privilege escalation vulnerabilities that could be exploited by malicious applications or malicious users on the system.

  • Updated various library versions used in precompiled binaries (used for e.g. gem installs):

    • OpenSSL (Linux only): 1.0.2o (was: 1.0.2k; on macOS it was already 1.0.2o)
    • GeoIP: 1.6.12 (was: 1.6.11)
    • libcurl: 7.60.0 (was: 7.56.1)
  • Fixes Meteor support in non-bundled mode (regression from 5.3.0). Closes GH-2082.

  • Fixes the fact that the error page (which is shown when an app fails to spawn) sometimes contains insufficient analysis details about the app.

  • [Apache] Fixes PassengerMaxInstancesPerApp not being respected (regression from config refactor in 5.2.0). Closes GH-2059.

  • [Enterprise, Apache] Fixes PassengerMaxInstances not being respected (regression from config refactor in 5.2.0).

  • [Enterprise] Fixes passenger-irb being unable to connect to an app process (regression from 5.3.0). Closes GH-2087.

Release 5.3.1

  • Fixes a regression from 5.3.0: a crash that occurs if the user that an application should run under, does not have a shell configured. Closes GH-2078.
  • Fixes a regression from 5.3.0: setting supplementary group IDs during user switching. Closes GH-2077.

Release 5.3.0

  • Adds Ubuntu 18.04 "Bionic" packages.
  • Removes packages for Debian 7 "Wheezy" (EOL May 2018).
  • Vastly improves spawning error page: quick overview of where the problem is, and the option to drill down in extensive troubleshooting information.
  • Fuse Panel support: fixes a crash that occurs when you shut down Passenger right after it fails to connect to Fuse Panel.
  • [Nginx] Updates the preferred Nginx version to 1.14.0 (from 1.12.2).
  • [Apache] Updates the recommended package for apache dev headers on debian >= 9.4. Closes GH-2048.
  • [Enterprise] Fix licensing proxy warning to refer to licensing_proxy_url instead of licensing_proxy.
  • [Enterprise] Add new PassengerAppLogFile (Apache) / passenger_app_log_file (Nginx) config option to specify a file for app-specific logs. Closes GH-1279.

Release 5.2.3

  • Fuse Panel support: fixes a few bugs with handling small log files and with apps that don't output any messages.
  • Python app support: fixes a Python 3 compatibility issue w.r.t. writing data over the socket.
  • macOS support: fixes a crash in the passenger-config compile-nginx-engine command which only occurs on macOS >= 10.13. This crash was caused by a missing require call in our code, and affects users who compile Passenger from source, e.g. users of the Passenger Enterprise Homebrew formula.
  • Fixes a small memory corruption issue (dangling pointer) in the ApplicationPool subsystem.
  • Improves support for the $TMPDIR environment variable by removing leftover hardcoded references to /tmp. Closes GH-2052.
  • Updated PCRE version to 8.42 (was: 8.41) across the board.

... (truncated)

Commits
  • 5e4d605 Prepare for release
  • d98fafe Fix compilation problem in SchemaPrinterMain
  • e83a117 Update CHANGELOG
  • 1cfb17a Upgrade passenger_binary_build_automation
  • b970339 SpawningKit properties.json validation handling: correctly set errored journe...
  • a4f2b12 SpawningKit HandshakePerform: add more trace points
  • bd77908 SpawningKit HandshakePerform: ensure that more SpawnExceptions contain inform...
  • c3fa512 Warn if instance registry dir insecure
  • 1e7c82d SpawningKit: do not allow killing the PID returned by the preloader until we ...
  • 3f270a9 SpawningKit: sanity-check Unix domain socket addresses reported by the app
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.
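The changelog quoted above ties CVE-2018-12029 to a `passenger_instance_registry_dir` with insufficiently strict permissions, and this PR exists because the locked passenger version predates the fix. The following Python is an added example (not code from Passenger, Dependabot, or this repository) that checks both conditions from a defender's side: it audits a candidate registry directory's ownership and write bits, and it reads the pinned passenger version out of Gemfile.lock text to decide whether the upgrade is still outstanding. The candidate directory paths and the Gemfile.lock fragment are constructed for illustration.

```python
import os
import re
import stat

MIN_SAFE_VERSION = (5, 3, 2)  # first release carrying the fixes listed in the changelog above


def registry_dir_problems(mode: int, uid: int, expected_uid: int = 0) -> list:
    """Explain why a directory with this st_mode/st_uid is unsuitable as
    passenger_instance_registry_dir. An empty list means no finding."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if uid != expected_uid:
        problems.append(f"owned by uid {uid}, expected {expected_uid}")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_registry_dir(path: str, expected_uid: int = 0) -> list:
    """lstat() a real path (so a symlink is reported rather than followed) and run the checks."""
    st = os.lstat(path)
    problems = registry_dir_problems(st.st_mode, st.st_uid, expected_uid)
    if stat.S_ISLNK(st.st_mode):
        problems.insert(0, "is a symlink")
    return problems


# Gemfile.lock pins gems under "specs:" as "    name (x.y.z)".
_LOCK_RE = re.compile(r"^\s+passenger \((\d+)\.(\d+)\.(\d+)\)\s*$", re.M)


def locked_passenger_version(lockfile_text: str):
    """Return the pinned passenger version from Gemfile.lock text as a tuple, or None."""
    m = _LOCK_RE.search(lockfile_text)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_upgrade(version) -> bool:
    return version is not None and version < MIN_SAFE_VERSION


# Constructed Gemfile.lock fragment, not taken from the repository in this PR.
SAMPLE_LOCK = "GEM\n  remote: https://rubygems.org/\n  specs:\n    passenger (5.1.12)\n      rack\n    rack (2.0.3)\n"

if __name__ == "__main__":
    v = locked_passenger_version(SAMPLE_LOCK)
    print("passenger", v, "needs upgrade" if needs_upgrade(v) else "ok")
    for d in ("/tmp", "/var/run/passenger-instreg"):  # assumed candidate paths, not Passenger defaults
        if os.path.exists(d):
            print(d, check_registry_dir(d) or "ok")
```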

Bumps [passenger](https://github.com/phusion/passenger) from 5.1.12 to 5.3.2.
- [Release notes](https://github.com/phusion/passenger/releases)
- [Changelog](https://github.com/phusion/passenger/blob/stable-6.0/CHANGELOG)
- [Commits](phusion/passenger@release-5.1.12...release-5.3.2)

---
updated-dependencies:
- dependency-name: passenger
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jun 17, 2022