passenger 6.0.25 → 6.0.26

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0864392c22c6c48427a4ab0e8eeb4254fbb2f6cbb6d07c13570bc9f54b710dd6'
-  data.tar.gz: ecff7e5b78e2a08f93fb73c12126964d29cc80065aaa96e0153505db63f3c066
+  metadata.gz: 0715fd22339d788849a10399857aa8cacbcf6720fe409d7a94a3760aa5233597
+  data.tar.gz: 4a37b6dbe1d2631dfd4fc9b20a610beffc631466ec419bfaa2e65fe82eae4847
 SHA512:
-  metadata.gz: 24706e10441ff794e17f663197c57ad276b18588fc3f31fade19475ad834c7e08470d63d275639ba4a97bc4f76152af477c9fd1297ff637afe086c1957e78d71
-  data.tar.gz: 61d9e594cf3487de28fa37c19398408685d0e1a74d3ffcd5d388c3f0fc5dd59b1a173a814f4c77298a11de7394ea7d677cb353308d8b7bb70e39cfe16296f2c0
+  metadata.gz: ea4c77be27c6cf6ef4148c33704382b0119bbe56ec40d9d3ec2e69e87a28dce4ecf23474826634930dd0f452074bf09404e6e7c75a8bc49f51107a01bb51b964
+  data.tar.gz: 2baf57d7686439f951da69c5d02dfd9f092a00ea306e9e16060b916418f55c7b815ad63f27eb80c89e17fb2046e62f1fb63b73e7a8ee33f0ad70857697d0baae

data/CHANGELOG

@@ -1,4 +1,9 @@
-Release 6.0.25 (Not yet released)
+Release 6.0.26 (Not yet released)
+-------------
+ * [CVE-2025-26803] The http parser (from Passenger 6.0.21-6.0.25) was susceptible to a denial of service attack when parsing a request with an invalid HTTP method.
+
+
+Release 6.0.25
 -------------
  * Fixes compilation with clang 19 (latest Fedora update) by dropping a buggy stddev function from the moving average header. Closes GH-2580.
  * [Standalone] Adds a config option to specify the stop timeout for Passenger: `--stop-timeout 120` or `PASSENGER_STOP_TIMEOUT=120`.

data/src/agent/Core/Config.h

@@ -168,7 +168,7 @@ using namespace std;
  *   security_update_checker_interval                                unsigned integer   -          default(86400)
  *   security_update_checker_proxy_url                               string             -          -
  *   security_update_checker_url                                     string             -          default("https://securitycheck.phusionpassenger.com/v1/check.json")
- *   server_software                                                 string             -          default("Phusion_Passenger/6.0.25")
+ *   server_software                                                 string             -          default("Phusion_Passenger/6.0.26")
  *   show_version_in_header                                          boolean            -          default(true)
  *   single_app_mode_app_root                                        string             -          default,read_only
  *   single_app_mode_app_start_command                               string             -          read_only

data/src/agent/Core/Controller/Config.h

@@ -118,7 +118,7 @@ parseControllerBenchmarkMode(const StaticString &mode) {
  *   old_routing                                         boolean            -          default(false),read_only
  *   request_freelist_limit                              unsigned integer   -          default(1024)
  *   response_buffer_high_watermark                      unsigned integer   -          default(134217728)
- *   server_software                                     string             -          default("Phusion_Passenger/6.0.25")
+ *   server_software                                     string             -          default("Phusion_Passenger/6.0.26")
  *   show_version_in_header                              boolean            -          default(true)
  *   start_reading_after_accept                          boolean            -          default(true)
  *   stat_throttle_rate                                  unsigned integer   -          default(10)

data/src/agent/Watchdog/Config.h

@@ -156,7 +156,7 @@ using namespace std;
  *   security_update_checker_interval                                         unsigned integer   -          default(86400)
  *   security_update_checker_proxy_url                                        string             -          -
  *   security_update_checker_url                                              string             -          default("https://securitycheck.phusionpassenger.com/v1/check.json")
- *   server_software                                                          string             -          default("Phusion_Passenger/6.0.25")
+ *   server_software                                                          string             -          default("Phusion_Passenger/6.0.26")
  *   setsid                                                                   boolean            -          default(false)
  *   show_version_in_header                                                   boolean            -          default(true)
  *   single_app_mode_app_root                                                 string             -          default,read_only

data/src/cxx_supportlib/Constants.h

@@ -83,7 +83,7 @@
 #define PASSENGER_API_VERSION_MAJOR 0
 #define PASSENGER_API_VERSION_MINOR 3
 #define PASSENGER_DEFAULT_USER "nobody"
-#define PASSENGER_VERSION "6.0.25"
+#define PASSENGER_VERSION "6.0.26"
 #define POOL_HELPER_THREAD_STACK_SIZE 262144
 #define PROCESS_SHUTDOWN_TIMEOUT 60
 #define PROCESS_SHUTDOWN_TIMEOUT_DISPLAY "1 minute"

data/src/cxx_supportlib/ServerKit/HttpHeaderParser.h

@@ -119,31 +119,26 @@ private:
 	}
 
 	static size_t http_parser_execute_and_handle_pause(llhttp_t *parser,
-		const char *data, size_t len, bool &paused)
+		const char *data, size_t len)
 	{
 		llhttp_errno_t rc = llhttp_get_errno(parser);
 		switch (rc) {
 		case HPE_PAUSED_UPGRADE:
 			llhttp_resume_after_upgrade(parser);
+			rc = llhttp_get_errno(parser);
 			goto happy_path;
 		case HPE_PAUSED:
 			llhttp_resume(parser);
+			rc = llhttp_get_errno(parser);
 			goto happy_path;
 		case HPE_OK:
+			rc = llhttp_execute(parser, data, len);
 		happy_path:
-			switch (llhttp_execute(parser, data, len)) {
-			case HPE_PAUSED_H2_UPGRADE:
-			case HPE_PAUSED_UPGRADE:
-			case HPE_PAUSED:
-				paused = true;
-				return (llhttp_get_error_pos(parser) - data);
-			case HPE_OK:
+			if (rc == HPE_OK) {
 				return len;
-			default:
-				goto error_path;
-			}
+            }
+			// deliberate fall through
         default:
-		error_path:
 			return (llhttp_get_error_pos(parser) - data);
 		}
 	}
@@ -488,20 +483,22 @@ public:
 		TRACE_POINT();
 		P_ASSERT_EQ(message->httpState, Message::PARSING_HEADERS);
 
-		size_t ret;
-		bool paused;
-
 		state->parser.data = this;
 		currentBuffer = &buffer;
-		ret = http_parser_execute_and_handle_pause(&state->parser,
-			buffer.start, buffer.size(), paused);
+		size_t ret = http_parser_execute_and_handle_pause(&state->parser,
+			buffer.start, buffer.size());
 		currentBuffer = NULL;
 
-		if (!llhttp_get_upgrade(&state->parser) && ret != buffer.size() && !paused || !paused && llhttp_get_errno(&state->parser) != HPE_OK) {
+		llhttp_errno_t llerrno = llhttp_get_errno(&state->parser);
+
+		bool paused = (llerrno == HPE_PAUSED_H2_UPGRADE || llerrno == HPE_PAUSED_UPGRADE || llerrno == HPE_PAUSED);
+
+		if ( (!llhttp_get_upgrade(&state->parser) && ret != buffer.size() && !paused) ||
+		 (llerrno != HPE_OK && !paused) ) {
 			UPDATE_TRACE_POINT();
 			message->httpState = Message::ERROR;
-			switch (llhttp_get_errno(&state->parser)) {
-			case HPE_CB_HEADER_FIELD_COMPLETE://?? does this match was HPE_CB_header_field in old one
+			switch (llerrno) {
+			case HPE_CB_HEADER_FIELD_COMPLETE:// does this match? was HPE_CB_header_field in old impl
 			case HPE_CB_HEADERS_COMPLETE:
 				switch (state->state) {
 				case HttpHeaderParserState::ERROR_SECURITY_PASSWORD_MISMATCH:
@@ -526,9 +523,10 @@ public:
 				break;
 			default:
 				default_error:
-				message->aux.parseError = HTTP_PARSER_ERRNO_BEGIN - llhttp_get_errno(&state->parser);
+				message->aux.parseError = HTTP_PARSER_ERRNO_BEGIN - llerrno;
 				break;
 			}
+			llhttp_finish(&state->parser);
 		} else if (messageHttpStateIndicatesCompletion(MessageType())) {
 			UPDATE_TRACE_POINT();
 			message->httpMajor = llhttp_get_http_major(&state->parser);

data/src/ruby_supportlib/phusion_passenger.rb

@@ -31,7 +31,7 @@ module PhusionPassenger
 
   PACKAGE_NAME = 'passenger'
   # Run 'rake src/cxx_supportlib/Constants.h configkit_schemas_inline_comments' after changing this number.
-  VERSION_STRING = '6.0.25'
+  VERSION_STRING = '6.0.26'
 
   # Tip: find the SHA-256 with ./dev/nginx_version_sha256 <VERSION>
   PREFERRED_NGINX_VERSION = '1.26.2'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passenger
 version: !ruby/object:Gem::Version
-  version: 6.0.25
+  version: 6.0.26
 platform: ruby
 authors:
 - Phusion - http://www.phusion.nl/
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-02-04 00:00:00.000000000 Z
+date: 2025-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake