RubyGems - passenger - Versions diffs - 6.0.25 → 6.0.26 - Mend

passenger 6.0.25 → 6.0.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG +6 -1
data/src/agent/Core/Config.h +1 -1
data/src/agent/Core/Controller/Config.h +1 -1
data/src/agent/Watchdog/Config.h +1 -1
data/src/cxx_supportlib/Constants.h +1 -1
data/src/cxx_supportlib/ServerKit/HttpHeaderParser.h +19 -21
data/src/ruby_supportlib/phusion_passenger.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0864392c22c6c48427a4ab0e8eeb4254fbb2f6cbb6d07c13570bc9f54b710dd6'
-  data.tar.gz: ecff7e5b78e2a08f93fb73c12126964d29cc80065aaa96e0153505db63f3c066
+  metadata.gz: 0715fd22339d788849a10399857aa8cacbcf6720fe409d7a94a3760aa5233597
+  data.tar.gz: 4a37b6dbe1d2631dfd4fc9b20a610beffc631466ec419bfaa2e65fe82eae4847
 SHA512:
-  metadata.gz: 24706e10441ff794e17f663197c57ad276b18588fc3f31fade19475ad834c7e08470d63d275639ba4a97bc4f76152af477c9fd1297ff637afe086c1957e78d71
-  data.tar.gz: 61d9e594cf3487de28fa37c19398408685d0e1a74d3ffcd5d388c3f0fc5dd59b1a173a814f4c77298a11de7394ea7d677cb353308d8b7bb70e39cfe16296f2c0
+  metadata.gz: ea4c77be27c6cf6ef4148c33704382b0119bbe56ec40d9d3ec2e69e87a28dce4ecf23474826634930dd0f452074bf09404e6e7c75a8bc49f51107a01bb51b964
+  data.tar.gz: 2baf57d7686439f951da69c5d02dfd9f092a00ea306e9e16060b916418f55c7b815ad63f27eb80c89e17fb2046e62f1fb63b73e7a8ee33f0ad70857697d0baae

data/CHANGELOG CHANGED Viewed

@@ -1,4 +1,9 @@
-Release 6.0.25 (Not yet released)
+Release 6.0.26 (Not yet released)
+-------------
+ * [CVE-2025-26803] The http parser (from Passenger 6.0.21-6.0.25) was susceptible to a denial of service attack when parsing a request with an invalid HTTP method.
+Release 6.0.25
 -------------
  * Fixes compilation with clang 19 (latest Fedora update) by dropping a buggy stddev function from the moving average header. Closes GH-2580.
  * [Standalone] Adds a config option to specify the stop timeout for Passenger: `--stop-timeout 120` or `PASSENGER_STOP_TIMEOUT=120`.

data/src/agent/Core/Config.h CHANGED Viewed

@@ -168,7 +168,7 @@ using namespace std;
  *   security_update_checker_interval                                unsigned integer   -          default(86400)
  *   security_update_checker_proxy_url                               string             -          -
  *   security_update_checker_url                                     string             -          default("https://securitycheck.phusionpassenger.com/v1/check.json")
- *   server_software                                                 string             -          default("Phusion_Passenger/6.0.25")
+ *   server_software                                                 string             -          default("Phusion_Passenger/6.0.26")
  *   show_version_in_header                                          boolean            -          default(true)
  *   single_app_mode_app_root                                        string             -          default,read_only
  *   single_app_mode_app_start_command                               string             -          read_only

data/src/agent/Core/Controller/Config.h CHANGED Viewed

@@ -118,7 +118,7 @@ parseControllerBenchmarkMode(const StaticString &mode) {
  *   old_routing                                         boolean            -          default(false),read_only
  *   request_freelist_limit                              unsigned integer   -          default(1024)
  *   response_buffer_high_watermark                      unsigned integer   -          default(134217728)
- *   server_software                                     string             -          default("Phusion_Passenger/6.0.25")
+ *   server_software                                     string             -          default("Phusion_Passenger/6.0.26")
  *   show_version_in_header                              boolean            -          default(true)
  *   start_reading_after_accept                          boolean            -          default(true)
  *   stat_throttle_rate                                  unsigned integer   -          default(10)

data/src/agent/Watchdog/Config.h CHANGED Viewed

@@ -156,7 +156,7 @@ using namespace std;
  *   security_update_checker_interval                                         unsigned integer   -          default(86400)
  *   security_update_checker_proxy_url                                        string             -          -
  *   security_update_checker_url                                              string             -          default("https://securitycheck.phusionpassenger.com/v1/check.json")
- *   server_software                                                          string             -          default("Phusion_Passenger/6.0.25")
+ *   server_software                                                          string             -          default("Phusion_Passenger/6.0.26")
  *   setsid                                                                   boolean            -          default(false)
  *   show_version_in_header                                                   boolean            -          default(true)
  *   single_app_mode_app_root                                                 string             -          default,read_only

data/src/cxx_supportlib/Constants.h CHANGED Viewed

@@ -83,7 +83,7 @@
 #define PASSENGER_API_VERSION_MAJOR 0
 #define PASSENGER_API_VERSION_MINOR 3
 #define PASSENGER_DEFAULT_USER "nobody"
-#define PASSENGER_VERSION "6.0.25"
+#define PASSENGER_VERSION "6.0.26"
 #define POOL_HELPER_THREAD_STACK_SIZE 262144
 #define PROCESS_SHUTDOWN_TIMEOUT 60
 #define PROCESS_SHUTDOWN_TIMEOUT_DISPLAY "1 minute"

data/src/cxx_supportlib/ServerKit/HttpHeaderParser.h CHANGED Viewed

@@ -119,31 +119,26 @@ private:
 	}
 	static size_t http_parser_execute_and_handle_pause(llhttp_t *parser,
-		const char *data, size_t len, bool &paused)
+		const char *data, size_t len)
 	{
 		llhttp_errno_t rc = llhttp_get_errno(parser);
 		switch (rc) {
 		case HPE_PAUSED_UPGRADE:
 			llhttp_resume_after_upgrade(parser);
+			rc = llhttp_get_errno(parser);
 			goto happy_path;
 		case HPE_PAUSED:
 			llhttp_resume(parser);
+			rc = llhttp_get_errno(parser);
 			goto happy_path;
 		case HPE_OK:
+			rc = llhttp_execute(parser, data, len);
 		happy_path:
-			switch (llhttp_execute(parser, data, len)) {
-			case HPE_PAUSED_H2_UPGRADE:
-			case HPE_PAUSED_UPGRADE:
-			case HPE_PAUSED:
-				paused = true;
-				return (llhttp_get_error_pos(parser) - data);
-			case HPE_OK:
+			if (rc == HPE_OK) {
 				return len;
-			default:
-				goto error_path;
-			}
+            }
+			// deliberate fall through
         default:
-		error_path:
 			return (llhttp_get_error_pos(parser) - data);
 		}
 	}
@@ -488,20 +483,22 @@ public:
 		TRACE_POINT();
 		P_ASSERT_EQ(message->httpState, Message::PARSING_HEADERS);
-		size_t ret;
-		bool paused;
 		state->parser.data = this;
 		currentBuffer = &buffer;
-		ret = http_parser_execute_and_handle_pause(&state->parser,
-			buffer.start, buffer.size(), paused);
+		size_t ret = http_parser_execute_and_handle_pause(&state->parser,
+			buffer.start, buffer.size());
 		currentBuffer = NULL;
-		if (!llhttp_get_upgrade(&state->parser) && ret != buffer.size() && !paused || !paused && llhttp_get_errno(&state->parser) != HPE_OK) {
+		llhttp_errno_t llerrno = llhttp_get_errno(&state->parser);
+		bool paused = (llerrno == HPE_PAUSED_H2_UPGRADE || llerrno == HPE_PAUSED_UPGRADE || llerrno == HPE_PAUSED);
+		if ( (!llhttp_get_upgrade(&state->parser) && ret != buffer.size() && !paused) ||
+		 (llerrno != HPE_OK && !paused) ) {
 			UPDATE_TRACE_POINT();
 			message->httpState = Message::ERROR;
-			switch (llhttp_get_errno(&state->parser)) {
-			case HPE_CB_HEADER_FIELD_COMPLETE://?? does this match was HPE_CB_header_field in old one
+			switch (llerrno) {
+			case HPE_CB_HEADER_FIELD_COMPLETE:// does this match? was HPE_CB_header_field in old impl
 			case HPE_CB_HEADERS_COMPLETE:
 				switch (state->state) {
 				case HttpHeaderParserState::ERROR_SECURITY_PASSWORD_MISMATCH:
@@ -526,9 +523,10 @@ public:
 				break;
 			default:
 				default_error:
-				message->aux.parseError = HTTP_PARSER_ERRNO_BEGIN - llhttp_get_errno(&state->parser);
+				message->aux.parseError = HTTP_PARSER_ERRNO_BEGIN - llerrno;
 				break;
 			}
+			llhttp_finish(&state->parser);
 		} else if (messageHttpStateIndicatesCompletion(MessageType())) {
 			UPDATE_TRACE_POINT();
 			message->httpMajor = llhttp_get_http_major(&state->parser);

data/src/ruby_supportlib/phusion_passenger.rb CHANGED Viewed

@@ -31,7 +31,7 @@ module PhusionPassenger
   PACKAGE_NAME = 'passenger'
   # Run 'rake src/cxx_supportlib/Constants.h configkit_schemas_inline_comments' after changing this number.
-  VERSION_STRING = '6.0.25'
+  VERSION_STRING = '6.0.26'
   # Tip: find the SHA-256 with ./dev/nginx_version_sha256 <VERSION>
   PREFERRED_NGINX_VERSION = '1.26.2'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passenger
 version: !ruby/object:Gem::Version
-  version: 6.0.25
+  version: 6.0.26
 platform: ruby
 authors:
 - Phusion - http://www.phusion.nl/
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-04 00:00:00.000000000 Z
+date: 2025-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake