Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
fix_install_path.patch | Install in vendor_ruby directory and install common files in non-versioned path | Laurent Bigonville <bigon@debian.org> | no | | | 2015-05-02 |
bin_load_path.patch | do not mess with LOAD_PATH in bin/* files | Cédric Boutillier <boutil@debian.org> | no | | | 2014-01-16 |
nodejs_bin_name.patch | The node.js binary is called nodejs in Debian. | Felix Geyer <fgeyer@debian.org> | no | |||
CVE-2017-16355.patch | arbitrary file read via REVISION symlink https://github.com/phusion/passenger/commit/947af424330f5d5f5006860b2f0140bbba153e42 [carnil: false is actually a defined macro, but the key part of the fix is the removal of the call to inferApplicationInfo() to address the issue. | "Daniel Knoppel (Phusion)" <daniel@phusion.nl> | no | debian | https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf, | 2017-10-11 |
Fix-privilege-escalation-in-the-Nginx-module.patch | Fix privilege escalation in the Nginx module. The vulnerability is exploitable with a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, it was chowned via the path not the file descriptor. The chown entered the code in 2010, so Passenger 4 + 5 all affected. | Camden Narzt <c.narzt@me.com> | no | debian | https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86 | 2018-05-14 |
fix-arm-cmsg.patch | Fix the CMSG related FTBFS on Debian arm* and raspbian. The CMSG code has two codepaths, the "workaround" code path which upstream currently uses on OS X, Solaris and all arm systems and the "main" codepath used everywhere else. Unfortunately the "workaround" codepath no longer builds on Debian, presumably due to changes in glibc. I do not know for sure, but I believe that the problem that the developers were trying to solve when they made arm systems use the "workaround" codepath was an alignment issue. The "main" codepath used a char array as a buffer which is not alignment safe. This patch changes the "main" codepath to use a union for the buffer as used in the example in current versions of the cmsg manpage and changes the conditional defines so that arm Linux systems no longer use the "workaround" codepath. | Peter Michael Green <plugwash@debian.org> | no | | | |
python3.diff | | | no | | | |
0008-node-loader.js-drop-usage-of-deprecated-GLOBAL-varia.patch | node-loader.js: drop usage of deprecated GLOBAL variable. This enables running NodeJS apps in passenger using a newer NodeJS than the one in Debian bullseye. Even in the NodeJS version in stable, `GLOBAL` is already deprecated in favor of `global`, and using the former gets you a warning. Newer NodeJS versions drop `GLOBAL` completely, so passenger doesn't work at all with those. | Antonio Terceiro <terceiro@debian.org> | no | | | 2022-12-13 |