Wednesday, April 09, 2014

Updating Phusion Passenger to Mitigate the Heartbleed Bug

Install Passenger/Nginx with Heartbleed Mitigation

The following steps may be taken to mitigate the OpenSSL vulnerability.

Compile the heartbleeder vulnerability tester

$ brew install go # Mac only
$ mkdir -p ~/Code/go
$ export GOPATH=$HOME/Code/go
$ cd $GOPATH
$ go get
$ go build heartbleeder
$ bin/heartbleeder

Update Passenger/Nginx

On your servers:
$ gem update passenger
$ passenger-install-nginx-module
# Update your nginx.conf with the new Passenger path
# Restart your nginx processes

Check your https web servers

$ bin/heartbleeder
Author: Patrick Morgan (patrick -at-
License: Creative Commons. Distribute Freely!


Hongli said...

The Nginx installed by passenger-install-nginx-module should be dynamically linked to OpenSSL. If you upgrade the system's OpenSSL your Nginx installation should be fine; no need to rerun passenger-install-nginx-module.

Unless you only have the OpenSSL static library installed, which will cause passenger-install-nginx-module to statically link to OpenSSL. In that case, you have to rerun passenger-install-nginx-module every time you upgrade OpenSSL.

Patrick said...

Thanks for the clarification. Updated my post!
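
The linking distinction from Hongli's comment and the post's "restart your nginx processes" step can be checked on a host with a short script. This is an added example, not code from the post or from Passenger; the function names link_mode and stale_libssl, the NGINX_BIN variable and all sample data are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: does a system OpenSSL upgrade alone cover this nginx build?

# link_mode LDD_TEXT NGINX_V_TEXT -> prints dynamic | static | no-ssl
link_mode() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then
        echo dynamic   # shared libssl: upgrade the package, then restart nginx
    elif printf '%s\n' "$2" | grep -q -e '--with-http_ssl_module'; then
        echo static    # SSL built in, no shared libssl: rerun the installer
    else
        echo no-ssl    # binary was built without the SSL module
    fi
}

# stale_libssl MAPS_TEXT -> exit 0 if a replaced libssl is still mapped
stale_libssl() {
    printf '%s\n' "$1" | grep -q 'libssl\.so.*(deleted)'
}

# Constructed sample data, not captured from a real host.
SAMPLE_LDD_DYNAMIC='libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000000000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000400000)'
SAMPLE_LDD_STATIC='libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000400000)'
SAMPLE_NGINX_V='configure arguments: --prefix=/opt/nginx --with-http_ssl_module'
SAMPLE_MAPS_STALE='7f0000000000-7f0000055000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
SAMPLE_MAPS_FRESH='7f0000000000-7f0000055000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

echo "sample dynamic build: $(link_mode "$SAMPLE_LDD_DYNAMIC" "$SAMPLE_NGINX_V")"
echo "sample static build:  $(link_mode "$SAMPLE_LDD_STATIC" "$SAMPLE_NGINX_V")"

# Live check (Linux): NGINX_BIN=/path/to/sbin/nginx sh this-script.sh
if [ -n "${NGINX_BIN:-}" ] && [ -x "$NGINX_BIN" ]; then
    echo "link mode: $(link_mode "$(ldd "$NGINX_BIN" 2>&1)" "$("$NGINX_BIN" -V 2>&1)")"
    for pid in $(pgrep -x nginx); do
        if stale_libssl "$(cat "/proc/$pid/maps" 2>/dev/null)"; then
            echo "pid $pid still maps the old libssl: restart nginx"
        fi
    done
fi
```

A "dynamic" result with a stale mapping means the package upgrade has not taken effect for that process yet; reading another user's /proc/<pid>/maps usually requires root.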