Bump passenger from 6.0.23 to 6.0.26

[dependabot]

Bumps passenger from 6.0.23 to 6.0.26.

Release notes

Sourced from passenger's releases.

Release 6.0.26

• [CVE-2025-26803] The http parser (from Passenger 6.0.21-6.0.25) was susceptible to a denial of service attack when parsing a request with an invalid HTTP method.

Release 6.0.25

• Fixes compilation with clang 19 (latest Fedora update) by dropping a buggy stddev function from the moving average header. Closes GH-2580.
• [Standalone] Adds a config option to specify the stop timeout for Passenger: --stop-timeout 120 or PASSENGER_STOP_TIMEOUT=120.
• [Standalone] Changes Passenger's (not apps') start timeout to 25s (from 15s), stop timeouts default to 60s.
• [Ruby] Fixes an issue where Bundler would try to re-exec the process name instead of the script. Closes GH-2567 and GH-2577.
• [Enterprise] Adds a temporary flag to allow reverting to previous routing behaviour, in order to mitigate possible performance regressions, this flag will become a no-op and eventually removed once the routing issues have been fixed. Closes GH-2579.
  • Apache: PassengerOldRouting on
  • Nginx: passenger_old_routing on;
  • Standalone: --old-routing
• Updated various library versions used in precompiled binaries (used for e.g. gem installs):
  • cmake: 3.31.2 -> 3.31.3
  • curl: 8.11.0 -> 8.11.1
  • libiconv: 1.17 -> 1.18
  • rubygems: 3.5.23 -> 3.6.2
  • rubies:
    • added 3.4.1

Release 6.0.24

• [Nginx] Upgrades preferred Nginx to 1.26.2 from 1.26.1.
• [Enterprise] Smarter rolling restarts for better performance and reliability. We changed the way we route requests. Instead of picking the least-busy process, we now first prioritize new processes first. During a rolling restart, this new behavior leads to more efficient utilization of application caches, faster validation of new rollouts, and faster recovery from problematic deployments. Closes GH-2551.
• Fix a regression from 6.0.10 where running passenger-config system-properties would throw an error. Closes GH-2565.
• [Enterprise] Fix a memory corruption-related crash that could occur during rolling restarting.
• [Ubuntu] Add packages for Ubuntu 24.10 "oracular".
• [Ruby] Specify rackup version to avoid broken 1.0 gem. Closes GH-2559.
• Fixes compatibility with Ruby apps whose Gemfile.lock depends on base64.
• Upgrades Boost from 1.85 -> 1.86.
• Updated various library versions used in precompiled binaries (used for e.g. gem installs):
  • ccache 4.10.1 -> 4.10.2
  • cmake 3.30.1 -> 3.31.2
  • curl 8.8.0 -> 8.11.0
  • git 2.45.2 -> 2.47.1
  • gnupg 2.4.5 -> 2.4.7
  • libgpg_error 1.50 -> 1.51
  • npth 1.7 -> 1.8
  • openssl 3.3.1 -> 3.4.0
  • rubygems 3.5.16 -> 3.5.23
  • rubies:
    • 3.2.4 -> 3.2.6
    • 3.3.4 -> 3.3.6

Changelog

Sourced from passenger's changelog.

Release 6.0.26

• [CVE-2025-26803] The http parser (from Passenger 6.0.21-6.0.25) was susceptible to a denial of service attack when parsing a request with an invalid HTTP method.

Release 6.0.25

• Fixes compilation with clang 19 (latest Fedora update) by dropping a buggy stddev function from the moving average header. Closes GH-2580.
• [Standalone] Adds a config option to specify the stop timeout for Passenger: --stop-timeout 120 or PASSENGER_STOP_TIMEOUT=120.
• [Standalone] Changes Passenger's (not apps') start timeout to 25s (from 15s), stop timeouts default to 60s.
• [Ruby] Fixes an issue where Bundler would try to re-exec the process name instead of the script. Closes GH-2567 and GH-2577.
• [Enterprise] Adds a temporary flag to allow reverting to previous routing behaviour, in order to mitigate possible performance regressions, this flag will become a no-op and eventually removed once the routing issues have been fixed. Closes GH-2579.
  • Apache: PassengerOldRouting on
  • Nginx: passenger_old_routing on;
  • Standalone: --old-routing
• Updated various library versions used in precompiled binaries (used for e.g. gem installs):
  • cmake: 3.31.2 -> 3.31.3
  • curl: 8.11.0 -> 8.11.1
  • libiconv: 1.17 -> 1.18
  • rubygems: 3.5.23 -> 3.6.2
  • rubies:
    • added 3.4.1

Release 6.0.24

• [Nginx] Upgrades preferred Nginx to 1.26.2 from 1.26.1.
• [Enterprise] Smarter rolling restarts for better performance and reliability. We changed the way we route requests. Instead of picking the least-busy process, we now first prioritize new processes first. During a rolling restart, this new behavior leads to more efficient utilization of application caches, faster validation of new rollouts, and faster recovery from problematic deployments. Closes GH-2551.
• Fix a regression from 6.0.10 where running passenger-config system-properties would throw an error. Closes GH-2565.
• [Enterprise] Fix a memory corruption-related crash that could occur during rolling restarting.
• [Ubuntu] Add packages for Ubuntu 24.10 "oracular".
• [Ruby] Specify rackup version to avoid broken 1.0 gem. Closes GH-2559.
• Fixes compatibility with Ruby apps whose Gemfile.lock depends on base64.
• Upgrades Boost from 1.85 -> 1.86.
• Updated various library versions used in precompiled binaries (used for e.g. gem installs):
  • ccache 4.10.1 -> 4.10.2
  • cmake 3.30.1 -> 3.31.2
  • curl 8.8.0 -> 8.11.0
  • git 2.45.2 -> 2.47.1
  • gnupg 2.4.5 -> 2.4.7
  • libgpg_error 1.50 -> 1.51
  • npth 1.7 -> 1.8
  • openssl 3.3.1 -> 3.4.0
  • rubygems 3.5.16 -> 3.5.23
  • rubies:
    • 3.2.4 -> 3.2.6
    • 3.3.4 -> 3.3.6

Commits

• bb15591 Fix header parser
• e9eb752 bump passenger in gemfile.lock
• 8fdd6b9 remove packagecloud_proxy
• ad1d5ea Post release tasks
• 3aca8bb Allow opting out of new routing algorithm via a flag (#2590)
• bf08ffa CI: use Github-hosted ARM runners
• 0326f4a Fix Passenger Enterprise tests
• f360d4a Debian and RPM packaging CI: only update cache when building succeeds
• 9470695 Debian packages: unset env vars that break passenger_system_ruby
• 6a2330a fixup ruby tests
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.