CVE-2015-7519 in Ubuntu

CVE-2015-7519

Priority

Description

agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60
and 5.0.x before 5.0.22, when used in Apache integration mode or in
standalone mode without a filtering proxy, allows remote attackers to spoof
headers passed to applications by using an _ (underscore) character instead
of a - (dash) character in an HTTP header, as demonstrated by an X_User
header.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7519
https://bugzilla.suse.com/show_bug.cgi?id=956281
https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807354

Notes

Package

Source: passenger (LP Ubuntu Debian)

Upstream:	released (5.0.22-1)
Ubuntu 14.04 ESM:	DNE
Ubuntu 20.04 FIPS Compliant:	not-affected (5.0.22-1)

Patches:

Upstream:

https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e

More Information

Updated: 2022-04-13 12:06:18 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)