Candidate: CVE-2015-7519
PublicDate: 2016-01-08 19:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7519
 https://bugzilla.suse.com/show_bug.cgi?id=956281
 https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e
Description:
 agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60
 and 5.0.x before 5.0.22, when used in Apache integration mode or in
 standalone mode without a filtering proxy, allows remote attackers to spoof
 headers passed to applications by using an _ (underscore) character instead
 of a - (dash) character in an HTTP header, as demonstrated by an X_User
 header.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807354
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N [3.7 LOW]

Patches_passenger:
 upstream: https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e
upstream_passenger: released (5.0.22-1)
precise_passenger: released (2.2.11debian-2+deb6u1ubuntu12.04.1)
trusty_passenger: DNE
trusty/esm_passenger: DNE
vivid_passenger: DNE
vivid/stable-phone-overlay_passenger: DNE
vivid/ubuntu-core_passenger: DNE
wily_passenger: DNE
xenial_passenger: not-affected (5.0.22-1)
devel_passenger: not-affected (5.0.22-1)