CVE-2015-7519

NameCVE-2015-7519
Descriptionagent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1399-1, DLA-394-1
Debian Bugs807354, 864651

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
passenger (PTS)stretch (security), stretch (lts), stretch5.0.30-1+deb9u1fixed
buster5.0.30-1.1fixed
bullseye5.0.30-1.2+deb11u1fixed
bookworm6.0.17+ds-1fixed
sid, trixie6.0.20+ds-1fixed
ruby-passenger (PTS)jessie, jessie (lts)4.0.53-1+deb8u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
passengersourcesqueeze2.2.11debian-2+deb6u1DLA-394-1
passengersource(unstable)5.0.22-1807354
ruby-passengersourcejessie4.0.53-1+deb8u1DLA-1399-1
ruby-passengersource(unstable)(unfixed)864651

Notes

[wheezy] - ruby-passenger <no-dsa> (Minor issue)
https://bugzilla.suse.com/show_bug.cgi?id=956281
https://github.com/phusion/passenger/commit/c04590871ca0878d4d3ac1220c5a554b049056b4 (4.x)
https://github.com/phusion/passenger/commit/ddb8ecc4ebf260e4967f57f271d4f5761abeac3e (5.x)

Search for package or bug name: Reporting problems