Package : passenger
Version : 2.2.11debian-2+deb6u1
CVE ID : CVE-2015-7519

agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
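
Added example, not part of the advisory or of Passenger's code: it shows why X-User and X_User become indistinguishable once header names are converted to CGI-style environment keys, and a filter that drops underscore-named headers before conversion. The filter is an assumed mitigation, not necessarily the upstream fix; the function names, host name and header values are constructed.

```python
# Added example: CGI-style header normalization and an underscore filter.
# All header names and values below are constructed sample input.

def cgi_env_name(header_name):
    """Map an HTTP header name to its CGI/Rack-style environment key."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def build_env(headers):
    """Naive conversion: on a key collision the later header wins."""
    env = {}
    for name, value in headers:
        env[cgi_env_name(name)] = value
    return env

def find_collisions(headers):
    """Return env keys that more than one distinct header name maps to."""
    seen = {}
    for name, _ in headers:
        seen.setdefault(cgi_env_name(name), set()).add(name.lower())
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}

def drop_underscore_headers(headers):
    """Discard any header whose name contains an underscore (assumed mitigation)."""
    kept = [(n, v) for n, v in headers if "_" not in n]
    dropped = [n for n, _ in headers if "_" in n]
    return kept, dropped

# Constructed request in which both spellings of the header arrive together.
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("X-User", "alice"),
    ("X_User", "admin"),
]

if __name__ == "__main__":
    print("naive env:   ", build_env(SAMPLE_HEADERS))
    print("collisions:  ", find_collisions(SAMPLE_HEADERS))
    kept, dropped = drop_underscore_headers(SAMPLE_HEADERS)
    print("dropped:     ", dropped)
    print("filtered env:", build_env(kept))
```

The output of `find_collisions` is also usable as a detection signal: a request that carries two header names mapping to the same environment key is worth logging.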
