FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-19 20:48:44 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
84fdd1bb-9d37-11e5-8f5c-002590263bf5	passenger -- client controlled header overwriting Daniel Knoppel reports: It was discovered by the SUSE security team that it was possible, in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. CVE-2015-7519 has been assigned to this issue. Affected use-cases: Header overwriting may occur if all of the following conditions are met: Apache integration mode, or standalone+builtin engine without a filtering proxy Ruby or Python applications only (Passenger 5); or any application (Passenger 4) The app depends on a request header containing a dash (-) The header is supposed to be trusted (set by the server) The client correctly guesses the header name This vulnerability has been fixed by filtering out client headers that do not consist of alphanumeric/dash characters (Nginx already did this, so Passenger+Nginx was not affected). If your application depends on headers that don't conform to this, you can add a workaround in Apache specifically for those to convert them to a dash-based format. Discovery 2015-12-07 Entry 2015-12-07 rubygem-passenger ge 5.0.0 lt 5.0.22 < 4.0.60 CVE-2015-7519 https://blog.phusion.nl/2015/12/07/cve-2015-7519/

VuXML ID

Description

84fdd1bb-9d37-11e5-8f5c-002590263bf5

passenger -- client controlled header overwriting

Daniel Knoppel reports:

It was discovered by the SUSE security team that it was possible, in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. CVE-2015-7519 has been assigned to this issue.

Affected use-cases:

Header overwriting may occur if all of the following conditions are met:

Apache integration mode, or standalone+builtin engine without a filtering proxy

Ruby or Python applications only (Passenger 5); or any application (Passenger 4)

The app depends on a request header containing a dash (-)

The header is supposed to be trusted (set by the server)

The client correctly guesses the header name

This vulnerability has been fixed by filtering out client headers that do not consist of alphanumeric/dash characters (Nginx already did this, so Passenger+Nginx was not affected). If your application depends on headers that don't conform to this, you can add a workaround in Apache specifically for those to convert them to a dash-based format.

Discovery 2015-12-07
Entry 2015-12-07
rubygem-passenger

ge 5.0.0 lt 5.0.22

< 4.0.60

CVE-2015-7519
https://blog.phusion.nl/2015/12/07/cve-2015-7519/