
[SECURITY] [DLA 394-1] passenger security update



Package        : passenger
Version        : 2.2.11debian-2+deb6u1
CVE ID         : CVE-2015-7519

agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header.
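
The header-name collision described above, shown as an added example (not code from Passenger or from this advisory). It assumes the usual CGI-style mapping of request headers to HTTP_* environment keys; the function names, the sample request and the drop-underscore mitigation are constructed for illustration.

```python
# Illustration of the '_' vs '-' header collision behind CVE-2015-7519.
# All names and sample data below are constructed for this example.

def cgi_key(name):
    """CGI-style mapping: upper-case the name, turn '-' into '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")

def strip_by_name(headers, protected):
    """Models a front end that removes a client-supplied header by its exact
    (case-insensitive) name before adding its own trusted value."""
    return [(n, v) for n, v in headers if n.lower() != protected.lower()]

def naive_env(headers):
    """Affected behaviour: every header is mapped, so 'X_User' and 'X-User'
    land on the same key and the application cannot tell them apart."""
    env = {}
    for name, value in headers:
        env[cgi_key(name)] = value
    return env

def filtered_env(headers):
    """Assumed mitigation: refuse any header whose name contains '_', so only
    the dash form can ever reach an HTTP_* key. Returns (env, dropped_names)."""
    env, dropped = {}, []
    for name, value in headers:
        if "_" in name:
            dropped.append(name)  # worth logging: legitimate clients rarely send these
            continue
        env[cgi_key(name)] = value
    return env, dropped

# Constructed request: the dash form is stripped upstream, the underscore form is not.
CLIENT_HEADERS = [
    ("Host", "app.example"),
    ("X-User", "forged-dash"),
    ("X_User", "forged-underscore"),
]

def demo():
    upstream = strip_by_name(CLIENT_HEADERS, "X-User")
    return naive_env(upstream), filtered_env(upstream)

if __name__ == "__main__":
    naive, (safe, dropped) = demo()
    print("naive   :", naive)
    print("filtered:", safe, "dropped:", dropped)
```
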