[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


Hi Linus,

as others might be interested in the answer as well, I also send it to debian-lts@.

On irc you wrote:
15:05 < Nirkus> have some old redmine running on squeeze-lts (yeah..) and since the update yesterday the following redmine code bails out with "private method `split' called for nil:NilClass" at the following line: 15:06 < Nirkus> @env['QUERY_STRING'].present? ? @env['QUERY_STRING'] : (@env['REQUEST_URI'].split('?', 2)[1] || '') 15:11 < Nirkus> ah, the code is actually from: libactionpack-ruby1.8: /usr/lib/ruby/1.8/action_controller/request.rb 15:51 < Nirkus> downgrading to libapache2-mod-passenger=2.2.11debian-2 fixes the above issue...

In CVE-2015-7519[1] it was detected, that it is possible to obtain
unauthorized access if you send http variables with "_" instead of "-". More information can be found here[2]. As a solution it was proposed to simply filter out all variables containing an "_". This was already done in mod_cgi of apache[3] and now I applied a similar patch to libapache2-mod-passenger as well.

Unfortunately there seems to be software that relies on underscores in variable names. So if you need such variables you might want to use the workaround for apache, described in[2].


[1] https://security-tracker.debian.org/tracker/CVE-2015-7519
[2] https://blog.phusion.nl/2015/12/07/cve-2015-7519/
[3] http://mail-archives.apache.org/mod_mbox/httpd-dev/201010.mbox/<201010121630.19406.mss@apache.org>

Reply to: