
CVE-2015-7519



Hi Linus,

as others might be interested in the answer as well, I also send it to debian-lts@.

On irc you wrote:
15:05 < Nirkus> have some old redmine running on squeeze-lts (yeah..) and since the update yesterday the following redmine code bails out with "private method `split' called for nil:NilClass" at the following line:
15:06 < Nirkus> @env['QUERY_STRING'].present? ? @env['QUERY_STRING'] : (@env['REQUEST_URI'].split('?', 2)[1] || '')
15:11 < Nirkus> ah, the code is actually from: libactionpack-ruby1.8: /usr/lib/ruby/1.8/action_controller/request.rb
15:51 < Nirkus> downgrading to libapache2-mod-passenger=2.2.11debian-2 fixes the above issue...



In CVE-2015-7519[1] it was detected that it is possible to obtain
unauthorized access if you send HTTP variables with "_" instead of "-". More information can be found here[2]. As a solution it was proposed to simply filter out all variables containing an "_". This was already done in mod_cgi of Apache[3], and now I applied a similar patch to libapache2-mod-passenger as well.

Unfortunately there seems to be software that relies on underscores in variable names. So if you need such variables, you might want to use the workaround for Apache described in [2].

  Thorsten



[1] https://security-tracker.debian.org/tracker/CVE-2015-7519
[2] https://blog.phusion.nl/2015/12/07/cve-2015-7519/
[3] http://mail-archives.apache.org/mod_mbox/httpd-dev/201010.mbox/<201010121630.19406.mss@apache.org>