
Adrian Schröter

#19876 of 53,633
13.1 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2018-4094
8.8
2018-06-08
Opensuse · Open Build Service Api · CVE-2013-3703
**Name of the Vulnerable Software and Affected Versions**
Open Build Service API versions prior to 2.4.4

**Description**
The issue concerns a missing write permission check in the controller of the Open Build Service API. This allows an authenticated attacker to modify user roles associated with packages and/or project meta data.

**Recommendations**
For versions prior to 2.4.4, update to version 2.4.4 or later to resolve the issue.
PT-2016-3800
4.3
2015-12-21
Phusion · Phusion Passenger · CVE-2015-7519
**Name of the Vulnerable Software and Affected Versions**
Phusion Passenger versions prior to 4.0.60
Phusion Passenger versions 5.0.x prior to 5.0.22

**Description**
The issue allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header. This can be demonstrated by an X_User header. The problem occurs when Phusion Passenger is used in Apache integration mode or in standalone mode without a filtering proxy.

**Recommendations**
For Phusion Passenger versions prior to 4.0.60, update to version 4.0.60 or later.
For Phusion Passenger versions 5.0.x prior to 5.0.22, update to version 5.0.22 or later.