passenger -- client controlled header overwriting

Daniel Knoppel reports:

It was discovered by the SUSE security team that it was possible,
in some cases, for clients to overwrite headers set by the server,
resulting in a medium level security issue. CVE-2015-7519 has been
assigned to this issue.
Affected use-cases:
Header overwriting may occur if all of the following conditions are met:

Apache integration mode, or standalone+builtin engine without
a filtering proxy
Ruby or Python applications only (Passenger 5); or any
application (Passenger 4)
The app depends on a request header containing a dash (-)
The header is supposed to be trusted (set by the server)
The client correctly guesses the header name

This vulnerability has been fixed by filtering out client headers
that do not consist of alphanumeric/dash characters (Nginx already
did this, so Passenger+Nginx was not affected). If your application
depends on headers that don’t conform to this, you can add a
workaround in Apache specifically for those to convert them to a
dash-based format.