enterprise-support team mailing list archive

Thread
Date

[Bug 1511222] [NEW] Please include patch for Apache PR 54651 in trusty-updates

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: William Shallum <loumzie+launchpad@xxxxxxxxx>
Date: Thu, 29 Oct 2015 05:32:46 -0000
Reply-to: Bug 1511222 <1511222@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Hi,

I checked and the latest version in trusty-updates is missing the patch
for PR 54651 (link below):

https://svn.apache.org/viewvc?view=revision&revision=1569006

This fixes the case where mod_remoteip  trusts multiple IP addresses in
X-Forwarded-For if the client IP is trusted. This allows anyone to spoof
the remote address by sending an X-Forwarded-For header to a trusted
proxy (which will append its own IP to it).

Is it possible to ship this patch in trusty-updates?

To answer the common questions:

$ lsb_release -rd
Description:    Ubuntu 14.04.3 LTS
Release:        14.04

$ apt-cache policy apache2-bin
apache2-bin:
  Installed: 2.4.7-1ubuntu4.8
  Candidate: 2.4.7-1ubuntu4.8
  Version table:
 *** 2.4.7-1ubuntu4.8 0
        500 http://kartolo.sby.datautama.net.id/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.7-1ubuntu4.5 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.4.7-1ubuntu4 0
        500 http://kartolo.sby.datautama.net.id/ubuntu/ trusty/main amd64 Packages

Expected to happen:  mod_remoteip should use the rightmost X-Forwarded-
For entry if the client IP is in the trusted proxy list. It should then
use the second rightmost entry if the rightmost entry is in the trusted
proxy list, and so on.

What happened instead: mod_remoteip always checks the client IP against
the trusted proxy list as it goes down the X-Forwarded-For entries. It
will always set the remote IP to the leftmost entry in X-Forwarded-For
if the client IP is trusted.

Regards,
William

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1511222

Title:
  Please include patch for Apache PR 54651 in trusty-updates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1511222/+subscriptions

Follow ups

[Bug 1511222] Re: Incorrect trusted proxy match test in mod_remoteip
From: Bryce Harrington, 2021-09-22
[Bug 1511222] Re: Incorrect trusted proxy match test in mod_remoteip
From: Robie Basak, 2015-10-30