group.of.nepali.translators team mailing list archive
Message #27201
[Bug 1769304] Re: Apache2 mod_remoteip+rewrite allows client to forge IP address
This is fixed in bionic and later. Leaving a task open for xenial.
Links to the upstream fix:
https://svn.apache.org/viewvc?view=revision&revision=1767483
https://github.com/apache/httpd/commit/950093162e445141c5126e4d11e6466e3184b0ce
** Also affects: apache2 (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: apache2 (Ubuntu)
Status: Triaged => Fix Released
** Changed in: apache2 (Ubuntu Xenial)
Status: New => Triaged
** Changed in: apache2 (Ubuntu Xenial)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1769304
Title:
Apache2 mod_remoteip+rewrite allows client to forge IP address
Status in apache2 package in Ubuntu:
Fix Released
Status in apache2 source package in Xenial:
Triaged
Bug description:
Apache bug #60251 describes this problem:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
mod_remoteip allows us to set the client's IP address using a trusted
proxy's X-Forwarded-For header. However, in a location which uses a
RewriteRule, the last IP address in the chain is incorrectly stripped
while redirecting to the new location, allowing a caller to forge
whatever IP address they like by including it in an X-Forwarded-For
header.
Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is
fixed upstream in 2.4.24. Can the fix be backported to xenial-updates?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1769304/+subscriptions
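An added example, not part of the original message and not Apache httpd's code: a simplified Python model of the behaviour the bug description reports, showing why stripping the last X-Forwarded-For entry a second time on a rewritten request leaves a client-supplied value as the client IP. The function names, the trusted range 10.0.0.0/8 and all addresses are constructed; the model assumes the header processing runs again on the rewritten request, and `rerun_on_redirect=False` models the expected result, not the upstream patch.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the bug report.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
PROXY_PEER = "10.0.0.5"        # TCP peer: the trusted reverse proxy
REAL_CLIENT = "198.51.100.23"  # appended to the header by the proxy
FORGED = "203.0.113.77"        # value the client placed in its own header


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def remoteip_pass(peer_ip, headers):
    """One run of the modelled header processing: start from the TCP peer and,
    while the current address is a trusted proxy, take the right-most
    X-Forwarded-For entry as the next hop and strip it from the header."""
    chain = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",") if p.strip()]
    client = peer_ip
    while chain and is_trusted(client):
        client = chain.pop()
    if chain:
        headers["X-Forwarded-For"] = ", ".join(chain)
    else:
        headers.pop("X-Forwarded-For", None)
    return client


def logged_client_ip(peer_ip, xff, rewritten, rerun_on_redirect):
    """Client IP the server ends up with for one request.
    rerun_on_redirect=True models the affected behaviour (assumption: the
    processing runs again on the rewritten request against the already
    stripped header); False models the expected result, not the upstream patch."""
    headers = {"X-Forwarded-For": xff}
    client = remoteip_pass(peer_ip, headers)
    if rewritten and rerun_on_redirect:
        client = remoteip_pass(peer_ip, headers)
    return client


if __name__ == "__main__":
    xff = f"{FORGED}, {REAL_CLIENT}"
    for rewritten in (False, True):
        for rerun in (True, False):
            ip = logged_client_ip(PROXY_PEER, xff, rewritten, rerun)
            print(f"rewritten={rewritten} rerun={rerun} -> {ip}")
```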