group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1875299] Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Robie Basak <1875299@xxxxxxxxxxxxxxxxxx>
Date: Wed, 27 May 2020 14:43:55 -0000
Reply-to: Bug 1875299 <1875299@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Thank you for taking the time to report this bug and helping to make
Ubuntu better.

Next steps:

1) We need to check if this problem is fixed in the current development
release of Ubuntu, and if a fix is needed in any other stable releases.

2) We need a step-by-step test case to reproduce the problem.

If you could help with either of these, this would be appreciated and
help us land a fix.

** Tags added: server-next

** Also affects: apache2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: apache2 (Ubuntu Xenial)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
  mod_rewrite rule is triggered

Status in apache2 package in Ubuntu:
  New
Status in apache2 source package in Xenial:
  Triaged

Bug description:
  There is a bug in mod_remoteip (a part of Apache Web Server): https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
  Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24.
  Although a CVE id was not requested yet, actually it is a vulnerability.

  The fix was not backported to Ubuntu 16.04 (xenial).

  Impact: if a victim uses Apache rewrite rules, then an attacker can
  spoof his IP address for logs and PHP scripts.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: apache2 2.4.18-2ubuntu3.14
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  Apache2ConfdDirListing: False
  ApportVersion: 2.20.1-0ubuntu2.23
  Architecture: amd64
  Date: Mon Apr 27 13:17:43 2020
  SourcePackage: apache2
  UpgradeStatus: No upgrade log present (probably fresh install)
  error.log:
   
  modified.conffile..etc.apache2.apache2.conf: [modified]
  modified.conffile..etc.apache2.mods-available.dir.conf: [modified]
  modified.conffile..etc.apache2.mods-available.ssl.conf: [modified]
  modified.conffile..etc.apache2.ports.conf: [modified]
  modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
  modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
  mtime.conffile..etc.apache2.apache2.conf: 2020-04-23T15:45:48.416970
  mtime.conffile..etc.apache2.mods-available.dir.conf: 2020-04-23T12:03:13.711062
  mtime.conffile..etc.apache2.mods-available.ssl.conf: 2020-04-23T12:02:44.854484
  mtime.conffile..etc.apache2.ports.conf: 2020-04-23T15:45:48.169037
  mtime.conffile..etc.apache2.sites-available.000-default.conf: 2020-04-23T15:45:48.197030
  mtime.conffile..etc.apache2.sites-available.default-ssl.conf: 2020-04-23T15:45:48.225022

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+subscriptions