group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1769304] Re: Apache2 mod_remoteip+rewrite allows client to forge IP address

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Bryce Harrington <1769304@xxxxxxxxxxxxxxxxxx>
Date: Wed, 10 Nov 2021 17:00:36 -0000
Reply-to: Bug 1769304 <1769304@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

[Xenial has reached end of its standard support period.]

** Changed in: apache2 (Ubuntu Xenial)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1769304

Title:
  Apache2 mod_remoteip+rewrite allows client to forge IP address

Status in apache2 package in Ubuntu:
  Fix Released
Status in apache2 source package in Xenial:
  Won't Fix

Bug description:
  Apache bug #60251 describes this problem:

  https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

  mod_remoteip allows us to set the client's IP address using a trusted
  proxy's X-Forwarded-For header. However, in a location which uses a
  RewriteRule, the last IP address in the chain is incorrectly stripped
  while redirecting to the new location, allowing a caller to forge
  whatever IP address they like by including it in an X-Forwarded-For
  header.

  Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is
  fixed upstream in 2.4.24, can the fix be backported to xenial-updates?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1769304/+subscriptions