
Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered



Hi,

[For context, this report first reached the security team; we
redirected it to the LTS team as it is specific to the jessie version of
apache2]

On Wed, Apr 29, 2020 at 07:00:38AM +0000, Andrey Zelenchuk wrote:
> Package: apache2
> Version: 2.4.10-10+deb8u16
> Severity: grave
> Tags: security
> 
> Dear Maintainer,
> 
> There is a bug in mod_remoteip (a part of Apache Web Server):
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
> Although the status of this bug is "NEW", actually it was fixed in
> Apache 2.4.24.
> Although a CVE id was not requested yet, actually it is a vulnerability.

For this one, if there is a need for a CVE, then this needs to be done by
the Apache CNA itself, as it is a product covered by that CNA, cf.
https://cve.mitre.org/cve/request_id.html#cna_participants

So, Andrey, I would suggest asking them directly whether (or why not) a CVE
might be assigned for this mod_remoteip issue.

Hope this helps,

Regards,
Salvatore
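The following is an added illustration of the right-to-left trust walk mod_remoteip is meant to perform on the header named by RemoteIPHeader; it is example code written for this page, not Apache's source and not taken from the bug report above. The configuration (a 10.0.0.0/8 RemoteIPInternalProxy range), the addresses and the header values are constructed, and the handling of a malformed hop is an assumption. It shows why a client that reaches the server directly cannot change its address by sending X-Forwarded-For, why entries an attacker prepends behind a genuine proxy are never consumed, and a stability check for re-running the walk on a request that has already been processed, which is the kind of re-entry a mod_rewrite-triggered second pass involves; the specific failure described in the linked bug is not reproduced here.

```python
"""Model of the right-to-left trust walk mod_remoteip performs on
X-Forwarded-For. Added example, not Apache's code; every address and
header below is constructed sample data."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed config: the equivalent of `RemoteIPInternalProxy 10.0.0.0/8`.
# Only hops delivered by one of these networks are believed.
INTERNAL_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal_proxy(addr: str, proxies: Iterable = INTERNAL_PROXIES) -> bool:
    """True if addr parses and lies in a configured proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in proxies)


def effective_client_ip(conn_ip: str, xff: str,
                        proxies: Iterable = INTERNAL_PROXIES) -> Tuple[str, List[str]]:
    """Return (client_ip, header entries that were not consumed).

    Start from the address the TCP connection actually came from. While that
    address is a configured proxy, take the rightmost remaining header entry
    as the next hop; stop at the first address that is not a proxy. Anything
    the client prepended to the header sits to the left of the first
    untrusted hop and is never reached.
    """
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    current = conn_ip
    while entries and is_internal_proxy(current, proxies):
        candidate = entries[-1]
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # assumption: a malformed hop ends the walk, keep what we have
        entries.pop()
        current = candidate
    return current, entries


def walk_is_stable(conn_ip: str, xff: str,
                   proxies: Iterable = INTERNAL_PROXIES) -> bool:
    """Re-run the walk on its own output (the rewritten peer address plus the
    entries it did not consume), as a second pass over the same request
    would. A correct walk must not move the client address again."""
    client, rest = effective_client_ip(conn_ip, xff, proxies)
    again, _ = effective_client_ip(client, ", ".join(rest), proxies)
    return again == client


if __name__ == "__main__":
    cases = [
        ("203.0.113.7", "10.0.0.1"),             # direct client, spoof attempt
        ("10.0.0.5", "203.0.113.7"),             # one trusted proxy in front
        ("10.0.0.5", "1.1.1.1, 198.51.100.9"),   # attacker-prepended entry
        ("10.0.0.5", "198.51.100.9, 10.0.0.6"),  # two internal hops
    ]
    for peer, header in cases:
        print(peer, repr(header), "->", effective_client_ip(peer, header),
              "stable:", walk_is_stable(peer, header))
```

The first case is the one that matters for the spoofing claim in the subject line: the connection peer is not a configured proxy, so the header is ignored and the peer address stands. The walk is also stable under re-application because it can only stop on a non-proxy address or on an exhausted header, and neither moves on a second pass; an implementation that instead re-reads the full original header against an already-rewritten address has to establish that property separately.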

