[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

Hi Utkarsh et al.,

> Unless there's a CVE assigned for this, should I really be fixing it 
> and announcing the update?

This might be conflating cause and effect. Let me ask a question in
return - did you consider applying for a CVE? If we cannot justify
applying for one on grounds of severity then by that very fact it
won't be worth fixing in Jessie LTS.

(Getting a CVE is somewhat easier than you think and my the first CVE
I was assigned was actually a nice little badge of honour.)


     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk

Reply to: