[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

Hi Chris, Utkarsh, all

In this particular case Salvatore have told that the CVE needs to be assigned by Apache CNA.
We should ask them about it I guess.

When I added it to dla-needed it looked severe enough to warrant a fix. Let me know if you have any other opinion.
If we see delays in response regarding the CVE assignment I think we can release a fix with just the bug reference, not to delay things unnecessarily.
But I do not think a few days is an issue, so try to get the CVE first.

Hope this helps.

Best regards

// Ola

On Sun, 10 May 2020 at 00:58, Chris Lamb <lamby@debian.org> wrote:
Hi Utkarsh et al.,

> Unless there's a CVE assigned for this, should I really be fixing it
> and announcing the update?

This might be conflating cause and effect. Let me ask a question in
return - did you consider applying for a CVE? If we cannot justify
applying for one on grounds of severity then by that very fact it
won't be worth fixing in Jessie LTS.

(Getting a CVE is somewhat easier than you think and my the first CVE
I was assigned was actually a nice little badge of honour.)


     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: