
Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered



Hi

Added the package to DLA needed.

// Ola

On Thu, 30 Apr 2020 at 06:31, Salvatore Bonaccorso <carnil@debian.org> wrote:
>
> Hi,
>
> [For context, this report first reached the security team, we
> redirected to the LTS team as specific for the jessie version of
> apache2]
>
> On Wed, Apr 29, 2020 at 07:00:38AM +0000, Andrey Zelenchuk wrote:
> > Package: apache2
> > Version: 2.4.10-10+deb8u16
> > Severity: grave
> > Tags: security
> >
> > Dear Maintainer,
> >
> > There is a bug in mod_remoteip (a part of Apache Web Server):
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
> > Although the status of this bug is "NEW", actually it was fixed in
> > Apache 2.4.24.
> > Although a CVE id was not requested yet, actually it is a vulnerability.
>
> For this one, if there is need of a CVE, then this needs to be done by
> the Apache CNA itself, as it's a product covered by this CNA, cf.
> https://cve.mitre.org/cve/request_id.html#cna_participants
>
> So, Andrey, I would suggest asking them directly if (or why not) a CVE
> might be assigned for this mod_remoteip issue.
>
> Hope this helps,
>
> Regards,
> Salvatore
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

