Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

[Ola Lundqvist <ola@inguza.com>]

Hi Chris, Utkarsh, all

In this particular case Salvatore have told that the CVE needs to be assigned by Apache CNA.

We should ask them about it I guess.

When I added it to dla-needed it looked severe enough to warrant a fix. Let me know if you have any other opinion.

If we see delays in response regarding the CVE assignment I think we can release a fix with just the bug reference, not to delay things unnecessarily.

But I do not think a few days is an issue, so try to get the CVE first.

Hope this helps.

Best regards

// Ola

On Sun, 10 May 2020 at 00:58, Chris Lamb <lamby@debian.org> wrote:

Hi Utkarsh et al.,

> Unless there's a CVE assigned for this, should I really be fixing it
> and announcing the update?

This might be conflating cause and effect. Let me ask a question in
return - did you consider applying for a CVE? If we cannot justify
applying for one on grounds of severity then by that very fact it
won't be worth fixing in Jessie LTS.

(Getting a CVE is somewhat easier than you think and my the first CVE
I was assigned was actually a nice little badge of honour.)


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

--

 --- Inguza Technology AB --- MSc in Information Technology ----

|  ola@inguza.com                    opal@debian.org            |

|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

 ---------------------------------------------------------------