Package: apache2 Version: 2.4.10-10+deb8u16 Severity: grave Tags: security Dear Maintainer,
There is a bug in mod_remoteip (a part of Apache Web Server): https://bz.apache.org/bugzilla/show_bug.cgi?id=60251 Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24. Although a CVE id was not requested yet, actually it is a vulnerability. The fix was not backported to Debian 8 (jessie). Impact: if a victim uses Apache rewrite rules, then an attacker can spoof his IP address for logs and PHP scripts. -- Andrey Zelenchuk Plesk | Security team
