[Bug 1511222] [NEW] Please include patch for Apache PR 54651 in trusty-updates

William Shallum Wed, 28 Oct 2015 22:41:11 -0700

Public bug reported:

Hi,


I checked and the latest version in trusty-updates is missing the patch
for PR 54651 (link below):

https://svn.apache.org/viewvc?view=revision&revision=1569006

This fixes the case where mod_remoteip  trusts multiple IP addresses in
X-Forwarded-For if the client IP is trusted. This allows anyone to spoof
the remote address by sending an X-Forwarded-For header to a trusted
proxy (which will append its own IP to it).

Is it possible to ship this patch in trusty-updates?

To answer the common questions:

$ lsb_release -rd
Description:    Ubuntu 14.04.3 LTS
Release:        14.04

$ apt-cache policy apache2-bin
apache2-bin:
  Installed: 2.4.7-1ubuntu4.8
  Candidate: 2.4.7-1ubuntu4.8
  Version table:
 *** 2.4.7-1ubuntu4.8 0
        500 http://kartolo.sby.datautama.net.id/ubuntu/ trusty-updates/main 
amd64 Packages
        100 /var/lib/dpkg/status
     2.4.7-1ubuntu4.5 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 
Packages
     2.4.7-1ubuntu4 0
        500 http://kartolo.sby.datautama.net.id/ubuntu/ trusty/main amd64 
Packages

Expected to happen:  mod_remoteip should use the rightmost X-Forwarded-
For entry if the client IP is in the trusted proxy list. It should then
use the second rightmost entry if the rightmost entry is in the trusted
proxy list, and so on.

What happened instead: mod_remoteip always checks the client IP against
the trusted proxy list as it goes down the X-Forwarded-For entries. It
will always set the remote IP to the leftmost entry in X-Forwarded-For
if the client IP is trusted.

Regards,
William

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/1511222

Title:
  Please include patch for Apache PR 54651 in trusty-updates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1511222/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1511222] [NEW] Please include patch for Apache PR 54651 in trusty-updates

Reply via email to