Your message dated Fri, 24 Jan 2014 07:48:19 +0000
with message-id <[email protected]>
and subject line Bug#726529: fixed in libapache2-mod-rpaf 0.6-12
has caused the Debian Bug report #726529,
regarding libapache2-mod-rpaf: failure to work with authz allow/deny
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
726529: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726529
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache2-mod-rpaf
Version: 0.6-7
Severity: important

Dear Maintainer,

this is a follow-up of bug #697644. I could reproduce the problem today on
two up-to-date Wheezys, and here are the instructions to encounter the bug.

Set up a single default Apache vhost, which we thus may reach with any name.
E.g.:

  <VirtualHost *:80>
      ServerName rpaf-bug
      DocumentRoot /var/www
      CustomLog /var/log/apache2/access.log combined
      <Location />
          Order deny,allow
          Deny from all
          Allow from 1.2.3.4
      </Location>
  </VirtualHost>

... where 1.2.3.4 is an IP address of your host.

Then on this same host, try:

  $ curl http://localhost/
  (denied with Apache default 403 page)

  $ curl http://1.2.3.4/
  (granted, serves /var/www/default/index.html happily)

So everything's fine till there.

Then install libapache2-mod-rpaf and keep its default config (which trusts
127.0.0.1), and try:

  $ curl -H 'X-Forwarded-For: 1.2.3.4' http://localhost/
  (denied with Apache default 403 page)

  $ tail /var/log/apache2/access.log
  ...
  1.2.3.4 - - [09/Jan/2014:22:15:53 +0100] "GET / HTTP/1.1" 403 461 "-" "curl/7.26.0"
  ...

... where obviously mod_rpaf works fine (seeing the log) but auth is
wrongfully denied. CGIs also get 1.2.3.4 in REMOTE_ADDR.

I made several tests, and it's clear that Apache authz runs against the real
client IP (127.0.0.1 above), and not the one in X-Forwarded-For.

This problem bit me this afternoon with a serious security exposure while
migrating a site to a new server with the help of a reverse proxy. I think
this is a serious issue.

-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-rpaf depends on:
ii  apache2-mpm-worker [apache2-mpm]  2.2.22-13
ii  libc6                             2.13-38

libapache2-mod-rpaf recommends no packages.

libapache2-mod-rpaf suggests no packages.

-- no debconf information
--- End Message ---
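The trust logic that the report above exercises, as an added example in Python. This is not code from mod_rpaf, Apache or the reporter; it models the decision a proxy-aware access check has to make and reproduces the reporter's three curl runs on constructed input. It goes beyond the single-proxy setup in the report: it walks the X-Forwarded-For chain from the right, discarding addresses that belong to trusted proxies (mod_rpaf 0.6, per the package description in the closing message, simply takes the last entry, which is equivalent when exactly one trusted proxy is in front), handles IPv6 peers, and evaluates the same Order deny,allow / Deny from all / Allow from 1.2.3.4 rule either against the derived client address (the intended behaviour) or against the raw TCP peer (what the report observed: 1.2.3.4 in access.log, yet a 403). The addresses 203.0.113.7, 10.0.0.0/8 and 2001:db8::1 are constructed test values; TRUSTED_PROXIES and ALLOW_FROM are assumptions standing in for the module's and vhost's configuration.

```python
import ipaddress
from typing import Iterable, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed deployment: Apache behind a proxy on loopback (the package default
# trusts 127.0.0.1); 10.0.0.0/8 is a constructed second proxy tier used only
# to show a multi-hop chain.
TRUSTED_PROXIES = ["127.0.0.1", "::1", "10.0.0.0/8"]
# The report's rule: Order deny,allow / Deny from all / Allow from 1.2.3.4
ALLOW_FROM = ["1.2.3.4"]


def _is_trusted(addr: IPAddress, trusted: Iterable[str]) -> bool:
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)


def effective_client_ip(peer_ip: str, xff: Optional[str],
                        trusted_proxies: Iterable[str]) -> IPAddress:
    """Address that access control should be evaluated against.

    X-Forwarded-For only means something when the TCP peer is a proxy we
    control, because any client can send the header itself. Walk the chain
    from the right, dropping our own proxies; the first remaining hop is the
    client. For a single trusted proxy this is the last entry, which is what
    mod_rpaf 0.6 uses.
    """
    trusted = list(trusted_proxies)
    peer = ipaddress.ip_address(peer_ip)
    if not xff or not _is_trusted(peer, trusted):
        return peer
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",") if h.strip()]
    except ValueError:
        return peer  # malformed header: do not guess, keep the real peer
    if not hops:
        return peer
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0]  # whole chain is our own proxies: request originated inside


def allowed_by_rule(addr: IPAddress, allow_from: Iterable[str]) -> bool:
    """Order deny,allow + Deny from all: permitted only on an Allow match."""
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allow_from)


def decide(peer_ip: str, xff: Optional[str],
           authz_uses_rewritten_addr: bool = True) -> Tuple[str, bool]:
    """Return (address that would be logged, access granted?).

    With authz_uses_rewritten_addr=False the rule is checked against the raw
    peer while the log still shows the rewritten address: the mismatch the
    report describes.
    """
    client = effective_client_ip(peer_ip, xff, TRUSTED_PROXIES)
    checked = client if authz_uses_rewritten_addr else ipaddress.ip_address(peer_ip)
    return str(client), allowed_by_rule(checked, ALLOW_FROM)


if __name__ == "__main__":
    for peer, xff, fixed in [
        ("127.0.0.1", None, True),         # curl http://localhost/            -> 403
        ("1.2.3.4", None, True),           # curl http://1.2.3.4/              -> 200
        ("127.0.0.1", "1.2.3.4", True),    # XFF via trusted proxy, intended   -> 200
        ("127.0.0.1", "1.2.3.4", False),   # same request, authz on raw peer   -> 403
        ("203.0.113.7", "1.2.3.4", True),  # spoofed XFF from untrusted peer   -> 403
    ]:
        print(peer, xff, fixed, decide(peer, xff, fixed))
```

The last case is the one that matters when a module like this is switched on: once the header is honoured, an Allow rule is only as strong as the list of peers allowed to set it, so the trusted-proxy list must contain nothing a client can connect from directly.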
--- Begin Message ---
Source: libapache2-mod-rpaf
Source-Version: 0.6-12

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-rpaf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <[email protected]> (supplier of updated libapache2-mod-rpaf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 24 Jan 2014 10:24:27 +0400
Source: libapache2-mod-rpaf
Binary: libapache2-mod-rpaf
Architecture: source amd64
Version: 0.6-12
Distribution: unstable
Urgency: low
Maintainer: Sergey B Kirpichev <[email protected]>
Changed-By: Sergey B Kirpichev <[email protected]>
Description:
 libapache2-mod-rpaf - module for Apache2 which takes the last IP from the 'X-Forwarded-
Closes: 726529
Changes:
 libapache2-mod-rpaf (0.6-12) unstable; urgency=low
 .
   * Add transition notes
   * Fix lintian error: vcs-field-not-canonical
   * Bump up Standards-Version (to 3.9.5)
   * Add --no-silent to LTFLAGS
   * Restore 030_ipv6.patch, removed by QA upload in 0.6-1 (Closes: #726529)
   * Refresh patches
Checksums-Sha1:
 01c3ccea1948981faf79398a0130857ca710bfb8 1995 libapache2-mod-rpaf_0.6-12.dsc
 60f2966fd45f846c10479766cac454cb0b485e08 6740 libapache2-mod-rpaf_0.6-12.debian.tar.xz
 cd69229c2d6ead4abe0f2241c22c7ba020b1178d 10726 libapache2-mod-rpaf_0.6-12_amd64.deb
Checksums-Sha256:
 2dcdb268a8c9116646415759902df700b940583e3aa6c896f09f2b144527c4ef 1995 libapache2-mod-rpaf_0.6-12.dsc
 953da336e54bd275cd1fa7139989b53ae2662a1c6f1200ed868f483de686a982 6740 libapache2-mod-rpaf_0.6-12.debian.tar.xz
 baf11d15ca48c54b4d2a2c50bd7e8d44f7abb64c2cef5930cbee964f9d168276 10726 libapache2-mod-rpaf_0.6-12_amd64.deb
Files:
 ae8dd6d1c1d52e30131fe4e0b183b474 1995 httpd extra libapache2-mod-rpaf_0.6-12.dsc
 de0f31ab1764c7d9ed044c5b6e650126 6740 httpd extra libapache2-mod-rpaf_0.6-12.debian.tar.xz
 3068bb52d916faf4791a43fd7b63feaa 10726 httpd extra libapache2-mod-rpaf_0.6-12_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJS4gz+AAoJEDnJoLZAJirwU2EP/RSXHh8w5bf7geMvDH4zR0Sf
H/gNBbJzpBo+RRODfJ2FOMdnweF3+/T0TTqf2Ztlp+ohMoiGCeobb8Nz9dI2HU/z
SoQo79L7XHUxlHyoaqs3aeU1ClxYQDqEY2Ez7kDS+Wr+zscmb8rRdi5ImrpY9ADP
IoZqwR3qTDs8MTU++V7ypLjFIog5IZN5qi9h3b7eC7f33POIn0ujpZeeKzdqlcit
iMG8OoF5lYU3057345zKkuQzARan7t5vLlU5gEUBuFfXd/hZb9YZHdQyb/ldMVnN
Ii9U1FUfzLZDg5NwG6M2ZZuuwvVSGsYBGZN0HcEALSpcnFfb5I1O3H20PYuxPX/H
5Aj9WTEcORSIdCjADfdADa+ixnruTDTFdlk1IFN3sOhPa/GwMD7lqQoWkEcyUpvS
R9bv7xD+avkKcaTITnGXzI6pOCJkxcQgmkqS1gflzR+5iZMhJVXFSDqfipLY+JpQ
Oe4oy6tHLsazhVZQLWP9Qz7LEK+NsEV3VJrBAO1bYplVyS4PiCDbbdu/Pl/PeDLe
M2COgvsydPBhG/L2r6rhkxu5sWj6r1NMd8he2sw+/dyt4lezwknEnzrbQbGsZD7B
QbJcaA8/ARwM0XVLzl+FZzXav5OpTUbEaO9dMech9NslybLxvGyiBipQZmGEw/1Q
KKk/JN71ludiB8XtvNQ/
=Tg/d
-----END PGP SIGNATURE-----
--- End Message ---

