Your message dated Sat, 25 Jan 2014 15:47:06 +0000
with message-id <[email protected]>
and subject line Bug#726529: fixed in libapache2-mod-rpaf 0.6-7+wheezy1
has caused the Debian Bug report #726529,
regarding libapache2-mod-rpaf: failure to work with authz allow/deny
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
726529: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726529
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache2-mod-rpaf
Version: 0.6-7
Severity: important

Dear Maintainer,

this is a follow-up of bug #697644. I could reproduce the problem today on
two up-to-date Wheezys, and here are the instructions to encounter the bug.

Set up a single default Apache vhost, which we thus may reach with any name.
E.g.:

    <VirtualHost *:80>
        ServerName rpaf-bug
        DocumentRoot /var/www
        CustomLog /var/log/apache2/access.log combined
        <Location />
            Order deny,allow
            Deny from all
            Allow from 1.2.3.4
        </Location>
    </VirtualHost>

... where 1.2.3.4 is an IP address of your host. Then on this same host, try:

    $ curl http://localhost/
    (denied with Apache default 403 page)
    $ curl http://1.2.3.4/
    (granted, serves /var/www/default/index.html happily)

So everything's fine up to there. Then install libapache2-mod-rpaf and keep
its default config (which trusts 127.0.0.1), and try:

    $ curl -H 'X-Forwarded-For: 1.2.3.4' http://localhost/
    (denied with Apache default 403 page)
    $ tail /var/log/apache2/access.log
    ...
    1.2.3.4 - - [09/Jan/2014:22:15:53 +0100] "GET / HTTP/1.1" 403 461 "-" "curl/7.26.0"
    ...

where obviously mod_rpaf works fine (seeing the log) but auth is wrongfully
denied. CGIs also get 1.2.3.4 in REMOTE_ADDR.

I made several tests, and it's clear that Apache authz is evaluated against
the real client IP (127.0.0.1 above), and not the one in X-Forwarded-For.

This problem bit me this afternoon with a serious security exposure while
migrating a site to a new server with the help of a reverse proxy. I think
this is a serious issue.

-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-rpaf depends on:
ii  apache2-mpm-worker [apache2-mpm]  2.2.22-13
ii  libc6                             2.13-38

libapache2-mod-rpaf recommends no packages.

libapache2-mod-rpaf suggests no packages.

-- no debconf information
--- End Message ---
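The report above boils down to one question: which address does the access-control layer see, the TCP peer (127.0.0.1, the reverse proxy) or the client address that mod_rpaf substitutes from X-Forwarded-For? The following Python is an added example, not part of the bug report and not mod_rpaf's or Apache's own code. It models the intended interaction: take the last X-Forwarded-For entry only when the peer is a listed trusted proxy (what RPAFproxy_ips does), then apply Apache 2.2 Order/Allow/Deny semantics to that address. The policy and trusted-proxy list are copied from the report; 203.0.113.9 is a constructed untrusted client, and `rpaf_applied=False` is an assumed switch that reproduces the reported failure (authz evaluated on the raw peer). It also handles the case the reporter did not show: a client outside the proxy sending its own X-Forwarded-For header, which must not be trusted.

```python
"""Reverse-proxy-aware allow/deny, modelled on the bug report (added example)."""
import ipaddress

# Constructed from the reporter's <Location />: deny all, allow only 1.2.3.4.
POLICY = {"order": "deny,allow", "deny": ["all"], "allow": ["1.2.3.4"]}

# The report says mod_rpaf's default config trusts only the loopback proxy.
TRUSTED_PROXIES = ["127.0.0.1"]


def _matches(ip, rules):
    """True if `ip` matches any rule: 'all', a bare address, or a CIDR.
    IPv4 and IPv6 are both accepted; a v6 address never matches a v4 rule."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule == "all":
            return True
        if addr in ipaddress.ip_network(rule, strict=False):
            return True
    return False


def access_allowed(policy, ip):
    """Apache 2.2 semantics.
    deny,allow: request allowed unless a Deny matches and no Allow matches
                (anything unmatched is permitted).
    allow,deny: an Allow must match and no Deny may match
                (anything unmatched is rejected)."""
    denied = _matches(ip, policy["deny"])
    allowed = _matches(ip, policy["allow"])
    if policy["order"] == "deny,allow":
        return allowed or not denied
    if policy["order"] == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: %r" % policy["order"])


def effective_client_ip(peer_ip, headers, trusted_proxies):
    """The address mod_rpaf is meant to substitute for the connection peer:
    the LAST X-Forwarded-For entry, and only when the peer itself is a trusted
    proxy. An untrusted peer keeps its real address, so a client cannot talk
    its way past an Allow rule by sending the header directly."""
    if not _matches(peer_ip, trusted_proxies):
        return peer_ip
    xff = headers.get("X-Forwarded-For", "")
    candidate = xff.split(",")[-1].strip() if xff else ""
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip  # header absent or garbage: fall back to the peer
    return candidate


def decide(peer_ip, headers, policy=POLICY, trusted_proxies=TRUSTED_PROXIES,
           rpaf_applied=True):
    """HTTP status the request should get. rpaf_applied=False (assumed switch)
    reproduces the reported bug: authz sees the raw peer, not the forwarded IP."""
    if rpaf_applied:
        ip = effective_client_ip(peer_ip, headers, trusted_proxies)
    else:
        ip = peer_ip
    return 200 if access_allowed(policy, ip) else 403


if __name__ == "__main__":
    cases = [
        ("127.0.0.1", {}),                                # curl http://localhost/
        ("1.2.3.4", {}),                                  # curl http://1.2.3.4/
        ("127.0.0.1", {"X-Forwarded-For": "1.2.3.4"}),    # via the trusted proxy
        ("203.0.113.9", {"X-Forwarded-For": "1.2.3.4"}),  # constructed spoof attempt
    ]
    for peer, hdrs in cases:
        print(peer, hdrs, "-> expected", decide(peer, hdrs),
              "/ as reported", decide(peer, hdrs, rpaf_applied=False))
```

The third case is the reporter's failing request: with the forwarded address honoured it is allowed, and with authz still looking at 127.0.0.1 it is the 403 from the log. The fourth case is the caveat for anyone deploying this pattern: once authz does honour the substituted address, the trusted-proxy list is the only thing standing between an Allow rule and a spoofed header, so RPAFproxy_ips must list nothing but your actual proxies.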
--- Begin Message ---
Source: libapache2-mod-rpaf
Source-Version: 0.6-7+wheezy1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-rpaf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <[email protected]> (supplier of updated libapache2-mod-rpaf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Jan 2014 17:56:07 +0400
Source: libapache2-mod-rpaf
Binary: libapache2-mod-rpaf
Architecture: source amd64
Version: 0.6-7+wheezy1
Distribution: stable
Urgency: low
Maintainer: Sergey B Kirpichev <[email protected]>
Changed-By: Sergey B Kirpichev <[email protected]>
Description:
 libapache2-mod-rpaf - module for Apache2 which takes the last IP from the 'X-Forwarded-
Closes: 726529
Changes:
 libapache2-mod-rpaf (0.6-7+wheezy1) stable; urgency=low
 .
   * Restore 030_ipv6.patch, removed by QA upload in 0.6-1 (Closes: #726529)
Checksums-Sha1:
 3d63eeaf56cba02fce43208b69835396273ca01b 2018 libapache2-mod-rpaf_0.6-7+wheezy1.dsc
 ff8ff3bc4188172d5d29ebc246af2b379cb3672f 5654 libapache2-mod-rpaf_0.6-7+wheezy1.debian.tar.gz
 67810d6cd0c9e985e8c308c1b6bc71df09ed86e2 10272 libapache2-mod-rpaf_0.6-7+wheezy1_amd64.deb
Checksums-Sha256:
 319cec49bc84e5cef8cfc17b45ba6ac8dca17c347cd0e93dd459e869c13818aa 2018 libapache2-mod-rpaf_0.6-7+wheezy1.dsc
 0a69a28f77ec17dfa2ca95d99c48d08696feea1d57bb35dc588b93cd17fd44cb 5654 libapache2-mod-rpaf_0.6-7+wheezy1.debian.tar.gz
 fff354bb91957e87b8c7d70cff8bccdad4a13d433bd5af144c238c3fc85778c2 10272 libapache2-mod-rpaf_0.6-7+wheezy1_amd64.deb
Files:
 528379b30c2855b0849434b9a94a7d01 2018 httpd extra libapache2-mod-rpaf_0.6-7+wheezy1.dsc
 e9218284c9c04b69414d56f1c3953777 5654 httpd extra libapache2-mod-rpaf_0.6-7+wheezy1.debian.tar.gz
 33340011ab689144c21fd549e6a59e07 10272 httpd extra libapache2-mod-rpaf_0.6-7+wheezy1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJS4X4OAAoJEDnJoLZAJirwCr4P/01BiYy/Pxm8VthFhkmITMC0
BifFRolDhTayaoRkfWZGa7fDK9U6Fa5VRnEF59FW9JGk9Vu7RV+vPBn9+s7xiyEe
dCTydc4kkeIQ43MFGE0P1j4TaCGXI9M7rxIzqg2hvmJ3A12RSHs9XIhnFkyL+xe+
qcJW4l1+behwX70uPJSA8/VclOvPH1zxEw3fxVvsJjewG3v+GTQlpPTKmj8Lr7Ia
QSYvvWI6867bw2mDMteUiNrr1YQjGiO4zEeTdy3ED4FN/wE0ci/JsltNViRAmtA+
PwfQ//qD0IjegCtX0VuZGX3Bcd1UAPUYqI3ZHBWkPSZSZ/IeWAZGL03yMkbylc8E
z+V1kCPXiURGcnBadPVmX5VPiwPmJHD9wjpVCK54Za1mCI0s8SV9YqASTjZor60B
Ds/Cmte4DFr4myKcsoBQADTqIDTnEcux3OWsV6HXCl7aO55vSkCbP+PqUZuMXAOQ
/huY1+3gCtuoynmW0hCxfdS13oeiqreLss4QzwGjaOl5gNsTe5zEns7ZL2lSEUCS
6fuCq81k5RyswydQ2yDjGQEf4kzSRARqUWiV+iATTHI8bpnRdEwNspsKlOQ3Wqtr
27QMfVNGfPv5kD13Qd/IHY9BjsGW2eaiO6NPi2rfyYo3ULCgQIUe3uJu5vPQvzWw
YvoVCWgh1/xUCBhZzagi
=KECw
-----END PGP SIGNATURE-----
--- End Message ---

