[Bug 1769304] [NEW] Apache2 mod_remoteip+rewrite allows client to forge IP address

2018-05-04 Thread Nicholas Sherlock
*** This bug is a security vulnerability ***

Public security bug reported:

Apache bug #60251 describes this problem:

https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

mod_remoteip allows us to set the client's IP address using a trusted
proxy's X-Forwarded-For header. However, in a location which uses a
RewriteRule, the last IP address in the chain is incorrectly stripped
while redirecting to the new location, allowing a caller to forge
whatever IP address they like by including it in an X-Forwarded-For
header.

Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is fixed
upstream in 2.4.24. Can the fix be backported to xenial-updates?

** Affects: apache2 (Ubuntu)
 Importance: Undecided
 Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1769304

Title:
  Apache2 mod_remoteip+rewrite allows client to forge IP address

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1769304/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
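
The report above, as an added example that is not part of the original message and is not mod_remoteip's code: a simplified Python model of right-to-left X-Forwarded-For evaluation, showing why a second pass over the already-consumed header after an internal redirect hands back a client-supplied address. The addresses, function names and the "second pass" mechanism are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the report.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def resolve_client(peer_addr, xff):
    """One right-to-left pass: while the current address is a trusted proxy,
    take the last X-Forwarded-For entry as the new client address.
    Returns (client_addr, remaining_header)."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = peer_addr
    while hops and is_trusted(client):
        client = hops.pop()
    return client, ", ".join(hops)

def handle_request(peer_addr, xff, internal_redirect, rerun_on_redirect):
    """Model a request that may be internally redirected (e.g. by a RewriteRule).
    rerun_on_redirect=True is the assumed faulty behaviour: the pass is repeated
    from the connection's peer address against the already-consumed header."""
    client, remaining = resolve_client(peer_addr, xff)
    if internal_redirect and rerun_on_redirect:
        client, remaining = resolve_client(peer_addr, remaining)
    return client

# Constructed request: the client sent "X-Forwarded-For: 198.51.100.7" and the
# trusted proxy 192.0.2.10 appended the real client address, 203.0.113.50.
PEER = "192.0.2.10"
XFF = "198.51.100.7, 203.0.113.50"

def demo():
    return {
        "no_redirect": handle_request(PEER, XFF, False, True),
        "redirect_rerun": handle_request(PEER, XFF, True, True),
        "redirect_single_pass": handle_request(PEER, XFF, True, False),
    }

if __name__ == "__main__":
    for case, addr in demo().items():
        print(f"{case}: {addr}")
```

Only the redirect_rerun case resolves to the address the client placed in the header; evaluating the header once per connection request keeps the address appended by the trusted proxy.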

[Bug 1516451] Re: check_disk plugin broken after upgrade to 15.10

2016-09-01 Thread Nicholas Sherlock
Rather than excluding tmpfs, just exclude /run/lxcfs/controllers. This
is the check_all_disks command I'm now using in my
/etc/nagios-plugins/config/disk.cfg:

# 'check_all_disks' command definition
define command{
        command_name    check_all_disks
        command_line    /usr/lib/nagios/plugins/check_disk -w '$ARG1$' -c '$ARG2$' -e -A --exclude-type=tracefs --exclude-type=cgroup --exclude_device=/run/lxcfs/controllers
}

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1516451
