*** This bug is a security vulnerability ***

Public security bug reported:

Apache bug #60251 describes this problem:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

mod_remoteip allows us to set the client's IP address using a trusted proxy's X-Forwarded-For header. However, in a location which uses a RewriteRule, the last IP address in the chain is incorrectly stripped while redirecting to the new location, allowing a caller to forge whatever IP address they like by including it in an X-Forwarded-For header.

Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is fixed upstream in 2.4.24, can the fix be backported to xenial-updates?

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1769304

Title:
  Apache2 mod_remoteip+rewrite allows client to forge IP address
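
A simplified model of the behaviour the report describes, added here as an illustration; it is not Apache's code or the reporter's. The trusted-proxy set, the function names and the documentation-range addresses are constructed, and the mechanism is an assumption: the first pass consumes the last X-Forwarded-For entry, and the internal redirect then resolves the shortened header again starting from the proxy's TCP address.

```python
# Simplified model of mod_remoteip-style X-Forwarded-For handling.
# Not Apache's code; all addresses are constructed documentation-range values.
TRUSTED_PROXIES = {"192.0.2.10"}  # stands in for the RemoteIPTrustedProxy set


def resolve(start_ip, headers):
    """Walk X-Forwarded-For right to left while the current address is a
    trusted proxy. Consumed entries are removed from the header (assumed
    behaviour), so `headers` is mutated."""
    client = start_ip
    raw = headers.get("X-Forwarded-For", "")
    chain = [h.strip() for h in raw.split(",") if h.strip()]
    while chain and client in TRUSTED_PROXIES:
        client = chain.pop()
    if chain:
        headers["X-Forwarded-For"] = ", ".join(chain)
    else:
        headers.pop("X-Forwarded-For", None)
    return client


def handle(peer_ip, xff, rewrite, carry_over):
    """Return the client IP the final handler sees.

    rewrite=True models a RewriteRule causing an internal redirect, which
    runs the resolution step a second time on the same headers.
    carry_over=False restarts from the TCP peer (the reported behaviour);
    carry_over=True keeps the address resolved on the first pass (assumed
    shape of the fix)."""
    headers = {"X-Forwarded-For": xff}
    client = resolve(peer_ip, headers)
    if rewrite:
        start = client if carry_over else peer_ip
        client = resolve(start, headers)
    return client


if __name__ == "__main__":
    proxy, real, forged = "192.0.2.10", "198.51.100.7", "203.0.113.99"
    # The client sent `forged`; the trusted proxy appended `real`.
    xff = f"{forged}, {real}"
    for rewrite, carry in [(False, False), (True, False), (True, True)]:
        print(f"rewrite={rewrite} carry_over={carry} ->",
              handle(proxy, xff, rewrite, carry))
```

Running the same comparison against a test vhost, with and without the RewriteRule, and checking the logged client address is a quick way to confirm whether a given package build still shows the behaviour.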