Ok, that means we need more than "just" the fix to https://bz.apache.org/bugzilla/show_bug.cgi?id=60251. Probably something else that was between 2.4.18 and 2.4.24 ...
The only other change to remoteip itself was [1], but that doesn't seem to be what we miss.

This issue seemed nice - and I wanted to help to drive it to conclusion even though it didn't seem too severe - as the fix was already identified, but right now this will need deeper analysis of what fix(es) we actually need :-/

@Marcus - if you have more suggestions which might fix it I'm happy to re-build a PPA for us to test.

[1]: https://github.com/apache/httpd/commit/1618a30e0d7797af2dc8f9bd18136d55c20d8f70

** Bug watch added: bz.apache.org/bugzilla/ #60251
   https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

--
https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered