My understanding of Alex's suggestion in comment 2 is that upstream
don't consider this to be a security vulnerability and in Ubuntu the
security team doesn't see a reason to diverge from that opinion. So
we'll treat this as a non-security fix for now and follow the process
for a regular bugfix.

Note that this means that users who opt for security updates only will
not receive this fix.

If this position changes (for example if you convince upstream that it
is a security issue and a CVE is warranted) then the Ubuntu security
team can always rebuild and push the fix to the security pocket later,
to also give the fix to users opting for security updates only.

** Changed in: apache2 (Ubuntu Xenial)
       Status: Incomplete => Fix Committed

** Tags added: verification-needed verification-needed-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
  mod_rewrite rule is triggered

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
