Hello Robie,

I just had a look at the proposed package and it fixes the issue for me.

To test the patch I followed the steps as explained in the bug description, first with

  apache2/xenial-updates,now 2.4.18-2ubuntu3.14 amd64

and the issue could be reproduced with the command

  $ curl 192.168.1.129/test -H 'X-Forwarded-For: 1.1.1.1'
  > 1.1.1.1

After upgrading the package to

  apache2/xenial-proposed,now 2.4.18-2ubuntu3.15 amd64

and running the same curl command as before, the output was the expected real IP address of the client.

  $ curl 192.168.1.129/test -H 'X-Forwarded-For: 1.1.1.1'
  > 192.168.1.100

Regards

--
https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered