The reason that ServerAlias * fixes it for some cases but not for others can be seen from the patch that addressed CVE-2009-0164:
https://bugzilla.redhat.com/attachment.cgi?id=335489

If you look at the valid_host() function, in the case the connecting address matches 127.*.*.* [1], the ServerAlias check is completely bypassed and only "localhost" or its numerical equivalents are allowed as values of the Host: header. This breaks connection via SSH tunnels, maybe other things. I'll have to downgrade to 1.3.* until this is fixed :(

Interestingly, I have apache2 set up the same way and it cares not one whit about the Host header. Perhaps the cure is worse than the disease here, given that the original vulnerability was mostly theoretical and involved broken clients?

-- 
Ian Zimmerman <[email protected]>
gpg public key: 1024D/C6FF61AD
fingerprint: 66DC D68F 5C1B 4D71 2EE5 BD03 8A00 786C C6FF 61AD
Ham is for reading, not for eating.
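To make the failure mode described in the post concrete, here is an added example (my own model of the rule the poster describes, not the CUPS valid_host() code and not the poster's code) that shows why ServerAlias * helps a client on the LAN but not one arriving through an SSH tunnel: a tunnelled connection reaches the server from 127.0.0.1, so the loopback branch applies and the Host: header must name localhost or a numeric loopback address, regardless of ServerAlias. The function name host_allowed, the server names and the addresses are constructed; treating ::1 as loopback alongside 127.*.*.* is my assumption, since the message only mentions the IPv4 range.

```python
import ipaddress

# Hypothetical model of the Host: header validation the post describes.
# It is NOT the CUPS valid_host() implementation; names are constructed.
LOOPBACK_NAMES = {"localhost"}


def _strip_port(host_header: str) -> str:
    """Return the host part of a Host: header, dropping any :port suffix."""
    if host_header.startswith("["):
        # Bracketed IPv6 literal, e.g. "[::1]:631" -> "[::1]"
        end = host_header.find("]")
        return host_header[: end + 1] if end != -1 else host_header
    return host_header.split(":", 1)[0]


def _is_loopback_literal(host: str) -> bool:
    """True for numeric loopback forms such as 127.0.0.1 or [::1]."""
    literal = host.strip("[]")
    try:
        return ipaddress.ip_address(literal).is_loopback
    except ValueError:
        return False  # not an IP literal at all


def host_allowed(client_addr: str, host_header: str,
                 server_name: str, server_aliases) -> bool:
    """Model of the validation rule: loopback clients may only use localhost
    or a numeric loopback address in Host:, and ServerAlias is never consulted
    for them; other clients are checked against ServerName/ServerAlias, where
    an alias of "*" accepts any Host: value."""
    host = _strip_port(host_header).lower()
    client = ipaddress.ip_address(client_addr)

    if client.is_loopback:
        # The "connecting address matches 127.*.*.*" branch from the post:
        # ServerAlias is bypassed entirely here (::1 treated alike by assumption).
        return host in LOOPBACK_NAMES or _is_loopback_literal(host)

    aliases = {a.lower() for a in server_aliases}
    if "*" in aliases:
        return True
    return host == server_name.lower() or host in aliases


# Constructed scenarios (server named "printsrv", ServerAlias *):
# LAN client using the real hostname: accepted via the wildcard alias.
# SSH-tunnelled client using the same hostname: rejected, because the
# connection arrives from 127.0.0.1 and ServerAlias is never checked.
if __name__ == "__main__":
    for client, host in [("192.0.2.10", "printsrv.example:631"),
                         ("127.0.0.1", "printsrv.example:631"),
                         ("127.0.0.1", "localhost:631"),
                         ("127.0.0.1", "[::1]:631")]:
        print(client, host, host_allowed(client, host, "printsrv", ["*"]))
```

Running the block prints the four constructed cases; the second line is the SSH-tunnel case and comes out False even with ServerAlias *, which is exactly the mismatch the post complains about. A client that tunnels and sets Host: localhost (or points its browser at http://localhost:631/) passes the check.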

