Hi, [For context, this report first reached the security team, we redirected to the LTS team as specific for the jessie version of apache2]
On Wed, Apr 29, 2020 at 07:00:38AM +0000, Andrey Zelenchuk wrote: > Package: apache2 > Version: 2.4.10-10+deb8u16 > Severity: grave > Tags: security > > Dear Maintainer, > > There is a bug in mod_remoteip (a part of Apache Web Server): > https://bz.apache.org/bugzilla/show_bug.cgi?id=60251 > Although the status of this bug is "NEW", actually it was fixed in > Apache 2.4.24. > Although a CVE id was not requested yet, actually it is a vulnerability. For this one, if there is need of a CVE, then this needs to be done by the Apache CNA itself, as it's a product covered by this CNA, cf. https://cve.mitre.org/cve/request_id.html#cna_participants So, Andrey I would suggest ask directly them if (or why not) a CVE might be assigned for this mod_remoteip issue. Hope this helps, Regards, Salvatore
