This bug was fixed in the package apache2 - 2.4.18-2ubuntu3.15
---
apache2 (2.4.18-2ubuntu3.15) xenial; urgency=medium
* d/p/lp-1875299-Merge-r1688399-from-trunk.patch: use r_useragent_addr as
the root trusted address (LP: #1875299)
-- Christian Ehrhardt Mon, 15 Jun 2020
Thanks for the test, marking as verified
** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
Hello Robie,
I just had a look at the proposed package and it fixes the issue for me.
To test the patch I followed the steps as explained in the bug description,
first with apache2/xenial-updates,now 2.4.18-2ubuntu3.14 amd64 and the issue
could be reproduced with the command
$ curl
My understanding of Alex's suggestion in comment 2 is that upstream
don't consider this to be a security vulnerability and in Ubuntu the
security team doesn't see a reason to diverge from that opinion. So
we'll treat this as a non-security fix for now and follow the process
for a regular bugfix.
The Security Team is subscribed here; they would know where to discuss security.
But I guess Alex has given the answer in [1] already.
Next steps (for you to know) are following the SRU process [2].
TL;DR:
1. the SRU Team reviews my upload and approves/rejects
2. it will build for xenial-proposed
Glad to hear! Just out of curiosity: What will be the next steps? Should
this issue also be reported to the Debian bug tracker because it affects
Debian 8? If I remember correctly, the support for Debian 8 should end
this month.
And also: Should there be a discussion about the security impact? If
Uploaded to xenial-unapproved for the SRU Team to consider
https://bugs.launchpad.net/bugs/1875299
Title:
Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
@Christian I can confirm, it works as expected for external requests.
2.4.24 30060fb18dcbb189d66bcc5a6f66f50fe7d5d3d4
2.4.18 b82d3c64494b7a59c13f03d169631177c1f6170d
Notes to not-nice-but-working build from git :-):
$ git clean -x -f -d
$ wget https://apache.mirror.digionline.de//apr/apr-util-1.6.1.tar.gz -O /tmp/apru.tgz
$ wget
Sadly, I don't have any other ideas at the moment.
But I do think that this issue does pose a security risk that should not
be overlooked. Applications relying in any form on the source IP address
for authentication or rate limitations might be affected.
I will have another look at the sources
Ok, that means we need more than "just" the fix to
https://bz.apache.org/bugzilla/show_bug.cgi?id=60251.
Probably something else that was between 2.4.18 and 2.4.24 ...
The only other change to remoteip itself was [1], but that doesn't seem
to be what we miss.
This issue seemed nice - and I
Just tested it and the issue still exists. I added the repository,
reinstalled apache2 and restarted the service but still had the same
outcome.
apache2/xenial,now 2.4.18-2ubuntu3.15~ppa1 amd64 [installed]
I could test it in the evening. I assume I'd just have to add the PPA
source, apt update and reinstall apache2?
The PPA build with the fix as referenced by the upstream bug did not fix it in
my tests :-/
Anyone up to try this as well if it is local to me?
Updated SRU template of the bug and thrown a test build into PPA [1]
An MP with the proposed changes is at [2].
[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4098/
[2]: https://code.launchpad.net/~paelzer/ubuntu/+source/apache2/+git/apache2/+merge/385748
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/apache2/+git/apache2/+merge/385748
** Description changed:
[Impact]
- * remoteip/mod_rewrite and a proxy might allow faking the source URL
+ * remoteip/mod_rewrite and a proxy might allow faking the source URL
- * TBD - once the fix was analyzed
+ * Fix by backporting an upstream change added in 2.4.24 and later (was
** Description changed:
+ [Impact]
+
+ * remoteip/mod_rewrite and a proxy might allow faking the source URL
+
+ * TBD - once the fix was analyzed
+
+ [Test Case]
+
+ $ apt install apache2 libapache2-mod-php
+
+ define /etc/apache2/sites-enabled/000-default.conf as:
+
+
Here you go, that was it.
I did not have remoteip enabled.
Added to my howto (which will be part of the SRU template).
Hi Christian,
it looks like you took the exact setup steps as I did. But just to make
sure: Have you enabled the apache2 module remoteip?
$ a2enmod remoteip
mod_rewrite seems to be enabled, otherwise your curl commands would not return
the output of the PHP file.
Other than that everything
Hi Marcus,
I was following your howto step by step and wanted to thank you already for
providing that much detail.
I was trying to simplify it further to not reach out to extra files, adding the
apt install steps and everything else.
$ apt install apache2 libapache2-mod-php
define
** Changed in: apache2 (Ubuntu)
Status: Confirmed => Fix Released
After configuring nginx and apache, the file index.php has to be placed
in the document root directory (/var/www/html). This PHP file outputs
the value of the variable $_SERVER['REMOTE_ADDR'] which should always
carry the client's real IP address and should always contain trustworthy
values when
** Attachment added: "/etc/nginx/sites-enabled/nginx-default"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+attachment/5383083/+files/nginx-default
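As an added example (not code from this bug thread, from Ubuntu or from Apache itself), here is a Python model of the trusted-proxy walk that mod_remoteip is documented to perform over X-Forwarded-For (RemoteIPHeader plus RemoteIPInternalProxy/RemoteIPTrustedProxy), applied to the test setup described above (nginx in front of Apache on the same host, index.php printing REMOTE_ADDR) and to the earlier concern in the thread that applications using the source IP for authentication or rate limiting are affected by spoofing. The trusted-proxy networks, the client and attacker addresses (203.0.113.5 and 1.2.3.4) and the function names are assumptions; all header values are constructed. The model shows the behaviour a correctly working remoteip should exhibit, not the 2.4.18 defect itself.

```python
import ipaddress
from typing import Optional

# Assumed trusted front proxies: the local nginx from the test setup plus an
# internal range. Any other TCP peer connecting to Apache is untrusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is a syntactically valid IP inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Return the address the server should report as the client (REMOTE_ADDR).

    Model of the remoteip walk: start from the TCP peer as the root trusted
    address, and only while the current candidate is a trusted proxy take the
    next X-Forwarded-For entry from the right (the entry added by the nearest
    hop). The first untrusted or malformed entry ends the walk. An untrusted
    peer therefore never influences the result, whatever it puts in the header.
    """
    client = peer_addr
    if not xff:
        return client
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    while entries and is_trusted_proxy(client):
        candidate = entries.pop()          # rightmost = added by the nearest hop
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                          # malformed entry: keep the last good hop
        client = candidate
    return client


def nginx_forward(real_client: str, incoming_xff: Optional[str],
                  append: bool = True) -> str:
    """Header a front proxy hands to Apache (constructed model of nginx).

    append=True models $proxy_add_x_forwarded_for: the real client address is
    appended to whatever the client sent. append=False models passing the
    client-supplied header through unchanged, the misconfiguration that lets a
    spoofed entry reach Apache intact even when every hop is configured sanely.
    """
    if not append:
        return incoming_xff or ""
    return f"{incoming_xff}, {real_client}" if incoming_xff else real_client


if __name__ == "__main__":
    attacker_claim = "1.2.3.4"          # constructed: value the client puts in XFF
    real_client = "203.0.113.5"         # constructed: address the client connects from

    # 1. Client talks to Apache directly: untrusted peer, header ignored.
    print("direct    :", resolve_client_ip(real_client, attacker_claim))
    # 2. Client goes through nginx, which appends the real address: spoof foiled.
    print("appended  :", resolve_client_ip("127.0.0.1",
                                           nginx_forward(real_client, attacker_claim)))
    # 3. nginx forwards the client header unchanged: spoof succeeds.
    print("passthru  :", resolve_client_ip("127.0.0.1",
                                           nginx_forward(real_client, attacker_claim, append=False)))
    # 4. Two trusted hops, then the real client.
    print("two hops  :", resolve_client_ip("127.0.0.1", "1.2.3.4, 10.0.0.7"))
```

Case 3 is what the thread's worry about REMOTE_ADDR-based authentication and rate limiting reduces to: the walk is only as good as the front proxy appending, rather than forwarding, the client header, and as tight as the trusted-proxy list. The actual check for the fixed package remains the one in the test case above: send curl requests with a spoofed X-Forwarded-For both through nginx and directly to Apache, and confirm index.php reports the connecting address in both cases.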
Hello Robie. I originally reported this issue to Andrey. I will attempt
to provide some additional information for reproducing this bug.
As already stated by Andrey, this issue affects Apache versions prior to
2.4.24 and therefore distributions like Ubuntu 16.04 and Debian 8 seem
to be
** Attachment added: "/var/www/html/index.php"
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+attachment/5383084/+files/index.php
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apache2 (Ubuntu)
Status: New => Confirmed
Thank you for taking the time to report this bug and helping to make
Ubuntu better.
Next steps:
1) We need to check if this problem is fixed in the current development
release of Ubuntu, and if a fix is needed in any other stable releases.
2) We need a step-by-step test case to reproduce the
(alternatively if you get a CVE then it can follow the separate security
update process based on Alex's comment)
If you feel this is a real security vulnerability which has not received
a CVE, you could try discussing it with the Apache developers, and once a CVE
has been assigned the Ubuntu Security team can fix it via a security
update for Apache. Otherwise, this could be addressed via the Stable
Release Update
** Information type changed from Private Security to Public Security