
Submitted URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683984
Effective URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683984

DEBIAN BUG REPORT LOGS - #683984
LIBAPACHE2-MOD-RPAF: POTENTIAL DENIAL OF SERVICE



Package: libapache2-mod-rpaf; Maintainer for libapache2-mod-rpaf is Debian QA
Group <packages@qa.debian.org>; Source for libapache2-mod-rpaf is
src:libapache2-mod-rpaf (PTS, buildd, popcon).

Reported by: Luciano Bello <luciano@debian.org>

Date: Mon, 6 Aug 2012 00:27:04 UTC

Severity: critical

Tags: patch, security

Found in version libapache2-mod-rpaf/0.5-3

Fixed in versions libapache2-mod-rpaf/0.6-1, libapache2-mod-rpaf/0.5-3+squeeze1

Done: Sergey B Kirpichev <skirpichev@gmail.com>

Bug is archived. No further changes may be made.



--------------------------------------------------------------------------------

Report forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev
<skirpichev@gmail.com>:
Bug#683984; Package libapache2-mod-rpaf. (Mon, 06 Aug 2012 00:27:07 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Sergey B Kirpichev
<skirpichev@gmail.com>. (Mon, 06 Aug 2012 00:27:07 GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: libapache2-mod-rpaf: potential Denial of Service
Date: Mon, 6 Aug 2012 02:23:38 +0200

Package: libapache2-mod-rpaf
Severity: critical
Tags: security
Version: 0.5-3

Sébastien Bocahu reported to the security team:
> (...) 
> A single request makes Apache segfault. On some of the environments I tested,
> it even kills all Apache processes (they become zombies).
> 
> I tested three environments, all of them running Debian squeeze with latest
> Apache and mod_rpaf packages, MPM prefork only, behind haproxy.
> 
> To what I understand, there is a bug in version 0.5 of mod_rpaf, but the IPv6
> patch that was applied by Debian exposes Apache to segfaults under specific
> crafted requests.
> 
> The magick request is the following:
>   curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com"
>   reverseproxy
> 
> Apache processes will segfault, hence a potential DOS issue.
> 
> I have taken notes for myself and people I am working with.
> You can find these notes on
> http://zecrazytux.net/troubleshooting/apache2-segfault-debugging-tutorial
> 
> From my experiments, version 0.6 fixes the issue (IPv6 patched or unpatched).

Please, prepare a minimal patch for stable and contact the security team to 
update the package.

Thanks, luciano




--------------------------------------------------------------------------------

Marked as fixed in versions libapache2-mod-rpaf/0.6-1. Request was from Sergey B
Kirpichev <skirpichev@gmail.com> to control@bugs.debian.org. (Mon, 06 Aug 2012
19:27:08 GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev
<skirpichev@gmail.com>:
Bug#683984; Package libapache2-mod-rpaf. (Tue, 07 Aug 2012 09:15:02 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to Sergey Kirpichev <skirpichev@gmail.com>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev
<skirpichev@gmail.com>. (Tue, 07 Aug 2012 09:15:03 GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #12 received at 683984@bugs.debian.org (full text, mbox, reply):

From: Sergey Kirpichev <skirpichev@gmail.com>
To: 683984@bugs.debian.org, Luciano Bello <luciano@debian.org>
Subject: Re: Bug#683984: libapache2-mod-rpaf: potential Denial of Service
Date: Tue, 7 Aug 2012 12:14:36 +0400

tag 683984 +pending
thanks

On 06.08.2012 4:27, "Luciano Bello" <luciano@debian.org> wrote:
> Sébastien Bocahu reported to the security team:
> > (...)
> > A single request makes Apache segfault. On some of the environments I tested,
> > it even kills all Apache processes (they become zombies).

Thank you for bugreport.

> > The magick request is the following:
> >   curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com"
> >   reverseproxy
> >
> > Apache processes will segfault, hence a potential DOS issue.

This works for very typical setups.  Bad news.  And it looks as a ("potential",
yeh) remote hole.

> > From my experiments, version 0.6 fixes the issue (IPv6 patched or unpatched).

Yep.  Tag this as fixed for 0.6+ debian packages.

> Please, prepare a minimal patch for stable

The "minimal" patch is to drop 030_ipv6.patch.  I can't confirm that
this bug is *not* reproducible for 0.6 version *with* the above patch.

Can you ask bugreporter to report details on:
-->8--
   rpaf 0.6 is available in Debian wheezy. The IPv6 patched is not applied
   though. I patched myself and tested it on the       
   same squeeze environment: there is no more segfaults.
-->8--
?
Unmodified 030_ipv6.patch still produce segfaults on 0.6+, for me.

> and contact the security team to
> update the package.

Reply to contacts of this bugreport is ok, or I should do anything else?




--------------------------------------------------------------------------------

Added tag(s) pending. Request was from Sergey Kirpichev <skirpichev@gmail.com>
to control@bugs.debian.org. (Tue, 07 Aug 2012 09:15:04 GMT) (full text, mbox,
link).



--------------------------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev
<skirpichev@gmail.com>:
Bug#683984; Package libapache2-mod-rpaf. (Tue, 07 Aug 2012 10:15:03 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to Sébastien Bocahu <lists+debian@zecrazytux.net>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev
<skirpichev@gmail.com>. (Tue, 07 Aug 2012 10:15:03 GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #19 received at 683984@bugs.debian.org (full text, mbox, reply):

From: Sébastien Bocahu <lists+debian@zecrazytux.net>
To: 683984@bugs.debian.org
Subject: Re: Bug#683984: libapache2-mod-rpaf: potential Denial of Service
Date: Tue, 7 Aug 2012 12:12:51 +0200

Hi,

I am the bug reporter.

> The "minimal" patch is to drop 030_ipv6.patch.  I can't confirm that
> this bug is *not* reproducible for 0.6 version *with* the above patch.
> 
> Can you ask bugreporter to report details on:
> -->8--
>    rpaf 0.6 is available in Debian wheezy. The IPv6 patched is not applied
>    though. I patched myself and tested it on the       
>    same squeeze environment: there is no more segfaults.
> -->8--
> ?
> Unmodified 030_ipv6.patch still produce segfaults on 0.6+, for me.

You are right. The ipv6 patch still produce segfaults on 0.6 on my setups as
well. I had messed up while testing custom patches, sorry.

This means that I should report the bug to upstream, as there is still a bug in
the memory management or header parsing in 0.6...

Thanks for working on this




--------------------------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#683984; Package libapache2-mod-rpaf. (Tue, 07 Aug 2012 10:33:06 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to Sergey B Kirpichev <skirpichev@gmail.com>:
Extra info received and forwarded to list. (Tue, 07 Aug 2012 10:33:06 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Message #24 received at 683984@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 683984@bugs.debian.org, Sébastien Bocahu <lists+debian@zecrazytux.net>
Subject: Re: Bug#683984: libapache2-mod-rpaf: potential Denial of Service
Date: Tue, 7 Aug 2012 14:28:31 +0400

Ok, now it makes sense.

As a workaround, you should avoid using x-forwarded-for header from
untrusted sources.  Usually, it is the case - you can trust your frontend
servers ;)

That means - real impact of this issue is very minor and mostly due to
misconfiguration.

On 07.08.2012 14:15, "Sébastien Bocahu" <lists+debian@zecrazytux.net> wrote:

> Hi,
>
> I am the bug reporter.
>
> > The "minimal" patch is to drop 030_ipv6.patch.  I can't confirm that
> > this bug is *not* reproducible for 0.6 version *with* the above patch.
> >
> > Can you ask bugreporter to report details on:
> > -->8--
> > >    rpaf 0.6 is available in Debian wheezy. The IPv6 patched is not applied
> > >    though. I patched myself and tested it on the
> > >    same squeeze environment: there is no more segfaults.
> > > -->8--
> > > ?
> > > Unmodified 030_ipv6.patch still produce segfaults on 0.6+, for me.
>
> You are right. The ipv6 patch still produce segfaults on 0.6 on my setups as
> well. I had messed up while testing custom patches, sorry.
>
> This means that I should report the bug to upstream, as there is still a bug in
> the memory management or header parsing in 0.6...
>
> Thanks for working on this
>


--------------------------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev
<skirpichev@gmail.com>:
Bug#683984; Package libapache2-mod-rpaf. (Tue, 07 Aug 2012 10:54:05 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to Sébastien Bocahu <lists+debian@zecrazytux.net>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev
<skirpichev@gmail.com>. (Tue, 07 Aug 2012 10:54:05 GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #29 received at 683984@bugs.debian.org (full text, mbox, reply):

From: Sébastien Bocahu <lists+debian@zecrazytux.net>
To: Sergey B Kirpichev <skirpichev@gmail.com>
Cc: 683984@bugs.debian.org
Subject: Re: Bug#683984: libapache2-mod-rpaf: potential Denial of Service
Date: Tue, 7 Aug 2012 12:58:40 +0200

> As a workaround, you should avoid using x-forwarded-for header from
> untrusted sources.  Usually, it is the case - you can trust your frontend
> servers ;)
> 
> That means - real impact of this issue is very minor and mostly due to
> misconfiguration.

Excuse me ?

This is definitely _not_ a misconfiguration issue.

mod_rpaf is supposed to use the *last* X-Forwarded-For header.
There's a bug which adds some garbage to the remote_ip field, when a
specific request is sent, and a *correct* X-Forwarded-For header added by the
reverse proxy. (so the request has two X-Forwarded-For headers when it arrives
on the web front end, one is malicious, one is correct from a trusted source).

A workaround could be stripping the previous X-Forwarded-For headers on the
reverse proxy, but it shouldn't be necessary.

Real impact of this issue can be remote DOS of a LAMP cluster.
What makes you feel that this issue is "very minor" ?




--------------------------------------------------------------------------------

Added tag(s) upstream. Request was from Sergey B Kirpichev
<skirpichev@gmail.com> to control@bugs.debian.org. (Tue, 07 Aug 2012 12:15:11
GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Information stored :
Bug#683984; Package libapache2-mod-rpaf. (Tue, 07 Aug 2012 12:15:13 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to skirpichev@gmail.com:
Extra info received and filed, but not forwarded. (Tue, 07 Aug 2012 12:15:13
GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #36 received at 683984-quiet@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: Sébastien Bocahu <lists+debian@zecrazytux.net>
Cc: 683984-quiet@bugs.debian.org
Subject: Re: Bug#683984: libapache2-mod-rpaf: potential Denial of Service
Date: Tue, 7 Aug 2012 15:12:26 +0400

tag 683984 +upstream
thanks

On Tue, Aug 07, 2012 at 12:58:40PM +0200, Sébastien Bocahu wrote:
> This is definitely _not_ a misconfiguration issue.
> 
> mod_rpaf is supposed to use the *last* X-Forwarded-For header.
> There's a bug which adds some garbage to the remote_ip field, when a
> specific request is sent, and a *correct* X-Forwarded-For header added by the
> reverse proxy.

This "garbage" is exactly what you allowed to add via crafted request
(curl -H ... etc).  Why you want to allow so?

> (so the request has two X-Forwarded-For headers when it arrives
> on the web front end, one is malicious, one is correct from a trusted source).
> 
> A workaround could be stripping the previous X-Forwarded-For headers on the
> reverse proxy, but it shouldn't be necessary.

Usually, you can just ignore X-Forwarded-For, provided by client.  This
case covers typical simple frontend+backend setup.

Of course, this shouldn't be necessary - but it's a good idea to expose
less headers for modification to client, right?

> Real impact of this issue can be remote DOS of a LAMP cluster.
> What makes you feel that this issue is "very minor" ?

See above.  Strictly speaking, my point is that setup with modifiable by
client X-Forwarded-For header (case where it *should be* allowed, not just
"can be" configured so) is rather uncommon.




--------------------------------------------------------------------------------

Information stored :
Bug#683984; Package libapache2-mod-rpaf. (Tue, 07 Aug 2012 13:15:06 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to Sébastien Bocahu <lists+debian@zecrazytux.net>:
Extra info received and filed, but not forwarded. (Tue, 07 Aug 2012 13:15:06
GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #41 received at 683984-quiet@bugs.debian.org (full text, mbox, reply):

From: Sébastien Bocahu <lists+debian@zecrazytux.net>
To: 683984-quiet@bugs.debian.org
Subject: Re: Bug#683984: libapache2-mod-rpaf: potential Denial of Service
Date: Tue, 7 Aug 2012 15:11:46 +0200

> This "garbage" is exactly what you allowed to add via crafted request
> (curl -H ... etc).  Why you want to allow so?

I don't want to. It was "allowed" until now, as X-Forwarded-For headers were not
deleted by the reverse proxy.

I still think that many people are using Debian and mod_rpaf, and are not
deleting these headers.
Won't you do anything for them ?

> > (so the request has two X-Forwarded-For headers when it arrives
> > on the web front end, one is malicious, one is correct from a trusted source).
> > 
> > A workaround could be stripping the previous X-Forwarded-For headers on the
> > reverse proxy, but it shouldn't be necessary.
> 
> Usually, you can just ignore X-Forwarded-For, provided by client.  This
> case covers typical simple frontend+backend setup.
> 
> Of course, this shouldn't be necessary - but it's a good idea to expose
> less headers for modification to client, right?

Agreed. Still, there's a bug, and this "solution" is - a "best practice" but - only a
workaround to this bug.

My point is: 

all right, we should all harden our setups, but:

  * many people don't and it shouldn't be necessary for Apache2 to keep running 

  * there are no words about it in the docs provided by Debian :

    /usr/share/doc/libapache2-mod-rpaf/README.Debian
  
      Module configuration is pretty simple, there are only two directives to
      set; RPAFenable and RPAFproxy_ips. With the later you can define which
      IP's are your frontend proxies that sends the correct X-Forwarded-For
      headers. If you do not use the RPAFproxy_ips directive then the module
      will not change the remote address of the incoming connection at any
      time.

  * The bug is exposed by the ipv6 patch which has been applied by Debian.
    I cannot reproduce the segfaults with upstream sources.
    There is likely to be an issue with upstream code, but the NULL pointer
    dereference has been introduced by Debian.

Cheers




--------------------------------------------------------------------------------

Information stored :
Bug#683984; Package libapache2-mod-rpaf. (Wed, 08 Aug 2012 19:15:10 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to skirpichev@gmail.com:
Extra info received and filed, but not forwarded. (Wed, 08 Aug 2012 19:15:10
GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #46 received at 683984-quiet@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: Sébastien Bocahu <lists+debian@zecrazytux.net>
Cc: 683984-quiet@bugs.debian.org
Subject: Re: Bug#683984: libapache2-mod-rpaf: potential Denial of Service
Date: Wed, 8 Aug 2012 23:12:15 +0400

On Tue, Aug 07, 2012 at 03:11:46PM +0200, Sébastien Bocahu wrote:
> I don't want to. It was "allowed" until now, as X-Forwarded-For headers were not
> deleted by the reverse proxy.

By *some* reverse proxies.  It depends on configuration.

> I still think that many people are using Debian and mod_rpaf, and are not
> deleting these headers.
> Won't you do anything for them ?

Don't get me wrong - it's a real bug, not a feature.  Of course, I'll try
to prepare a fix ASAP.  Feel free to help with a patch...

> Agreed. Still, there's a bug

Yep.

> and this "solution" is - a "best practice" but - only a
> workaround to this bug.

It's more than just a workaround.  It's a real fix in most
cases.  People should review configuration to use (nginx example)
something like this:
proxy_set_header X-Forwarded-For $remote_addr;
instead of this:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

>   * there are no words about it in the docs provided by Debian :

Maybe we should add something...

>   * The bug is exposed by the ipv6 patch which has been applied by Debian.

Yes, but this patch is just a trigger for the problem (garbage in
r->connection->remote_ip).  I don't think there is something wrong
with patch itself.

>     I cannot reproduce the segfaults with upstream sources.
>     There is likely to be an issue with upstream code, but the NULL pointer
>     dereference has been introduced by Debian.

Try to use host-based access control (directives allow/deny, etc).
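
Added example, not part of this thread and not the code from 030_ipv6.patch (the patch text is not shown on this page): one way a backend can handle the header discussed above, taking the last X-Forwarded-For entry and using it only if it parses as an IPv4 or IPv6 literal, otherwise keeping the socket peer address. The function names and sample addresses are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not mod_rpaf code): copy the last comma-separated
 * X-Forwarded-For entry into out only if it is a valid IPv4/IPv6 literal.
 * Returns 1 on success, 0 if the entry must be ignored. */
int last_forwarded_ip(const char *xff, char *out, size_t outlen)
{
    unsigned char addr[sizeof(struct in6_addr)];
    char token[INET6_ADDRSTRLEN];
    const char *start, *end;
    size_t len;

    if (xff == NULL || out == NULL || outlen == 0)
        return 0;

    /* Last entry: the text after the final comma (the hop nearest to us). */
    start = strrchr(xff, ',');
    start = start ? start + 1 : xff;
    while (*start == ' ' || *start == '\t')
        start++;
    end = start + strlen(start);
    while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
        end--;

    len = (size_t)(end - start);
    if (len == 0 || len >= sizeof(token) || len >= outlen)
        return 0;
    memcpy(token, start, len);
    token[len] = '\0';

    /* inet_pton accepts only complete address literals, so values with
     * quotes or trailing junk never reach the connection record. */
    if (inet_pton(AF_INET, token, addr) != 1 &&
        inet_pton(AF_INET6, token, addr) != 1)
        return 0;

    memcpy(out, token, len + 1);
    return 1;
}

/* Hypothetical wrapper: returns the validated forwarded address, or the
 * socket peer address unchanged when the header is absent or invalid. */
const char *effective_client_ip(const char *peer, const char *xff,
                                char *out, size_t outlen)
{
    return last_forwarded_ip(xff, out, outlen) ? out : peer;
}

int main(void)
{
    /* Constructed sample header values; the first is the one quoted in
     * this report, the addresses are documentation ranges. */
    const char *samples[] = {
        "1'\"5000",
        "1'\"5000, 192.0.2.10",
        "192.0.2.10, 1'\"5000",
        "2001:db8::1",
    };
    char buf[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s -> %s\n", samples[i],
               effective_client_ip("198.51.100.7", samples[i],
                                   buf, sizeof(buf)));
    return 0;
}
```
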




--------------------------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev
<skirpichev@gmail.com>:
Bug#683984; Package libapache2-mod-rpaf. (Thu, 09 Aug 2012 20:51:03 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to Sergey Kirpichev <skirpichev@gmail.com>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev
<skirpichev@gmail.com>. (Thu, 09 Aug 2012 20:51:03 GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #51 received at 683984@bugs.debian.org (full text, mbox, reply):

From: Sergey Kirpichev <skirpichev@gmail.com>
To: Luciano Bello <luciano@debian.org>, 683984@bugs.debian.org
Cc: security@debian.org, Sébastien Bocahu <lists+debian@zecrazytux.net>
Subject: Re: Bug#683984: libapache2-mod-rpaf: potential Denial of Service
Date: Fri, 10 Aug 2012 00:49:29 +0400

On Mon, Aug 6, 2012 at 4:23 AM, Luciano Bello <luciano@debian.org> wrote:
> Sébastien Bocahu reported to the security team:
>> patch that was applied by Debian exposes Apache to segfaults under specific
>> crafted requests.
>>
>> The magick request is the following:
>>   curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com"
>>   reverseproxy
>>
>> Apache processes will segfault, hence a potential DOS issue.
>
> Please, prepare a minimal patch for stable and contact the security team to
> update the package.

Attached updated 030_ipv6.patch.

PS: Updated package (maintainer info was changed too):
    http://mentors.debian.net/debian/pool/main/liba/libapache2-mod-rpaf/libapache2-mod-rpaf_0.5-3+squeeze1.dsc


[030_ipv6.patch (text/x-diff, attachment)]

--------------------------------------------------------------------------------

Added tag(s) patch. Request was from Sergey B Kirpichev <skirpichev@gmail.com>
to control@bugs.debian.org. (Tue, 14 Aug 2012 10:15:10 GMT) (full text, mbox,
link).



--------------------------------------------------------------------------------

Removed tag(s) upstream. Request was from Sergey B Kirpichev
<skirpichev@gmail.com> to control@bugs.debian.org. (Tue, 14 Aug 2012 11:03:04
GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Sergey B Kirpichev
<skirpichev@gmail.com>:
Bug#683984; Package libapache2-mod-rpaf. (Wed, 22 Aug 2012 18:45:07 GMT) (full
text, mbox, link).



--------------------------------------------------------------------------------

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Sergey B Kirpichev
<skirpichev@gmail.com>. (Wed, 22 Aug 2012 18:45:07 GMT) (full text, mbox, link).



--------------------------------------------------------------------------------

Message #60 received at 683984@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 683984@bugs.debian.org
Subject: CVE name assigned
Date: Wed, 22 Aug 2012 20:36:32 +0200

This is CVE-2012-3526.





--------------------------------------------------------------------------------

Reply sent to Sergey B Kirpichev <skirpichev@gmail.com>:
You have taken responsibility. (Wed, 22 Aug 2012 21:33:03 GMT) (full text, mbox,
link).



--------------------------------------------------------------------------------

Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 22 Aug 2012 21:33:03 GMT) (full text, mbox,
link).



--------------------------------------------------------------------------------

Message #65 received at 683984-close@bugs.debian.org (full text, mbox, reply):

From: Sergey B Kirpichev <skirpichev@gmail.com>
To: 683984-close@bugs.debian.org
Subject: Bug#683984: fixed in libapache2-mod-rpaf 0.5-3+squeeze1
Date: Wed, 22 Aug 2012 21:32:04 +0000

Source: libapache2-mod-rpaf
Source-Version: 0.5-3+squeeze1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-rpaf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergey B Kirpichev <skirpichev@gmail.com> (supplier of updated libapache2-mod-rpaf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 09 Aug 2012 23:51:10 +0400
Source: libapache2-mod-rpaf
Binary: libapache2-mod-rpaf
Architecture: source amd64
Version: 0.5-3+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Sergey B Kirpichev <skirpichev@gmail.com>
Changed-By: Sergey B Kirpichev <skirpichev@gmail.com>
Description: 
 libapache2-mod-rpaf - module for Apache2 which takes the last IP from the 'X-Forwarded-
Closes: 683984
Changes: 
 libapache2-mod-rpaf (0.5-3+squeeze1) stable-security; urgency=high
 .
   * New maintainer (See: #636732)
   * Edit 030_ipv6.patch to fix DOS via crafted X-Forwarded-For
     header (Closes: #683984, thanks to Sébastien Bocahu)





--------------------------------------------------------------------------------

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:31:52 GMT) (full text,
mbox, link).


