Bug 851768 - Review Request: mod_rpaf - Changes the remote IP in Apache to use client IP and not proxy IP
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: Package Review
Version: el6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2012-08-25 13:40 UTC by Sebastien Caps
Modified: 2012-12-31 10:16 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-12-31 09:22:21 UTC

Description Sebastien Caps 2012-08-25 13:40:40 UTC

mod_rpaf changes the remote address of the client visible to other
Apache modules when two conditions are satisfied. The first condition is
that the remote client is actually a proxy that is defined in the
httpd configuration file.
Secondly, if there is an incoming X-Forwarded-For header and the proxy
is in its list of known proxies, it takes the last IP from the incoming
X-Forwarded-For header and changes the remote address of the client in
the request structure. It also takes the incoming X-Host header and
updates the virtual host settings accordingly.
For Apache2 mod_proxy it takes the X-Forwarded-Host header and updates
the virtual hosts.

Fedora Account System Username: virer
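
The two-condition logic described above, sketched as a stand-alone C function. This is an added example, not part of the original report and not mod_rpaf's source: `effective_client_ip`, its parameters and the sample addresses are hypothetical, and the IP-literal validation is an extra check assumed here rather than something the description states.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if s parses as an IPv4 or IPv6 literal. */
static int is_ip_literal(const char *s) {
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Hypothetical helper (not mod_rpaf's API). Writes the address to use into
 * out; returns 1 if X-Forwarded-For was honoured, 0 if the peer was kept. */
int effective_client_ip(const char *peer, const char *xff,
                        const char *const *proxies, size_t nproxies,
                        char *out, size_t outlen) {
    char tok[INET6_ADDRSTRLEN];
    const char *last, *end;
    size_t i, len;
    int trusted = 0;

    snprintf(out, outlen, "%s", peer);        /* default: the TCP peer */
    for (i = 0; i < nproxies; i++)
        if (strcmp(peer, proxies[i]) == 0) trusted = 1;
    if (!trusted || xff == NULL) return 0;    /* peer is not a known proxy */

    last = strrchr(xff, ',');                 /* last element of the list */
    last = last ? last + 1 : xff;
    while (isspace((unsigned char)*last)) last++;
    end = last + strlen(last);
    while (end > last && isspace((unsigned char)end[-1])) end--;
    len = (size_t)(end - last);
    if (len == 0 || len >= sizeof tok || len >= outlen) return 0;
    memcpy(tok, last, len);
    tok[len] = '\0';
    if (!is_ip_literal(tok)) return 0;        /* assumed check: reject junk */
    snprintf(out, outlen, "%s", tok);
    return 1;
}

int main(void) {
    const char *proxies[] = { "192.0.2.10" };  /* constructed sample values */
    char ip[INET6_ADDRSTRLEN];
    int used = effective_client_ip("192.0.2.10", "203.0.113.9, 198.51.100.7",
                                   proxies, 1, ip, sizeof ip);
    printf("%d %s\n", used, ip);
    return 0;
}
```

A header sent by a peer that is not in the proxy list is ignored, so the address recorded for that request stays the connecting address.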

Comment 1 Sebastien Caps 2012-08-29 15:28:37 UTC
el6 build ok

Comment 2 Ville Skyttä 2012-12-29 21:41:49 UTC
Is this version vulnerable to CVE-2012-3526?

Comment 3 Sebastien Caps 2012-12-31 09:18:58 UTC
It is not affected, since this version does not use the Debian custom patch.

Comment 4 Sebastien Caps 2012-12-31 09:22:21 UTC
Since I still lack a sponsor and I have no more time to spend on it, I am closing it.
