Bug 851768

Summary: Review Request: mod_rpaf - Changes the remote IP in Apache to use client IP and not proxy IP
Product: [Fedora] Fedora EPEL
Reporter: Sebastien Caps <sebastien.caps>
Component: Package Review
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: el6
CC: package-review, ville.skytta
Doc Type: Bug Fix
Last Closed: 2012-12-31 04:22:21 EST
Type: Bug
Bug Blocks: 201449    

Description Sebastien Caps 2012-08-25 09:40:40 EDT
SPEC:
http://repo.virer.net/PackagesReviews/2012082217/mod_rpaf.spec
SRPMS:
http://repo.virer.net/PackagesReviews/2012082217/mod_rpaf-0.6-1.el6.src.rpm

Description:
mod_rpaf changes the remote address of the client visible to other
Apache modules when two conditions are satisfied. The first condition is
that the remote client is actually a proxy that is defined in the
httpd configuration file.
Secondly, if there is an incoming X-Forwarded-For header and the proxy
is in its list of known proxies, it takes the last IP from the incoming
X-Forwarded-For header and changes the remote address of the client in
the request structure. It also takes the incoming X-Host header and
updates the virtual host settings accordingly.
For Apache2 mod_proxy it takes the X-Forwarded-Host header and updates
the virtual hosts.

Fedora Account System Username: virer
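
The two conditions in the description above, modelled as an added Python example (not mod_rpaf's code and not part of the original report). The function name, the trusted-proxy set and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: addresses of the reverse proxies the backend trusts
# (hypothetical values taken from documentation ranges).
TRUSTED_PROXIES = {"192.0.2.10", "192.0.2.11"}


def effective_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address a backend should treat as the client.

    peer_ip -- address of the TCP peer that connected to the backend
    headers -- dict of request headers (names compared case-insensitively)
    """
    # Condition 1: the connecting peer must be a configured proxy.
    # Otherwise the header is fully client-controlled and is ignored.
    if peer_ip not in trusted:
        return peer_ip

    # Condition 2: an X-Forwarded-For header must be present.
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if not entries:
        return peer_ip

    # Take the last entry: it is the one appended by the trusted proxy.
    # Earlier entries may have been supplied by the client itself.
    candidate = entries[-1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # malformed value: fall back to the real peer


if __name__ == "__main__":
    # Constructed requests: direct client with a forged header, then a
    # request relayed by a trusted proxy.
    print(effective_client_ip("203.0.113.7", {"X-Forwarded-For": "10.0.0.1"}))
    print(effective_client_ip(
        "192.0.2.10", {"X-Forwarded-For": "10.9.9.9, 198.51.100.23"}))
```
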
Comment 1 Sebastien Caps 2012-08-29 11:28:37 EDT
el6 build ok 
http://koji.fedoraproject.org/koji/taskinfo?taskID=4434512
Comment 2 Ville Skyttä 2012-12-29 16:41:49 EST
Is this version vulnerable to CVE-2012-3526?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3526
Comment 3 Sebastien Caps 2012-12-31 04:18:58 EST
It is not affected since this version does not use the Debian custom patch.
Comment 4 Sebastien Caps 2012-12-31 04:22:21 EST
Since I still lack a sponsor and I have no more time to spend on it, I am closing it.