Bug 851768 - Review Request: mod_rpaf - Changes the remote IP in Apache to use client IP and not proxy IP
Review Request: mod_rpaf - Changes the remote IP in Apache to use client IP a...
Status: CLOSED NOTABUG
Product: Fedora EPEL
Classification: Fedora
Component: Package Review (Show other bugs)
el6
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Nobody's working on this, feel free to take it
Fedora Extras Quality Assurance
:
Depends On:
Blocks: FE-DEADREVIEW
  Show dependency treegraph
 
Reported: 2012-08-25 09:40 EDT by Sebastien Caps
Modified: 2012-12-31 05:16 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-31 04:22:21 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sebastien Caps 2012-08-25 09:40:40 EDT
SPEC:
http://repo.virer.net/PackagesReviews/2012082217/mod_rpaf.spec
SRPMS:
http://repo.virer.net/PackagesReviews/2012082217/mod_rpaf-0.6-1.el6.src.rpm

Description:
mod_rpaf changes the remote address of the client visible to other
Apache modules when two conditions are satisfied. First condition is
that the remote client is actually a proxy that is defined in
httpd configuration file. 
Secondly if there is an incoming X-Forwarded-For header and the proxy 
is in it's list of known proxies it takes the last IP from the incoming 
X-Forwarded-For header and changes the remote address of the client in 
the request structure. It also takes the incoming X-Host header and 
updates the virtual host settings accordingly.
For Apache2 mod_proxy it takes the X-Forwared-Host header and updates 
the virtual hosts.

Fedora Account System Username: virer
Comment 1 Sebastien Caps 2012-08-29 11:28:37 EDT
el6 build ok 
http://koji.fedoraproject.org/koji/taskinfo?taskID=4434512
Comment 2 Ville Skyttä 2012-12-29 16:41:49 EST
Is this version vulnerable to CVE-2012-3526?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3526
Comment 3 Sebastien Caps 2012-12-31 04:18:58 EST
It is not affected since this version does not use debian custom patch
Comment 4 Sebastien Caps 2012-12-31 04:22:21 EST
Since I still lack of sponsor and I have no more time to spend on it, I close it.

Note You need to log in before you can comment on or make changes to this bug.