Description: The default ssl.conf has a bad default of:

    Listen 443

which means that, on a server with a public IPv6 interface configured, the server will accept connections using IPv6 sockets from IPv4-mapped addresses on the SSL port by default. This means that allow/deny address matching will not work on IPv4 addresses; in a configuration like:

    <Location /secrets>
        Order allow,deny
        Allow from all
        Deny from 10.20.30.*
    </Location>

the Deny directive will not match the IPv4-mapped addresses, and so will allow clients to connect from 10.20.30.* via SSL.

Affects: mod_ssl package in 8.0, 9

Mitigating factors: IPv6 not in widespread use. It is more common to use address matching in deny,allow order, with address ranges specified in "Allow" statements; a false negative match on an Allow statement is not a security issue.
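To make the failure mode in the report concrete, here is an added illustration (not Apache's or mod_access's own code) of how an access check behaves when the peer address arrives as an IPv4-mapped IPv6 address. The rule-parsing helper `rule_to_network`, the two matchers and `access_decision` are hypothetical stand-ins for the real module: `naive_match` compares only plain IPv4 addresses, so a client that the IPv6 socket reports as `::ffff:10.20.30.5` never matches `Deny from 10.20.30.*` and falls through to `Allow from all`; `mapped_aware_match` unwraps the mapped form first. The sample addresses are constructed for the example.

```python
import ipaddress

# Constructed sample input (not from the report): the Deny rule from the
# configuration above, and the same client seen two ways: on an IPv4 socket,
# and, because "Listen 443" binds an IPv6 socket, as an IPv4-mapped IPv6 address.
DENY_FROM = "10.20.30.*"
CLIENT_V4 = "10.20.30.5"
CLIENT_MAPPED = "::ffff:10.20.30.5"


def rule_to_network(rule):
    """Turn a partial Apache-style address ("10.20.30.*" or "10.20.30") into a
    network. Illustrative helper, not mod_access's own parser."""
    octets = [o for o in rule.split(".") if o and o != "*"]
    if not 1 <= len(octets) <= 4:
        raise ValueError("bad rule: %r" % rule)
    prefix = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network("%s/%d" % (prefix, 8 * len(octets)))


def naive_match(client, rule):
    """IPv4-only comparison: a mapped IPv6 peer does not parse as IPv4, so it
    never matches the rule (this is the behaviour the report describes)."""
    try:
        addr = ipaddress.IPv4Address(client)
    except ipaddress.AddressValueError:
        return False
    return addr in rule_to_network(rule)


def mapped_aware_match(client, rule):
    """Unwrap ::ffff:a.b.c.d to a.b.c.d before comparing, so an IPv4 rule is
    tested against the IPv4 client it actually describes."""
    addr = ipaddress.ip_address(client)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.version == 4 and addr in rule_to_network(rule)


def access_decision(client, deny_rules, match):
    """'Order allow,deny' with 'Allow from all': the Allow always matches, so
    the client is refused exactly when some Deny rule matches."""
    denied = any(match(client, r) for r in deny_rules)
    return "DENY" if denied else "ALLOW"


if __name__ == "__main__":
    for name, match in (("naive", naive_match), ("mapped-aware", mapped_aware_match)):
        for client in (CLIENT_V4, CLIENT_MAPPED):
            print("%-12s %-20s %s" % (name, client,
                                      access_decision(client, [DENY_FROM], match)))
```

Run stand-alone, the naive matcher denies `10.20.30.5` but allows `::ffff:10.20.30.5`, which is exactly the bypass the report describes; the mapped-aware matcher denies both. The same unwrapping is what any address-based control (firewall rules, log-based blocklists, rate limiters) has to do when it listens on an IPv6 socket that also accepts IPv4 peers.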
This affects non-SSL connections as well; the default httpd.conf has the same problem:

    Listen 80
The theory was sound but the testing wasn't; there is code in 2.0 to deal with this correctly: an "allow" or "deny" restriction based on an IPv4 address or subnet is tested against IPv4-mapped IPv6 addresses in the expected manner.