Merge ~paelzer/ubuntu/+source/apache2:lp-1875299-avoid-hiding-remote-ip into ubuntu/+source/apache2:ubuntu/xenial-devel

Proposed by Christian Ehrhardt on 2020-06-15
Status: Merged
Approved by: Christian Ehrhardt on 2020-06-17
Approved revision: 42fae3c0e76521b40a6fa6fad6fef90e9c37f644
Merge reported by: Christian Ehrhardt
Merged at revision: 42fae3c0e76521b40a6fa6fad6fef90e9c37f644
Proposed branch: ~paelzer/ubuntu/+source/apache2:lp-1875299-avoid-hiding-remote-ip
Merge into: ubuntu/+source/apache2:ubuntu/xenial-devel
Diff against target: 79 lines (+57/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/lp-1875299-Merge-r1688399-from-trunk.patch (+49/-0)
debian/patches/series (+1/-0)
Reviewer | Review Type | Date Requested | Status
Rafael David Tinoco | | 2020-06-15 | Approve on 2020-06-16
Canonical Server Team | | 2020-06-15 | Pending
Canonical Server packageset reviewers | | 2020-06-15 | Pending
Review via email: mp+385748@code.launchpad.net
Christian Ehrhardt (paelzer) wrote:

The fix looks right, but in my tests it fails.

Christian Ehrhardt (paelzer) wrote:

Actually it works, back up for review ...

Rafael David Tinoco (rafaeldtinoco) wrote:

I got this one...

Rafael David Tinoco (rafaeldtinoco) wrote:

 CHECKLIST
----------------------------
 [.] changelog entry correct:
 [.] targeted to correct codename
 [.] version number is correct
 [.] update-maintainer has been run before
 ----
 [-] changes forwarded upstream/debian (if appropriate)
 [-] patches match what was proposed upstream
 ----
 [.] patches correctly included in debian/patches/series?
 [.] patches have correct DEP3 metadata
 ----
 [.] relying on PPA only for build check ?
 [.] if relying on PPA, did it install correctly ?
 ----
 [-] building it locally ?
 [-] if building locally, was source build good ?
 [-] if building locally, was binary build good ?
 ----
 [-] was autopkgtest tested ?
 ----
 [.] is this a SRU ?
 [.] if a SRU, does the public bug have a template ?
 [-] is this a bundle of fixes ?
 [.] is this a single fix ?
 ----
 [-] if single fix, was testcase provided ?
 [-] if single fix, and testcase provided, could I reproduce it ?
 [-] if single fix, and testcase provided, did it work ?
 ----
 [-] is this a MERGE ?
 [-] if MERGE, is there a public bug referred ?
 [-] if MERGE, does it add/remove existing packages ?
 [-] if MERGE, does it bump library SONAME ?
----------------------------
 [.] = ok | [x] = not ok | [?] = question | [!] = note | [-] = n/a
----------------------------

# comments:

all good here.

review: Approve
Christian Ehrhardt (paelzer) wrote:

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/apache2
 * [new tag] upload/2.4.18-2ubuntu3.15 -> upload/2.4.18-2ubuntu3.15

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading apache2_2.4.18-2ubuntu3.15.dsc: done.
  Uploading apache2_2.4.18-2ubuntu3.15.debian.tar.xz: done.
  Uploading apache2_2.4.18-2ubuntu3.15_source.buildinfo: done.
  Uploading apache2_2.4.18-2ubuntu3.15_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt (paelzer) wrote:

hit -proposed

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 01afae5..6531e80 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+apache2 (2.4.18-2ubuntu3.15) xenial; urgency=medium
7+
8+ * d/p/lp-1875299-Merge-r1688399-from-trunk.patch: use r_useragent_addr as
9+ the root trusted address (LP: #1875299)
10+
11+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 15 Jun 2020 16:09:55 +0200
12+
13 apache2 (2.4.18-2ubuntu3.14) xenial; urgency=medium
14
15 * Backport mod_reqtimeout with handshake support (LP: #1846138)
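Review bot: the changelog entry on the "* d/p/lp-1875299-Merge-r1688399-from-trunk.patch: use r_useragent_addr as the root trusted address" line misnames the field; the patch switches temp_sa to "r->useragent_addr" (the "+ temp_sa = r->useragent_addr ? r->useragent_addr : c->client_addr;" line further down), and the upstream subject says the same. Correct the changelog text to r->useragent_addr so that anyone reading the SRU history can grep for the actual field name.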
16diff --git a/debian/patches/lp-1875299-Merge-r1688399-from-trunk.patch b/debian/patches/lp-1875299-Merge-r1688399-from-trunk.patch
17new file mode 100644
18index 0000000..b976533
19--- /dev/null
20+++ b/debian/patches/lp-1875299-Merge-r1688399-from-trunk.patch
21@@ -0,0 +1,49 @@
22+From 950093162e445141c5126e4d11e6466e3184b0ce Mon Sep 17 00:00:00 2001
23+From: Jim Jagielski <jim@apache.org>
24+Date: Tue, 1 Nov 2016 11:55:34 +0000
25+Subject: [PATCH] Merge r1688399 from trunk:
26+
27+mod_remoteip: Use r->useragent_addr as the root trusted address for verifying.
28+
29+This fixes issue resulting in setting of bad useragent_ip when internal
30+redirection has been generated as response to the request (typically as
31+result of "ErrorDocument 40x").
32+
33+In this case, the original request has been handled by mod_remoteip and its
34+useragent_ip has been changed properly, but when internal redirection
35+to ErrorDocument has been generated later, the mod_remoteip's handler has been
36+executed again with *the same* c->client_addr as in the original request. If
37+c->client_addr IP is trusted, this results in bad useragent_ip being set.
38+
39+When using r->useragent_addr as the root trusted address instead of
40+c->client_addr, the internal redirection uses the first non-trusted
41+IP in this particular case, so it won't change the r->useragent_ip during
42+the internal redirection to ErrorDocument.
43+
44+Submitted by: jkaluza
45+Reviewed/backported by: jim
46+
47+
48+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1767483 13f79535-47bb-0310-9956-ffa450edef68
49+
50+Backport-Note: Skipped non-functional changes in STATUS and CHANGES files
51+Origin: backport, https://github.com/apache/httpd/commit/950093162e445141c5126e4d11
52+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1875299
53+Bug-upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
54+Last-Update: 2020-06-15
55+
56+---
57+ modules/metadata/mod_remoteip.c | 2 +-
58+ 3 files changed, 6 insertions(+), 8 deletions(-)
59+
60+--- a/modules/metadata/mod_remoteip.c
61++++ b/modules/metadata/mod_remoteip.c
62+@@ -242,7 +242,7 @@ static int remoteip_modify_request(reque
63+ }
64+ remote = apr_pstrdup(r->pool, remote);
65+
66+- temp_sa = c->client_addr;
67++ temp_sa = r->useragent_addr ? r->useragent_addr : c->client_addr;
68+
69+ while (remote) {
70+
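Review bot: the diffstat in the patch header is stale: it lists " modules/metadata/mod_remoteip.c | 2 +-" and then " 3 files changed, 6 insertions(+), 8 deletions(-)", which is the summary of the full upstream commit, while the Backport-Note says the STATUS and CHANGES hunks were skipped and only one changed line remains. Regenerate it as "1 file changed, 1 insertion(+), 1 deletion(-)" or drop the stat lines, since quilt ignores them but a mismatched summary suggests content is missing from the backport. The Origin line also carries only a prefix of the hash shown on the "From 950093162e445141c5126e4d11e6466e3184b0ce" line; the full hash is easier to cross-check against the GitHub mirror. The one-line functional change itself matches upstream r1688399: seeding temp_sa from r->useragent_addr when it is already set (falling back to c->client_addr on the first pass) means the ErrorDocument re-entry described in the message no longer re-walks the trusted-proxy chain from the connection address and overwrites an already-resolved useragent_ip, which is what access logging and any IP-based decisions on the error-document path rely on.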
71diff --git a/debian/patches/series b/debian/patches/series
72index d26b2db..6b07342 100644
73--- a/debian/patches/series
74+++ b/debian/patches/series
75@@ -43,3 +43,4 @@ CVE-2019-10098.patch
76 0001-mod-reqtimeout-revent-long-response-times.patch
77 0002-mod_reqtimeout-fix-body-timeout-disabling-for-CONNECT-request.patch
78 0003-mod_reqtimeout-Merge-r1853901-r1853906-r1853908-r1853929-r1853935-r.patch
79+lp-1875299-Merge-r1688399-from-trunk.patch
