Comment 0 for bug 1875299

There is a bug in mod_remoteip (a part of Apache Web Server): https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24.
Although a CVE id was not requested yet, actually it is a vulnerability.

The fix was not backported to Ubuntu 16.04 (xenial).

Impact: if a victim uses Apache rewrite rules, then an attacker can spoof his IP address for logs and PHP scripts.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apache2 2.4.18-2ubuntu3.14
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
Apache2ConfdDirListing: False
ApportVersion: 2.20.1-0ubuntu2.23
Architecture: amd64
Date: Mon Apr 27 13:17:43 2020
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
error.log:

modified.conffile..etc.apache2.apache2.conf: [modified]
modified.conffile..etc.apache2.mods-available.dir.conf: [modified]
modified.conffile..etc.apache2.mods-available.ssl.conf: [modified]
modified.conffile..etc.apache2.ports.conf: [modified]
modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
mtime.conffile..etc.apache2.apache2.conf: 2020-04-23T15:45:48.416970
mtime.conffile..etc.apache2.mods-available.dir.conf: 2020-04-23T12:03:13.711062
mtime.conffile..etc.apache2.mods-available.ssl.conf: 2020-04-23T12:02:44.854484
mtime.conffile..etc.apache2.ports.conf: 2020-04-23T15:45:48.169037
mtime.conffile..etc.apache2.sites-available.000-default.conf: 2020-04-23T15:45:48.197030
mtime.conffile..etc.apache2.sites-available.default-ssl.conf: 2020-04-23T15:45:48.225022