From ${URL} : It was reported [1] that mod_remoteip does not properly filter the IP addresses supplied in HTTP headers, which can allow a remote attacker to hide his real IP address, or bypass IP based restrictions. This issue is fixed upstream: https://svn.apache.org/viewvc?view=revision&revision=1564052 Additional information can be found at the below bugreports: https://issues.apache.org/bugzilla/show_bug.cgi?id=54651 https://bugzilla.redhat.com/show_bug.cgi?id=1179306 [1]: http://mail-archives.apache.org/mod_mbox/httpd-users/201210.mbox/%3cCAHa2qaJSW7Hvk68grWMbbiFSA=zAxQ1nr_-A-K-pDWbAB0Gd1Q@mail.gmail.com%3e @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
2.4 versions in the tree are solved and 2.2.x is not affected by this
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02 by GLSA coordinator Kristian Fiskerstrand (K_F).