[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1020596: bullseye-pu: mod-wsgi/4.7.1-3+deb11u1

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for mod-wsgi fixes CVE-2022-2255 in Bullseye. This CVE has been marked as no-dsa by the security team.
The same fix has already been uploaded to Unstable/Testing, Stretch, Jessie and Buster and nobody complained yet. 

  Thorsten

diff -Nru mod-wsgi-4.7.1/debian/changelog mod-wsgi-4.7.1/debian/changelog
--- mod-wsgi-4.7.1/debian/changelog	2020-10-15 21:48:24.000000000 +0200
+++ mod-wsgi-4.7.1/debian/changelog	2022-09-12 23:03:02.000000000 +0200
@@ -1,3 +1,11 @@
+mod-wsgi (4.7.1-3+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2022-2255 (Closes: #1016476)
+    drop X-Client-IP header when is not a trusted header
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Mon, 12 Sep 2022 23:03:02 +0200
+
 mod-wsgi (4.7.1-3) unstable; urgency=medium
 
   [ Stefano Rivera ]
diff -Nru mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch
--- mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch	1970-01-01 01:00:00.000000000 +0100
+++ mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch	2022-07-31 02:01:02.000000000 +0200
@@ -0,0 +1,18 @@
+commit af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
+Author: Graham Dumpleton <Graham.Dumpleton@gmail.com>
+Date:   Mon Jul 18 12:29:38 2022 +1000
+
+    Add fix to ensure that X-Client-IP header is dropped when is not a trusted header.
+
+Index: mod-wsgi-4.7.1/src/server/mod_wsgi.c
+===================================================================
+--- mod-wsgi-4.7.1.orig/src/server/mod_wsgi.c	2022-07-31 02:00:58.799486663 +0200
++++ mod-wsgi-4.7.1/src/server/mod_wsgi.c	2022-07-31 02:00:58.795486661 +0200
+@@ -13942,6 +13942,7 @@
+             name = ((const char**)trusted_proxy_headers->elts)[i];
+ 
+             if (!strcmp(name, "HTTP_X_FORWARDED_FOR") ||
++                     !strcmp(name, "HTTP_X_CLIENT_IP") ||
+                      !strcmp(name, "HTTP_X_REAL_IP")) {
+ 
+                 match_client_header = 1;
diff -Nru mod-wsgi-4.7.1/debian/patches/series mod-wsgi-4.7.1/debian/patches/series
--- mod-wsgi-4.7.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ mod-wsgi-4.7.1/debian/patches/series	2022-07-31 02:00:46.000000000 +0200
@@ -0,0 +1 @@
+CVE-2022-2255.patch
Reply to: