Bug#1020596: bullseye-pu: mod-wsgi/4.7.1-3+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
The attached debdiff for mod-wsgi fixes CVE-2022-2255 in Bullseye. This
CVE has been marked as no-dsa by the security team.
The same fix has already been uploaded to Unstable/Testing, Stretch,
Jessie and Buster, and nobody has complained yet.
Thorsten
diff -Nru mod-wsgi-4.7.1/debian/changelog mod-wsgi-4.7.1/debian/changelog
--- mod-wsgi-4.7.1/debian/changelog 2020-10-15 21:48:24.000000000 +0200
+++ mod-wsgi-4.7.1/debian/changelog 2022-09-12 23:03:02.000000000 +0200
@@ -1,3 +1,11 @@
+mod-wsgi (4.7.1-3+deb11u1) bullseye; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2022-2255 (Closes: #1016476)
+ drop X-Client-IP header when is not a trusted header
+
+ -- Thorsten Alteholz <debian@alteholz.de> Mon, 12 Sep 2022 23:03:02 +0200
+
mod-wsgi (4.7.1-3) unstable; urgency=medium
[ Stefano Rivera ]
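Review bot: the changelog line "drop X-Client-IP header when is not a trusted header" is missing its subject; suggest "drop X-Client-IP header when it is not a trusted header" so the entry reads as a sentence (the upstream patch description quoted in the new patch file has the same slip, but the Debian changelog is what users see in the stable update notes).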
diff -Nru mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch
--- mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch 1970-01-01 01:00:00.000000000 +0100
+++ mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch 2022-07-31 02:01:02.000000000 +0200
@@ -0,0 +1,18 @@
+commit af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751
+Author: Graham Dumpleton <Graham.Dumpleton@gmail.com>
+Date: Mon Jul 18 12:29:38 2022 +1000
+
+ Add fix to ensure that X-Client-IP header is dropped when is not a trusted header.
+
+Index: mod-wsgi-4.7.1/src/server/mod_wsgi.c
+===================================================================
+--- mod-wsgi-4.7.1.orig/src/server/mod_wsgi.c 2022-07-31 02:00:58.799486663 +0200
++++ mod-wsgi-4.7.1/src/server/mod_wsgi.c 2022-07-31 02:00:58.795486661 +0200
+@@ -13942,6 +13942,7 @@
+ name = ((const char**)trusted_proxy_headers->elts)[i];
+
+ if (!strcmp(name, "HTTP_X_FORWARDED_FOR") ||
++ !strcmp(name, "HTTP_X_CLIENT_IP") ||
+ !strcmp(name, "HTTP_X_REAL_IP")) {
+
+ match_client_header = 1;
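Review bot: the new patch file carries only the raw upstream commit header and no DEP-3 metadata, so add at least `Origin: upstream, commit af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751` and `Bug-Debian: https://bugs.debian.org/1016476` (plus a `Bug:` line for the CVE if an upstream issue exists) above the `Index:` line, which is what a stable-update reviewer and later maintainers will look for. On the logic side, the hunk only adds `HTTP_X_CLIENT_IP` to the membership test that sets `match_client_header` alongside `HTTP_X_FORWARDED_FOR` and `HTTP_X_REAL_IP`; the dropping of the header when it is not trusted happens in code outside this hunk, so please confirm that in the 4.7.1 source the code following this test already strips every client-IP header that is not in `trusted_proxy_headers` once `match_client_header` is set, otherwise the changelog's "drop X-Client-IP header" claim would not hold for this version.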
diff -Nru mod-wsgi-4.7.1/debian/patches/series mod-wsgi-4.7.1/debian/patches/series
--- mod-wsgi-4.7.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ mod-wsgi-4.7.1/debian/patches/series 2022-07-31 02:00:46.000000000 +0200
@@ -0,0 +1 @@
+CVE-2022-2255.patch