Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
The attached debdiff for mod-wsgi fixes CVE-2022-2255 in Bullseye. This CVE has been marked as no-dsa by the security team.
The same fix has already been uploaded to Unstable/Testing, Stretch, Jessie and Buster and nobody has complained yet.
Thorsten
diff -Nru mod-wsgi-4.7.1/debian/changelog mod-wsgi-4.7.1/debian/changelog --- mod-wsgi-4.7.1/debian/changelog 2020-10-15 21:48:24.000000000 +0200 +++ mod-wsgi-4.7.1/debian/changelog 2022-09-12 23:03:02.000000000 +0200 @@ -1,3 +1,11 @@ +mod-wsgi (4.7.1-3+deb11u1) bullseye; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2022-2255 (Closes: #1016476) + drop X-Client-IP header when is not a trusted header + + -- Thorsten Alteholz <deb...@alteholz.de> Mon, 12 Sep 2022 23:03:02 +0200 + mod-wsgi (4.7.1-3) unstable; urgency=medium [ Stefano Rivera ] diff -Nru mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch --- mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch 1970-01-01 01:00:00.000000000 +0100 +++ mod-wsgi-4.7.1/debian/patches/CVE-2022-2255.patch 2022-07-31 02:01:02.000000000 +0200 @@ -0,0 +1,18 @@ +commit af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751 +Author: Graham Dumpleton <graham.dumple...@gmail.com> +Date: Mon Jul 18 12:29:38 2022 +1000 + + Add fix to ensure that X-Client-IP header is dropped when is not a trusted header. + +Index: mod-wsgi-4.7.1/src/server/mod_wsgi.c +=================================================================== +--- mod-wsgi-4.7.1.orig/src/server/mod_wsgi.c 2022-07-31 02:00:58.799486663 +0200 ++++ mod-wsgi-4.7.1/src/server/mod_wsgi.c 2022-07-31 02:00:58.795486661 +0200 +@@ -13942,6 +13942,7 @@ + name = ((const char**)trusted_proxy_headers->elts)[i]; + + if (!strcmp(name, "HTTP_X_FORWARDED_FOR") || ++ !strcmp(name, "HTTP_X_CLIENT_IP") || + !strcmp(name, "HTTP_X_REAL_IP")) { + + match_client_header = 1; diff -Nru mod-wsgi-4.7.1/debian/patches/series mod-wsgi-4.7.1/debian/patches/series --- mod-wsgi-4.7.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ mod-wsgi-4.7.1/debian/patches/series 2022-07-31 02:00:46.000000000 +0200 @@ -0,0 +1 @@ +CVE-2022-2255.patch
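Review bot: the changelog entry "drop X-Client-IP header when is not a trusted header" is missing its subject and should read "drop the X-Client-IP header when it is not a trusted header"; it would also help reviewers of the pu request to name the upstream commit the patch is taken from (af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751) next to the Closes: #1016476 reference, so the provenance of the fix is visible without opening the patch file.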
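Review bot: the mod_wsgi.c hunk at 13942 only adds HTTP_X_CLIENT_IP to the name comparison that sets match_client_header = 1 while walking trusted_proxy_headers; the dropping of an untrusted X-Client-IP that the commit message describes happens in code outside this hunk that consults match_client_header, so please confirm that the surrounding logic in the Bullseye 4.7.1 source matches upstream at that point (the unchanged line offset suggests it does) and that a request carrying only X-Client-IP through an untrusted proxy no longer reaches the application with that header. Separately, the patch file has the upstream git header but no DEP-3 fields; an "Origin:" line naming the upstream commit af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751 and a "Bug-Debian:" line for #1016476 at the top of CVE-2022-2255.patch would make its provenance machine-readable.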