import UBI mod_wsgi-4.7.1-7.module+el8.10.0+23075+0aa18782.1

2025-05-12 12:56:01 +00:00 · 2025-05-12 12:56:01 +00:00 · 9e309f265a
commit 9e309f265a
parent 2bcf353cf5
2 changed files with 29 additions and 1 deletions
--- a/SOURCES/mod_wsgi-4.7.1-CVE-2022-2255.patch
+++ b/SOURCES/mod_wsgi-4.7.1-CVE-2022-2255.patch
@ -0,0 +1,23 @@
+From af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751 Mon Sep 17 00:00:00 2001
+From: Graham Dumpleton <Graham.Dumpleton@gmail.com>
+Date: Mon, 18 Jul 2022 12:29:38 +1000
+Subject: [PATCH] Add fix to ensure that X-Client-IP header is dropped when is
+ not a trusted header.
+
+---
+ src/server/mod_wsgi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/server/mod_wsgi.c b/src/server/mod_wsgi.c
+index 0123472b..a4b49df1 100644
+--- a/src/server/mod_wsgi.c
+++ b/src/server/mod_wsgi.c
+@@ -14055,6 +14055,7 @@ static void wsgi_process_proxy_headers(request_rec *r)
+             name = ((const char**)trusted_proxy_headers->elts)[i];
+ 
+             if (!strcmp(name, "HTTP_X_FORWARDED_FOR") ||
+                     !strcmp(name, "HTTP_X_CLIENT_IP") ||
+                      !strcmp(name, "HTTP_X_REAL_IP")) {
+ 
+                 match_client_header = 1;
+
--- a/SPECS/mod_wsgi.spec
+++ b/SPECS/mod_wsgi.spec
@ -15,7 +15,7 @@

 Name:           mod_wsgi
 Version:        4.7.1
-Release:        7%{?dist}
+Release:        7%{?dist}.1
 Summary:        A WSGI interface for Python web applications in Apache
 License:        ASL 2.0
 URL:            https://modwsgi.readthedocs.io/
@ -25,6 +25,7 @@ Source2:        wsgi-python3.conf
 Patch1:         mod_wsgi-4.5.20-exports.patch
 Patch2:         mod_wsgi-4.9.1-request-limit.patch
 Patch3:         mod_wsgi-4.7.1-remove-rpath.patch
+Patch4:         mod_wsgi-4.7.1-CVE-2022-2255.patch

 # Exclude i686 arch. Due to a modularity issue it's being added to the
 # x86_64 compose of CRB, but we don't want to ship it at all.
@ -179,6 +180,10 @@ ln -s %{_bindir}/mod_wsgi-express-2 $RPM_BUILD_ROOT%{_bindir}/mod_wsgi-express
 %endif

 %changelog
+* Wed Apr 30 2025 Luboš Uhliarik <luhliari@redhat.com> - 4.7.1-7.1
+- Resolves: RHEL-87514 - CVE-2022-2255 python39:3.9/mod_wsgi: Trusted
+  Proxy Headers Removing Bypass
+
 * Fri Jul 14 2023 Charalampos Stratakis <cstratak@redhat.com> - 4.7.1-7
 - Bump release for rebuild
 Resolves: rhbz#2213595