From 4626062b817f4c28caf65258333f67ea6181e6c0 Mon Sep 17 00:00:00 2001
From: Jacob Wang
Date: Tue, 13 May 2025 16:15:30 +0800
Subject: [PATCH] [CVE]update to mod_wsgi-4.7.1-7.1 to #IC7GXU
update to mod_wsgi-4.7.1-7.1 for CVE-2022-2255
Project: TC2024080204
Signed-off-by: Jacob Wang
---
 mod_wsgi-4.7.1-CVE-2022-2255.patch | 23 +++++++++++++++++++++++
 mod_wsgi.spec | 7 ++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 mod_wsgi-4.7.1-CVE-2022-2255.patch
diff --git a/mod_wsgi-4.7.1-CVE-2022-2255.patch b/mod_wsgi-4.7.1-CVE-2022-2255.patch
new file mode 100644
index 0000000..d0cc187
--- /dev/null
+++ b/mod_wsgi-4.7.1-CVE-2022-2255.patch
@@ -0,0 +1,23 @@
+From af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751 Mon Sep 17 00:00:00 2001
+From: Graham Dumpleton
+Date: Mon, 18 Jul 2022 12:29:38 +1000
+Subject: [PATCH] Add fix to ensure that X-Client-IP header is dropped when is
+ not a trusted header.
+
+---
+ src/server/mod_wsgi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/server/mod_wsgi.c b/src/server/mod_wsgi.c
+index 0123472b..a4b49df1 100644
+--- a/src/server/mod_wsgi.c
++++ b/src/server/mod_wsgi.c
+@@ -14055,6 +14055,7 @@ static void wsgi_process_proxy_headers(request_rec *r)
+ name = ((const char**)trusted_proxy_headers->elts)[i];
+
+ if (!strcmp(name, "HTTP_X_FORWARDED_FOR") ||
++ !strcmp(name, "HTTP_X_CLIENT_IP") ||
+ !strcmp(name, "HTTP_X_REAL_IP")) {
+
+ match_client_header = 1;
+
diff --git a/mod_wsgi.spec b/mod_wsgi.spec
index 247a9a7..6a20ceb 100644
--- a/mod_wsgi.spec
+++ b/mod_wsgi.spec
@@ -15,7 +15,7 @@
 Name: mod_wsgi
 Version: 4.7.1
-Release: 7%{?dist}
+Release: 7%{?dist}.1
 Summary: A WSGI interface for Python web applications in Apache
 License: ASL 2.0
 URL: https://modwsgi.readthedocs.io/
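Review bot: The added `!strcmp(name, "HTTP_X_CLIENT_IP") ||` alternative is the entire fix, so the backport is only correct if this hunk lands inside the right `if` in 4.7.1's `wsgi_process_proxy_headers`; its context comes from a July 2022 upstream tree at line 14055 while the packaged Version is 4.7.1, so it will most likely apply with an offset, and the build log should be checked to confirm it applies without fuzz and that the matched condition is the one setting `match_client_header = 1`. The three header names now live in this condition as bare string literals, and the code that later drops untrusted client-IP headers (outside the hunk) presumably carries its own copy of the same list; a single `static const char *const client_ip_headers[]` table consulted from both sites would prevent the two lists drifting apart again, which is the kind of omission this patch corrects. The enclosing function begins and ends outside the hunk.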
@@ -25,6 +25,7 @@ Source2: wsgi-python3.conf
 Patch1: mod_wsgi-4.5.20-exports.patch
 Patch2: mod_wsgi-4.9.1-request-limit.patch
 Patch3: mod_wsgi-4.7.1-remove-rpath.patch
+Patch4: mod_wsgi-4.7.1-CVE-2022-2255.patch
 # Exclude i686 arch. Due to a modularity issue it's being added to the
 # x86_64 compose of CRB, but we don't want to ship it at all.
@@ -179,6 +180,10 @@ ln -s %{_bindir}/mod_wsgi-express-2 $RPM_BUILD_ROOT%{_bindir}/mod_wsgi-express
 %endif
 %changelog
+* Wed Apr 30 2025 Luboš Uhliarik - 4.7.1-7.1
+- Resolves: RHEL-87514 - CVE-2022-2255 python39:3.9/mod_wsgi: Trusted
+ Proxy Headers Removing Bypass
+
 * Fri Jul 14 2023 Charalampos Stratakis - 4.7.1-7
 - Bump release for rebuild
 Resolves: rhbz#2213595
-- Gitee
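Review bot: `Patch4: mod_wsgi-4.7.1-CVE-2022-2255.patch` only declares the source; whether it is applied depends on `%prep`, which is outside this hunk — if the spec uses explicit `%patchN` directives rather than `%autosetup`, a matching `%patch4 -p1` (the embedded patch uses `a/src/server/mod_wsgi.c` paths) must be added or the build will succeed without the CVE-2022-2255 fix. Confirm from the build log that the patch is applied and that the built `mod_wsgi.c` contains the `HTTP_X_CLIENT_IP` check before shipping the 7.1 release.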