From 59bcd859ac6644acb36357d4bf9a1ddff301c074 Mon Sep 17 00:00:00 2001
From: zhuhai
Date: Mon, 8 Aug 2022 11:47:56 +0800
Subject: [PATCH] CVE-2022-2255 change License to git Apache-2.0 cve to CVE
---
 CVE-2022-2255.patch | 11 +++++++++++
 mod_wsgi.spec | 8 ++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2022-2255.patch
diff --git a/CVE-2022-2255.patch b/CVE-2022-2255.patch
new file mode 100644
index 0000000..713316f
--- /dev/null
+++ b/CVE-2022-2255.patch
@@ -0,0 +1,11 @@
+diff -Nur mod_wsgi-4.9.1.old/src/server/mod_wsgi.c mod_wsgi-4.9.1/src/server/mod_wsgi.c
+--- mod_wsgi-4.9.1.old/src/server/mod_wsgi.c 2022-08-08 10:12:40.044127804 +0800
++++ mod_wsgi-4.9.1/src/server/mod_wsgi.c 2022-08-08 10:14:21.532845853 +0800
+@@ -14044,6 +14044,7 @@
+ name = ((const char**)trusted_proxy_headers->elts)[i];
+
+ if (!strcmp(name, "HTTP_X_FORWARDED_FOR") ||
++ !strcmp(name, "HTTP_X_CLIENT_IP") ||
+ !strcmp(name, "HTTP_X_REAL_IP")) {
+
+ match_client_header = 1;
diff --git a/mod_wsgi.spec b/mod_wsgi.spec
index 38fb4e2..1d94beb 100644
--- a/mod_wsgi.spec
+++ b/mod_wsgi.spec
@@ -6,13 +6,14 @@
 %global sphinxbin %{_bindir}/sphinx-build-3
 Name: mod_wsgi
 Version: 4.9.1
-Release: 1
+Release: 2
 Summary: A WSGI interface for Python web applications in Apache
-License: ASL 2.0
+License: Apache-2.0
 URL: https://modwsgi.readthedocs.io/
 Source0: https://github.com/GrahamDumpleton/mod_wsgi/archive/refs/tags/%{version}.tar.gz
 Source1: wsgi-python3.conf
 Patch1: mod_wsgi-4.5.20-exports.patch
+Patch2: CVE-2022-2255.patch
 BuildRequires: httpd-devel gcc perl
 %{?filter_provides_in: %filter_provides_in %{_httpd_moddir}/.*\.so$}
 %{?filter_setup}
@@ -74,6 +75,9 @@ popd
 %{_bindir}/mod_wsgi-express-3
 %changelog
+* Mon Aug 08 2022 zhuhai95 - 4.9.1-2
+- Fix CVE-2022-2255
+
 * Tue May 17 2022 yangping - 4.9.1-1
 - Update to 4.9.1
--
Gitee
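Review bot: The patch file added here carries no provenance header, so the one-line change to the `strcmp` chain cannot be traced to the upstream mod_wsgi change it is meant to reproduce for CVE-2022-2255. A short prose header before the `diff -Nur` line would cover it, for example `Origin: <upstream-commit-url>` (placeholder) plus one sentence saying that `HTTP_X_CLIENT_IP` is now treated like `HTTP_X_FORWARDED_FOR` and `HTTP_X_REAL_IP` when `match_client_header` is set. The enclosing function begins and ends outside the hunk, so any other place in it that enumerates these client-address header names is not visible; it is worth confirming that each such list also names `HTTP_X_CLIENT_IP`, since a header that is compared here but not handled there could still reach the WSGI application.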
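Review bot: `Patch2: CVE-2022-2255.patch` only declares the patch; the `%prep` section that applies it is outside both spec hunks, so it should be confirmed that the build actually applies it. The paths inside the patch have one leading directory (`mod_wsgi-4.9.1/src/server/mod_wsgi.c`), so `%prep` needs strip level 1, e.g. `%autosetup -p1` or `%patch2 -p1`. If `%prep` lists patches individually and this one is missing, the package would build as 4.9.1-2 with the changelog entry `Fix CVE-2022-2255` while the source is unchanged.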