diff --git a/CVE-2022-2255.patch b/CVE-2022-2255.patch
new file mode 100644
index 0000000000000000000000000000000000000000..30e9014a84820ceb873d83a6f933ace073bf7fce
--- /dev/null
+++ b/CVE-2022-2255.patch
@@ -0,0 +1,11 @@
+diff -Nur mod_wsgi-4.6.4.old/src/server/mod_wsgi.c mod_wsgi-4.6.4/src/server/mod_wsgi.c
+--- mod_wsgi-4.6.4.old/src/server/mod_wsgi.c 2022-08-08 15:27:04.978005420 +0800
++++ mod_wsgi-4.6.4/src/server/mod_wsgi.c 2022-08-08 15:30:20.395491862 +0800
+@@ -13897,6 +13897,7 @@
+ value = apr_table_get(r->subprocess_env, name);
+
+ if (!strcmp(name, "HTTP_X_FORWARDED_FOR") ||
++ !strcmp(name, "HTTP_X_CLIENT_IP") ||
+ !strcmp(name, "HTTP_X_REAL_IP")) {
+
+ match_client_header = 1;
diff --git a/mod_wsgi.spec b/mod_wsgi.spec
index dcc6f06cc8a93545cdb1f85af91fde5c8b04e6c5..6e3e9e06d242515b54c8c7f3ffe28eda8941a73c 100644
--- a/mod_wsgi.spec
+++ b/mod_wsgi.spec
@@ -6,15 +6,16 @@
 %global sphinxbin %{_bindir}/sphinx-build-3
 Name: mod_wsgi
 Version: 4.6.4
-Release: 2
+Release: 3
 Summary: A WSGI interface for Python web applications in Apache
-License: ASL 2.0
+License: Apache-2.0
 URL: https://modwsgi.readthedocs.io/
 Source0: https://github.com/GrahamDumpleton/mod_wsgi/archive/%{version}.tar.gz#/mod_wsgi-%{version}.tar.gz
 Source1: wsgi-python3.conf
 Patch1: mod_wsgi-4.5.20-exports.patch
 Patch2: Use-official-APIs-for-accessing-interpreter-list.patch
 Patch3: Changed-functions-to-pre-post-actions-when-forking.patch
+Patch4: CVE-2022-2255.patch
 BuildRequires: httpd-devel gcc
 %{?filter_provides_in: %filter_provides_in %{_httpd_moddir}/.*\.so$}
 %{?filter_setup}
@@ -76,6 +77,9 @@ popd
 %{_bindir}/mod_wsgi-express-3
 %changelog
+* Mon Aug 08 2022 zhuhai95 - 4.6.4-3
+- Fix CVE-2022-2255
+
 * Sat Feb 27 2021 zhaorenhai - 4.6.4-2
 - Add configure file
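Review bot: The embedded patch starts directly at `diff -Nur` with no preamble, so nothing in the package records which upstream change it backports or why the header is being added. The new `!strcmp(name, "HTTP_X_CLIENT_IP") ||` line puts X-Client-IP in the same client-address group as X-Forwarded-For and X-Real-IP. The code that acts on `match_client_header` lies outside the hunk, so the effect on a request from an untrusted proxy cannot be confirmed from the visible lines. I would add a short description above the `diff -Nur` line, for example `Backport of the upstream fix for CVE-2022-2255 (commit <UPSTREAM_COMMIT_ID>): handle X-Client-IP like the other client-address proxy headers`. The three header names are repeated string literals, so a comment at the condition saying that every client-address header a trusted proxy may set must be listed here would help the next backport.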
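Review bot: `Patch4: CVE-2022-2255.patch` only declares the patch; whether it is applied depends on the %prep section, which is outside this hunk. If %prep lists patches one by one rather than using %autosetup or %autopatch, it needs a matching `%patch4 -p1` line. Without it, release 4.6.4-3 would ship without the fix while the changelog says CVE-2022-2255 is fixed. The paths inside the patch (`mod_wsgi-4.6.4.old/src/...` against `mod_wsgi-4.6.4/src/...`) suggest strip level 1.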