Bug 30711 - apache-mod_wsgi new security issue CVE-2022-2255
Summary: apache-mod_wsgi new security issue CVE-2022-2255
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Reported: 2022-08-05 18:33 CEST by David Walser
Modified: 2022-08-20 12:05 CEST (History)
4 users (show)

See Also:
Source RPM: apache-mod_wsgi-4.7.1-1.mga9.src.rpm
CVE: CVE-2022-2255
Status comment:


Description David Walser 2022-08-05 18:33:39 CEST
Ubuntu has issued an advisory on August 4:

The issue is fixed upstream in 4.9.3.

Mageia 8 is also affected.
David Walser 2022-08-05 18:33:51 CEST

Status comment: (none) => Fixed upstream in 4.9.3
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-08-06 21:09:29 CEST
No particular packager visible for this SRPM, so obliged to assign this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2022-08-10 02:13:17 CEST
Updated package built for cauldron and Mageia 8


Patched apache-mod_wsgi package fixes security vulnerability:

It was discovered that mod-wsgi did not correctly remove the X-Client-IP header when processing requests from untrusted proxies. A remote attacker could use this issue to pass the header to WSGI applications, contrary to expectations (CVE-2022-2255).


Updated packages in core/updates_testing:

from apache-mod_wsgi-4.6.8-4.1.mga8.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=13831#c6

Status comment: Fixed upstream in 4.9.3 => (none)
CVE: (none) => CVE-2022-2255
CC: (none) => mhrambo3501
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Keywords: (none) => has_procedure
Version: Cauldron => 8

Comment 3 Herman Viaene 2022-08-19 11:45:42 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Followed procedure given above, noting that none of the wsgi folders existed yet on the system, created the folders and files, restarted httpd
and got in the browser "Server error!

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

If you think this is a server error, please contact the webmaster.
Error 500"
I'm stuck here.

CC: (none) => herman.viaene

Comment 4 Dave Hodgins 2022-08-20 04:43:52 CEST
Got nowhere in my attempts to figure out how to test it.

Given that the package is only required by koji-hub, koschei-frontend, and
pagure-web-apache-httpd which are all development oriented packages, validating
on clean install over the prior version.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2022-08-20 12:05:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.