Bug 30711 - apache-mod_wsgi new security issue CVE-2022-2255
Summary: apache-mod_wsgi new security issue CVE-2022-2255
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-05 18:33 CEST by David Walser
Modified: 2022-08-20 12:05 CEST (History)

See Also:
Source RPM: apache-mod_wsgi-4.7.1-1.mga9.src.rpm
CVE: CVE-2022-2255
Status comment:



Description David Walser 2022-08-05 18:33:39 CEST
Ubuntu has issued an advisory on August 4:
https://ubuntu.com/security/notices/USN-5551-1

The issue is fixed upstream in 4.9.3.

Mageia 8 is also affected.
David Walser 2022-08-05 18:33:51 CEST

Status comment: (none) => Fixed upstream in 4.9.3
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-08-06 21:09:29 CEST
No particular packager visible for this SRPM, so obliged to assign this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2022-08-10 02:13:17 CEST
Updated package built for cauldron and Mageia 8


Advisory:
========================

Patched apache-mod_wsgi package fixes security vulnerability:

It was discovered that mod-wsgi did not correctly remove the X-Client-IP header when processing requests from untrusted proxies. A remote attacker could use this issue to pass the header to WSGI applications, contrary to expectations (CVE-2022-2255).


References:
https://ubuntu.com/security/notices/USN-5551-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2255
========================

Updated packages in core/updates_testing:
========================
apache-python3-mod_wsgi-4.6.8-4.1.mga8

from apache-mod_wsgi-4.6.8-4.1.mga8.src.rpm


Test procedure: https://bugs.mageia.org/show_bug.cgi?id=13831#c6

Status comment: Fixed upstream in 4.9.3 => (none)
CVE: (none) => CVE-2022-2255
CC: (none) => mhrambo3501
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Keywords: (none) => has_procedure
Version: Cauldron => 8
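
The header-stripping behaviour the advisory describes, as an added example that is not part of this bug report, of mod_wsgi, or of the Mageia package: a WSGI middleware that drops proxy-supplied client-address headers (X-Forwarded-For, X-Real-IP, X-Client-IP) whenever the peer that sent the request is not a trusted proxy. An assumed incomplete header list stands in for the pre-4.9.3 omission of X-Client-IP, so the flawed and hardened filters can be compared on the same request. The trusted network, peer addresses and echo application are constructed for the example.

```python
"""Trusted-proxy filtering of client-address headers in a WSGI middleware.

Added example for this bug report; it is not code from mod_wsgi or from the
Mageia package. It shows the class of defect behind CVE-2022-2255: a filter
that strips proxy-supplied client-address headers from untrusted peers but
overlooks one of them (X-Client-IP), beside the complete list. Addresses,
header sets and the echo application are constructed for the example.
"""
import ipaddress
import json

# WSGI environ keys for headers a reverse proxy uses to carry the real client
# address. Any of them arriving from a peer that is not a trusted proxy is
# attacker-controlled and must not reach the application.
CLIENT_ADDRESS_HEADERS = (
    "HTTP_X_FORWARDED_FOR",
    "HTTP_X_REAL_IP",
    "HTTP_X_CLIENT_IP",
)

# Deliberately incomplete list (assumed for the example), standing in for a
# filter that forgets X-Client-IP.
INCOMPLETE_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP")


class TrustedProxyMiddleware:
    """Drop client-address headers unless REMOTE_ADDR is a trusted proxy."""

    def __init__(self, app, trusted_proxies, headers=CLIENT_ADDRESS_HEADERS):
        self.app = app
        self.trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
        self.headers = headers

    def is_trusted(self, remote_addr):
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False  # unparsable peer address: never trust it
        return any(addr in net for net in self.trusted)

    def __call__(self, environ, start_response):
        if not self.is_trusted(environ.get("REMOTE_ADDR", "")):
            for key in self.headers:
                environ.pop(key, None)
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Minimal WSGI app reporting which client-address headers it received."""
    seen = {k: environ[k] for k in CLIENT_ADDRESS_HEADERS if k in environ}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(seen).encode()]


def headers_seen_by_app(app, remote_addr, proxy_headers):
    """Run `app` on a constructed environ and return the client-address
    headers the wrapped application actually saw."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    environ.update(proxy_headers)
    body = app(environ, lambda status, response_headers: None)
    return json.loads(b"".join(body).decode())


# Constructed scenario: 192.0.2.0/24 is the proxy tier; 203.0.113.7 is a
# direct (untrusted) client trying to spoof its source address.
TRUSTED = ["192.0.2.0/24"]
SPOOFED = {"HTTP_X_FORWARDED_FOR": "10.0.0.1", "HTTP_X_CLIENT_IP": "10.0.0.1"}

fixed_app = TrustedProxyMiddleware(echo_app, TRUSTED)
flawed_app = TrustedProxyMiddleware(echo_app, TRUSTED, headers=INCOMPLETE_HEADERS)

if __name__ == "__main__":
    print("fixed, untrusted peer: ", headers_seen_by_app(fixed_app, "203.0.113.7", SPOOFED))
    print("flawed, untrusted peer:", headers_seen_by_app(flawed_app, "203.0.113.7", SPOOFED))
    print("fixed, trusted proxy:  ", headers_seen_by_app(fixed_app, "192.0.2.10", SPOOFED))
```

With the flawed list the untrusted client's X-Client-IP value reaches the application, which is the condition the advisory describes; with the complete list nothing gets through unless the request really came from the proxy tier. In mod_wsgi itself this filtering is driven by the WSGITrustedProxies and WSGITrustedProxyHeaders directives rather than by application-side middleware, but a check of this shape (send every known alias from an untrusted address and assert none survives) is how a deployment can confirm the updated package behaves as expected.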

Comment 3 Herman Viaene 2022-08-19 11:45:42 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
Followed the procedure given above, noting that none of the wsgi folders existed yet on the system; created the folders and files, restarted httpd,
and got in the browser:

"Server error!

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

If you think this is a server error, please contact the webmaster.
Error 500"

I'm stuck here.

CC: (none) => herman.viaene

Comment 4 Dave Hodgins 2022-08-20 04:43:52 CEST
Got nowhere in my attempts to figure out how to test it.

Given that the package is only required by koji-hub, koschei-frontend, and
pagure-web-apache-httpd, which are all development oriented packages, validating
on a clean install over the prior version.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2022-08-20 12:05:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0289.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

