[SECURITY] [DLA 3111-1] mod-wsgi security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3111-1] mod-wsgi security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Thu, 15 Sep 2022 21:43:48 +0000 (UTC)
Message-id: <[🔎] alpine.DEB.2.21.2209152141550.20406@postfach.intern.alteholz.me>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3111-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
September 15, 2022                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : mod-wsgi
Version        : 4.6.5-1+deb10u1
CVE ID         : CVE-2022-2255

An issue has been found in mod-wsgi, a Python WSGI adapter module forApache. A request from an untrusted proxy does not remove the X-Client-IPheader and thus allowing this header to be passed to the target WSGI application.



For Debian 10 buster, this problem has been fixed in version
4.6.5-1+deb10u1.

We recommend that you upgrade your mod-wsgi packages.

For the detailed security status of mod-wsgi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mod-wsgi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmMjnJRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEeqvQ/+PU3eTKNw5AZugJIXi+OgFC9xtsV7zW+DcrL79Q8BhESSxwYBsmd4vW7E
VTKilN96KWr9bdBy9Q2DUwIYLYCA2BU5n9LgeJxKoNndZNkZ277XA1mQd7UzeZV9
KOZ4AYwnBmcCASENG0Dq88Ia+x1A1x5oi9Y8ibl108XoCfjOc01NibK3i01xgAZL
UsuRXaKGnsXVnlu3UaH6Gz8ajfKbafdAYMeYZxSdHGzkIGOu79C8QqIIg2/wpxl5
/6RpbfSGxaLp07GYWzofjwBeU4eL8eTIflc58Vks/CAn0UPRniMM69FuTiPf795i
aDq3dAWjhm+OkXoo8ag7ekaRel8JR2IqTTgDCpMJbiN9lSQAMC9vYrmJXTMBKPbD
orpE8Fssn8iInksoa3mVRrBKzf9+tze6JjfTtPjkxvRbdZPcqVXg37y66AsrXrf6
m5XqszPmpr9vICsWxsvZK4cT7aP+moKKrRm016vJaiEbt8H6V5uHIIetq1UHvc5Q
ED01WLR90V86nt9gJH2KoB6o6Vs0uhZzxlVbR4yI8hQg0Vs5VYg+ZGyEO4+vQqZC
+Log80urvBwoTZksfEYbDCIVbWT0HVrHaE/YzKHDrUmOozyLqKOG5h3jHZA1A4+s
eNijehWgt8HUGh35MM/t3n8gfkYeTj35Quhu/iuwTaa3lTJgsnw=
=sp8+
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3110-1] glib2.0 security update
Next by Date: [SECURITY] [DLA 3112-1] bzip2 bugfix update
Previous by thread: [SECURITY] [DLA 3110-1] glib2.0 security update
Next by thread: [SECURITY] [DLA 3112-1] bzip2 bugfix update
Index(es):
- Date
- Thread