An update for mod_wsgi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1827 Final 1.0 1.0 2022-08-13 Initial 2022-08-13 2022-08-13 openEuler SA Tool V1.0 2022-08-13 mod_wsgi security update An update for mod_wsgi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. The mod_wsgi adapter is an Apache module that provides a WSGI compliant interface for hosting Python based web applications within Apache. The adapter is written completely in C code against the Apache C runtime andfor hosting WSGI applications within Apache has a lower overhead than using existing WSGI adapters for mod_python or CGI. Security Fix(es): A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy (trusted proxies are configured via the WSGITrustedProxies directive) allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing. References: https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941 https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082(CVE-2022-2255) An update for mod_wsgi is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium mod_wsgi https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1827 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-2255 https://nvd.nist.gov/vuln/detail/CVE-2022-2255 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS mod_wsgi-debuginfo-4.6.4-3.oe1.aarch64.rpm python3-mod_wsgi-4.6.4-3.oe1.aarch64.rpm mod_wsgi-debugsource-4.6.4-3.oe1.aarch64.rpm python3-mod_wsgi-4.6.4-3.oe1.aarch64.rpm mod_wsgi-debugsource-4.6.4-3.oe1.aarch64.rpm mod_wsgi-debuginfo-4.6.4-3.oe1.aarch64.rpm python3-mod_wsgi-4.6.4-3.oe2203.aarch64.rpm mod_wsgi-debuginfo-4.6.4-3.oe2203.aarch64.rpm mod_wsgi-debugsource-4.6.4-3.oe2203.aarch64.rpm mod_wsgi-4.6.4-3.oe1.src.rpm mod_wsgi-4.6.4-3.oe1.src.rpm mod_wsgi-4.6.4-3.oe2203.src.rpm python3-mod_wsgi-4.6.4-3.oe1.x86_64.rpm mod_wsgi-debugsource-4.6.4-3.oe1.x86_64.rpm mod_wsgi-debuginfo-4.6.4-3.oe1.x86_64.rpm python3-mod_wsgi-4.6.4-3.oe1.x86_64.rpm mod_wsgi-debuginfo-4.6.4-3.oe1.x86_64.rpm mod_wsgi-debugsource-4.6.4-3.oe1.x86_64.rpm mod_wsgi-debugsource-4.6.4-3.oe2203.x86_64.rpm python3-mod_wsgi-4.6.4-3.oe2203.x86_64.rpm mod_wsgi-debuginfo-4.6.4-3.oe2203.x86_64.rpm A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy (trusted proxies are configured via the WSGITrustedProxies directive) allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.References:https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082 2022-08-13 CVE-2022-2255 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP3 openEuler-22.03-LTS Medium 5.6 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L mod_wsgi security update 2022-08-13 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1827