Debian 10261 Published by

A mod-wsgi security update has been released for Debian GNU/Linux 9 Extended LTS to address an issue where a request from an untrusted proxy does not remove the X-Client-IP header and thus allowing this header to be passed to the target WSGI application.



ELA-659-1 mod-wsgi security update

Package mod-wsgi
Version 4.5.11-1+deb9u1 (stretch)
Related CVEs CVE-2022-2255

An issue has been found in mod-wsgi, a Python WSGI adapter module for Apache. A request from an untrusted proxy does not remove the X-Client-IP header and thus allowing this header to be passed to the target WSGI application.

For Debian 9 stretch, these problems have been fixed in version 4.5.11-1+deb9u1.

We recommend that you upgrade your mod-wsgi packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/.

  ELA-659-1 mod-wsgi security update