python-bottle: CVE-2016-9964: redirect() doesn't filter "\r\n" which allows for CRLF attack


Debian Bug report logs - #848392


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 17 Dec 2016 06:39:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version python-bottle/0.12.7-1

Fixed in versions python-bottle/0.12.11-1, python-bottle/0.12.7-1+deb8u1

Done: Federico Ceratto <federico@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/bottlepy/bottle/issues/913




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Paleino <dapal@debian.org>:
Bug#848392; Package src:python-bottle. (Sat, 17 Dec 2016 06:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Paleino <dapal@debian.org>. (Sat, 17 Dec 2016 06:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-bottle: CVE-2016-9964: redirect() doesn't filter "\r\n" which allows for CRLF attack
Date: Sat, 17 Dec 2016 07:36:00 +0100
Source: python-bottle
Version: 0.12.7-1
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/bottlepy/bottle/issues/913

[apologies if this arrives doubled, will merge the two in case yes]

Hi,

the following vulnerability was published for python-bottle.

CVE-2016-9964[0]:
redirect() doesn't filter "\r\n" which allows for CRLF attack

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9964
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9964
[1] https://github.com/bottlepy/bottle/issues/913
[2] https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
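
As an added illustration of the report above (example code written for this page, not bottle's own redirect() or the upstream fix), the block below models what happens when a caller-supplied URL is copied verbatim into a Location header. An attacker who controls the redirect target (a "next" query parameter is the usual route) appends "\r\n" and a header line of their own; the server serializes it as a second header, and the client parses it as one. The "safe" variant rejects any value containing CR, LF or NUL before it reaches the wire, which is the filtering the report says was missing. The header builders, the serializer, the parser and the sample input are all constructed for the demo.

```python
"""CRLF injection through an unfiltered redirect target, and the check that stops it.

Constructed demo, not bottle's code: unsafe_redirect_headers() and
safe_redirect_headers() stand in for a framework's redirect() helper.
"""
import re

# Attacker-controlled "next" parameter (constructed sample input): a URL
# followed by CRLF and a header line the attacker wants the client to honour.
MALICIOUS_TARGET = "http://example.com/\r\nSet-Cookie: session=attacker-chosen"
BENIGN_TARGET = "http://example.com/account"

# CR, LF and NUL can end the current header line or truncate it; none of them
# is legal inside an HTTP header value.
_CONTROL = re.compile(r"[\r\n\x00]")


def validate_header_value(value: str) -> str:
    """Reject a header value that contains CR, LF or NUL; return it otherwise."""
    if _CONTROL.search(value):
        raise ValueError("header value must not contain control characters: %r" % value)
    return value


def unsafe_redirect_headers(location: str) -> list:
    """Pre-fix behaviour: the caller's string becomes the Location value as-is."""
    return [("Location", location), ("Content-Length", "0")]


def safe_redirect_headers(location: str) -> list:
    """Post-fix behaviour: the value is validated before it becomes a header."""
    return [("Location", validate_header_value(location)), ("Content-Length", "0")]


def serialize(status: str, headers: list) -> bytes:
    """Serialize a status line plus headers the way an HTTP/1.1 server does."""
    lines = [status] + ["%s: %s" % (name, value) for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Parse a header block as a client would: split on CRLF, first line is the status."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    parsed = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        parsed[name.strip()] = value.strip()
    return parsed


def demo_unsafe(target: str) -> dict:
    """Headers a client sees when the target is not filtered."""
    return parse_headers(serialize("HTTP/1.1 303 See Other", unsafe_redirect_headers(target)))


def demo_safe(target: str) -> dict:
    """Headers a client sees with filtering; raises ValueError on an injection attempt."""
    return parse_headers(serialize("HTTP/1.1 303 See Other", safe_redirect_headers(target)))


if __name__ == "__main__":
    # The injected Set-Cookie line shows up as a separate header.
    print(demo_unsafe(MALICIOUS_TARGET))
    try:
        demo_safe(MALICIOUS_TARGET)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the value (rather than stripping the control characters) is the right default: a redirect target that contains CRLF is never legitimate, and silently mangling it hides the attempt from logs. The same check belongs on every header-setting path, not only redirect(), since Set-Cookie, Content-Disposition and friends take caller-supplied strings too.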



Reply sent to Federico Ceratto <federico@debian.org>:
You have taken responsibility. (Sun, 18 Dec 2016 12:36:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Dec 2016 12:36:08 GMT)


Message #10 received at 848392-close@bugs.debian.org:

From: Federico Ceratto <federico@debian.org>
To: 848392-close@bugs.debian.org
Subject: Bug#848392: fixed in python-bottle 0.12.11-1
Date: Sun, 18 Dec 2016 12:34:24 +0000
Source: python-bottle
Source-Version: 0.12.11-1

We believe that the bug you reported is fixed in the latest version of
python-bottle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto <federico@debian.org> (supplier of updated python-bottle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Dec 2016 11:55:28 +0000
Source: python-bottle
Binary: python-bottle python3-bottle python-bottle-doc
Architecture: source all
Version: 0.12.11-1
Distribution: unstable
Urgency: high
Maintainer: David Paleino <dapal@debian.org>
Changed-By: Federico Ceratto <federico@debian.org>
Description:
 python-bottle - fast and simple WSGI-framework for Python
 python-bottle-doc - fast and simple WSGI-framework for Python - documentation
 python3-bottle - fast and simple WSGI-framework for Python3
Closes: 848392
Changes:
 python-bottle (0.12.11-1) unstable; urgency=high
 .
   * New upstream release (Closes: #848392)
   * Add python-setuptools dependency
Checksums-Sha1:
 0956899393fdfe3e9cce979c4096c3bb4e6be5df 2383 python-bottle_0.12.11-1.dsc
 bfddf9c0ad99b555ff076ecf1602af0d369d3cd5 289102 python-bottle_0.12.11.orig.tar.gz
 f8067321f525d6052a96ea9709461c404a1d916a 5948 python-bottle_0.12.11-1.debian.tar.xz
 d394876f4aaeb662c2db4f9a5d623246da34ed6b 189590 python-bottle-doc_0.12.11-1_all.deb
 6ce40c89f572d60b9d9aa09f9b1cb066f1a9cff8 46268 python-bottle_0.12.11-1_all.deb
 6f9e62e71dabd4775ac601905848ed21cec6aa4d 7719 python-bottle_0.12.11-1_amd64.buildinfo
 ed84b74062faaca6b2ed2e4855a048d8ba9a01eb 46332 python3-bottle_0.12.11-1_all.deb
Checksums-Sha256:
 3f442167166068d2a1aa149cdc84885d8eeb7fc9170fbdcdb1ec2f5c07642bd5 2383 python-bottle_0.12.11-1.dsc
 c815cfd1bd0757f4bc9e3d71973477373efba531bb63a8abc320e5550d8403b8 289102 python-bottle_0.12.11.orig.tar.gz
 3c5728dacdecc465e4e4b810688aaf52bceccae59838de18bcf56756509e3a66 5948 python-bottle_0.12.11-1.debian.tar.xz
 1c59bd90be5ef16d23aff3ab4f37342353750f5848bc0098d57b946eccab0e4d 189590 python-bottle-doc_0.12.11-1_all.deb
 3f8eebe29bc94291586e0f7b6944045c553f42ddf22a6afc910b9906284acd44 46268 python-bottle_0.12.11-1_all.deb
 dad40ef898dc44843112378862284c50e91424052dd9149bd62c85cf3f72c861 7719 python-bottle_0.12.11-1_amd64.buildinfo
 5e00d349dc17f1cc44ae5f5e5081bb573cdc1b5b64cd9eb889794961370f81e3 46332 python3-bottle_0.12.11-1_all.deb
Files:
 16c2e1b4531248adf830298b8ea7fca9 2383 python optional python-bottle_0.12.11-1.dsc
 887b907d4f38fa3ab8c8a044c4b846a6 289102 python optional python-bottle_0.12.11.orig.tar.gz
 c3b1144217878c9977c33176dda13ff8 5948 python optional python-bottle_0.12.11-1.debian.tar.xz
 0741e392572d457328c54311d5a70f19 189590 doc optional python-bottle-doc_0.12.11-1_all.deb
 ceb0d970c63e8cd8d8fa2069b5ec17b3 46268 python optional python-bottle_0.12.11-1_all.deb
 e2b6b35b01db08a94f22f000a42ecd61 7719 python optional python-bottle_0.12.11-1_amd64.buildinfo
 bbe4dc27d35ad299fe67cfb8519ebe03 46332 python optional python3-bottle_0.12.11-1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfKfd+zM5IUCMbyuWbzG8RPUXfaoFAlhWfSgACgkQbzG8RPUX
faovqg//ZbPIpo553EqVj0HcXlslsMhu+TkgxEGsC3Lhs+f76UggQEfFzTk3HzDO
pExsVyrypTtCRIu7ngPBZiOOGKtn69PGnXg1GfUQvPCSjld8o0k684iZCO2U/YUX
Dkd//o7KDCfXcR7P1gHTWUa/2Lbpc2sQs4+vcftQ5HZKrqtKOnQ4yY3V+OosTy2S
HyKBkWiiOYk2B+pjlfT/2L3fEiN7sujeWsrAOgGsTgRdtj2CK7JlRGiDNpCajHFV
1ZyWp2IJekJxlwkntFYZdHGYJuAjQ/YSTqhg2AAHPuDlvBNbf++q9xva6Pb0KTsf
whA2JiB+5T5+Zso5pNnDLGdfrY4OJhY8gG1suVeAatFuEsMVQbUY3thYV7V94D+s
5+zeutpweBRTmEjUfBUPi18lORc75ZXQuc2CmQSuYPqZFJkHW6Spqv9h7e8H6pNb
oQ/Vb5xIi3vYWmbcv8Cp8EIbitwn1Zd5vy101NcNTqi3bCUntgp/ModDuDZ5vbR2
m7Kgz8+SF8drdeo/bgSM4D4fe/b2+gUFGuoK7T2Jc4fdIhMR4BKSbmjIlirOXe5M
w1P100Pxd9r74ib/ePPMX2IN/j0q7l/VJFQz575UdNuo5iQ982AP+nI5Hc/QURnE
HgJM0ipn2tM4LorjIvpna4SDLskpsN4veke1Z1muI+8urTuM+y8=
=1vOj
-----END PGP SIGNATURE-----




Reply sent to Federico Ceratto <federico@debian.org>:
You have taken responsibility. (Fri, 23 Dec 2016 18:33:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 Dec 2016 18:33:06 GMT)


Message #15 received at 848392-close@bugs.debian.org:

From: Federico Ceratto <federico@debian.org>
To: 848392-close@bugs.debian.org
Subject: Bug#848392: fixed in python-bottle 0.12.7-1+deb8u1
Date: Fri, 23 Dec 2016 18:32:11 +0000
Source: python-bottle
Source-Version: 0.12.7-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
python-bottle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto <federico@debian.org> (supplier of updated python-bottle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Dec 2016 13:03:44 +0000
Source: python-bottle
Binary: python-bottle python3-bottle python-bottle-doc
Architecture: source all
Version: 0.12.7-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: David Paleino <dapal@debian.org>
Changed-By: Federico Ceratto <federico@debian.org>
Description:
 python-bottle - fast and simple WSGI-framework for Python
 python-bottle-doc - fast and simple WSGI-framework for Python - documentation
 python3-bottle - fast and simple WSGI-framework for Python3
Closes: 848392
Changes:
 python-bottle (0.12.7-1+deb8u1) jessie-security; urgency=high
 .
   * Fix header filtering: CVE-2016-9964 (Closes: #848392)
Checksums-Sha1:
 7605b6c5cd7e8d242b5a3bed282248a497b0996a 2390 python-bottle_0.12.7-1+deb8u1.dsc
 8df12c518b8978dfe803eb2f448ff68e3f6160ac 286656 python-bottle_0.12.7.orig.tar.gz
 b9b7883fe55e5aefffb9310e5ca5dcb823b1a792 7504 python-bottle_0.12.7-1+deb8u1.debian.tar.xz
 51bd791f7d1c8b79dfd1bec12c9b41626aafeeea 45992 python-bottle_0.12.7-1+deb8u1_all.deb
 e36d7dcb0bb659c493b25d0232dec222a20f94c6 46056 python3-bottle_0.12.7-1+deb8u1_all.deb
 e369dfb81054da4b9bbabb3f5235fed7ae53dd72 189514 python-bottle-doc_0.12.7-1+deb8u1_all.deb
Checksums-Sha256:
 dd89aa76f194251b32cf18426469be34f48eb039ca93732ec4a529eb8fdfe13b 2390 python-bottle_0.12.7-1+deb8u1.dsc
 4a16aaa6601e27f91f2d35d73929c7093fc475a31be63ea94a082c56ca8ebc76 286656 python-bottle_0.12.7.orig.tar.gz
 bcd3ceecb44bc0c8e8591af97922dc97952bb60b2161a56e2ebdf43d08d606ef 7504 python-bottle_0.12.7-1+deb8u1.debian.tar.xz
 58e54e851beabc14b1c9e8eccb7395e1eda9fc2dcfaee55880795d2b0e158a21 45992 python-bottle_0.12.7-1+deb8u1_all.deb
 957df51f60cff6d347d2229bf165421983cb7e93d185b5657140529d20edb851 46056 python3-bottle_0.12.7-1+deb8u1_all.deb
 0dd5ee17e48d5ee008377daa8a7c2c65b3cdfbec4e386ca5bbbf5a62d8458617 189514 python-bottle-doc_0.12.7-1+deb8u1_all.deb
Files:
 3b47edf6f34473534ac205cee365b27b 2390 python optional python-bottle_0.12.7-1+deb8u1.dsc
 bb2a4883adf4c5cd3dbd33a20b57480a 286656 python optional python-bottle_0.12.7.orig.tar.gz
 d5a8b1edb87fb138b3c9b581278f0910 7504 python optional python-bottle_0.12.7-1+deb8u1.debian.tar.xz
 f9c464e1c90f81f2dab46b825822e30d 45992 python optional python-bottle_0.12.7-1+deb8u1_all.deb
 399beb7d43b16f14b3b9c57269753d77 46056 python optional python3-bottle_0.12.7-1+deb8u1_all.deb
 2d3bb1b47b861f16fb4d7d1aa1a7129d 189514 doc optional python-bottle-doc_0.12.7-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Feb 2017 07:36:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:29:13 2019; Machine Name: buxtehude
