[Secure-testing-team] Bug#848392: python-bottle: CVE-2016-9964: redirect() doesn't filter "\r\n" which allows for CRLF attack
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 17 06:36:00 UTC 2016
Source: python-bottle
Version: 0.12.7-1
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/bottlepy/bottle/issues/913
[apologies if this arrives doubled, will merge the two in case yes]
Hi,
the following vulnerability was published for python-bottle.
CVE-2016-9964[0]:
redirect() doesn't filter "\r\n" which allows for CRLF attack
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9964
[1] https://github.com/bottlepy/bottle/issues/913
[2] https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list