Your message dated Fri, 23 Dec 2016 18:32:11 +0000
with message-id <[email protected]>
and subject line Bug#848392: fixed in python-bottle 0.12.7-1+deb8u1
has caused the Debian Bug report #848392,
regarding python-bottle: CVE-2016-9964: redirect() doesn't filter "\r\n" which
allows for CRLF attack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
848392: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848392
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-bottle
Version: 0.12.7-1
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/bottlepy/bottle/issues/913
[apologies if this arrives doubled, will merge the two in case yes]
Hi,
the following vulnerability was published for python-bottle.
CVE-2016-9964[0]:
redirect() doesn't filter "\r\n" which allows for CRLF attack
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9964
[1] https://github.com/bottlepy/bottle/issues/913
[2]
https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-bottle
Source-Version: 0.12.7-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
python-bottle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Federico Ceratto <[email protected]> (supplier of updated python-bottle
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 18 Dec 2016 13:03:44 +0000
Source: python-bottle
Binary: python-bottle python3-bottle python-bottle-doc
Architecture: source all
Version: 0.12.7-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: David Paleino <[email protected]>
Changed-By: Federico Ceratto <[email protected]>
Description:
python-bottle - fast and simple WSGI-framework for Python
python-bottle-doc - fast and simple WSGI-framework for Python - documentation
python3-bottle - fast and simple WSGI-framework for Python3
Closes: 848392
Changes:
python-bottle (0.12.7-1+deb8u1) jessie-security; urgency=high
.
* Fix header filtering: CVE-2016-9964 (Closes: #848392)
Checksums-Sha1:
7605b6c5cd7e8d242b5a3bed282248a497b0996a 2390 python-bottle_0.12.7-1+deb8u1.dsc
8df12c518b8978dfe803eb2f448ff68e3f6160ac 286656
python-bottle_0.12.7.orig.tar.gz
b9b7883fe55e5aefffb9310e5ca5dcb823b1a792 7504
python-bottle_0.12.7-1+deb8u1.debian.tar.xz
51bd791f7d1c8b79dfd1bec12c9b41626aafeeea 45992
python-bottle_0.12.7-1+deb8u1_all.deb
e36d7dcb0bb659c493b25d0232dec222a20f94c6 46056
python3-bottle_0.12.7-1+deb8u1_all.deb
e369dfb81054da4b9bbabb3f5235fed7ae53dd72 189514
python-bottle-doc_0.12.7-1+deb8u1_all.deb
Checksums-Sha256:
dd89aa76f194251b32cf18426469be34f48eb039ca93732ec4a529eb8fdfe13b 2390
python-bottle_0.12.7-1+deb8u1.dsc
4a16aaa6601e27f91f2d35d73929c7093fc475a31be63ea94a082c56ca8ebc76 286656
python-bottle_0.12.7.orig.tar.gz
bcd3ceecb44bc0c8e8591af97922dc97952bb60b2161a56e2ebdf43d08d606ef 7504
python-bottle_0.12.7-1+deb8u1.debian.tar.xz
58e54e851beabc14b1c9e8eccb7395e1eda9fc2dcfaee55880795d2b0e158a21 45992
python-bottle_0.12.7-1+deb8u1_all.deb
957df51f60cff6d347d2229bf165421983cb7e93d185b5657140529d20edb851 46056
python3-bottle_0.12.7-1+deb8u1_all.deb
0dd5ee17e48d5ee008377daa8a7c2c65b3cdfbec4e386ca5bbbf5a62d8458617 189514
python-bottle-doc_0.12.7-1+deb8u1_all.deb
Files:
3b47edf6f34473534ac205cee365b27b 2390 python optional
python-bottle_0.12.7-1+deb8u1.dsc
bb2a4883adf4c5cd3dbd33a20b57480a 286656 python optional
python-bottle_0.12.7.orig.tar.gz
d5a8b1edb87fb138b3c9b581278f0910 7504 python optional
python-bottle_0.12.7-1+deb8u1.debian.tar.xz
f9c464e1c90f81f2dab46b825822e30d 45992 python optional
python-bottle_0.12.7-1+deb8u1_all.deb
399beb7d43b16f14b3b9c57269753d77 46056 python optional
python3-bottle_0.12.7-1+deb8u1_all.deb
2d3bb1b47b861f16fb4d7d1aa1a7129d 189514 doc optional
python-bottle-doc_0.12.7-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfKfd+zM5IUCMbyuWbzG8RPUXfaoFAlhYDZYACgkQbzG8RPUX
fariLg//eokMcq0fQ09EjkuH1FLuYW2JLg6U8SN5C2jiXZ4oykdiXx6Rjn02T/tq
Ul6olgPJFjiOFd6olFvh3yMZouycatjU5WbdqkSVhVuqFPCugeAyD2+dKY4ZKDTV
nFzXzre33ICeDzDJpo7rIEN7IyqbHI1xk2mqZyQh9N9Ue4MkknXWF2H7UrZjhSkG
eTGKDcNIe0Dv9r/HpruSk+Kbbdd4CMOzexYxpOID4ZuIGRh+NqDUo2Q6LrT/Mx4A
oECYHxLu8fZkyJPHJZg0iKyooi3YQkhtR73parLSTyeIE1KEwPQwnmWNh7kbA6cX
YkLitD0mXbOCkjzleKI4ryiVCFmUFkzlGDKyklg/4Qk9UttUqHrbu2iXKiS+cRLZ
RVDyfXF/cu4xnxjOqnvZJIKGNnnW/+4o4I0rC6wKftHlPYxRkubhRiKYYEYapYnt
iinLnelWtPDisVV26YI1zDf7y7V7a/zUDuhjuBTaZHGaDYl13Am5soW7+rgbg76P
SfhABlzI8nBkG8l1fRo6EpcX5ghP1DTp3jikh4QDucX3iLn0dyXup4n8vNGfa5xs
cAvwwC98P5AtmLH3BSxk6MfoEEdf50yiOWjmJvYgevlDimOQNrFxoagoTxbCh40J
mxIgKakLsXGjeo7MV+DRkuJHNCzP+zTN03fR5BHVNmUzN9Js920=
=bCbM
-----END PGP SIGNATURE-----
--- End Message ---