Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: buster Severity: normal
Hello, python-bottle was affected by CVE-2020-28473, where the package was vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. This has been fixed in Sid, Bullseye, and Stretch (& Jessie). Here's the debdiff for buster-pu: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8< diff -Nru python-bottle-0.12.15/debian/changelog python-bottle-0.12.15/debian/changelog --- python-bottle-0.12.15/debian/changelog 2019-03-27 05:13:08.000000000 +0530 +++ python-bottle-0.12.15/debian/changelog 2021-01-28 20:22:22.000000000 +0530 @@ -1,3 +1,10 @@ +python-bottle (0.12.15-2+deb10u1) buster; urgency=high + + * Non-maintainer upload by the Security team. + * Do not split query strings on `;` anymore. (Fixes: CVE-2020-28473) + + -- Utkarsh Gupta <utka...@debian.org> Thu, 28 Jan 2021 20:22:22 +0530 + python-bottle (0.12.15-2) unstable; urgency=medium * Update tox dependency (Closes: #924836) diff -Nru python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch --- python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch 1970-01-01 05:30:00.000000000 +0530 +++ python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch 2021-01-28 20:21:24.000000000 +0530 
@@ -0,0 +1,25 @@ +From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001 +From: Marcel Hellkamp <m...@gsites.de> +Date: Wed, 11 Nov 2020 19:24:29 +0100 +Subject: [PATCH] Do not split query strings on `;` anymore. + +Using `;` as a separator instead of `&` was allowed a long time ago, +but is now obsolete and actually invalid according to the 2014 W3C +recommendations. Even if this change is technically backwards-incompatible, +no real-world application should depend on broken behavior. If you REALLY +need this functionality, monkey-patch the _parse_qsl() function. +--- + bottle.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/bottle.py ++++ b/bottle.py +@@ -2577,7 +2577,7 @@ + + def _parse_qsl(qs): + r = [] +- for pair in qs.replace(';','&').split('&'): ++ for pair in qs.split('&'): + if not pair: continue + nv = pair.split('=', 1) + if len(nv) != 2: nv.append('') diff -Nru python-bottle-0.12.15/debian/patches/series python-bottle-0.12.15/debian/patches/series --- python-bottle-0.12.15/debian/patches/series 2019-03-27 05:13:08.000000000 +0530 +++ python-bottle-0.12.15/debian/patches/series 2021-01-28 20:21:33.000000000 +0530 @@ -1,2 +1,3 @@ 0001-Remove-bottle.py-from-scripts.patch 0002-Add-CLI-manpage.patch +CVE-2020-28473.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8< - u --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
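Review bot: the changelog entry references the CVE but no BTS bug; if a Debian bug was filed for CVE-2020-28473 against python-bottle, add a "(Closes: #NNNNNN)" to the "Do not split query strings on `;` anymore." line so the tracker and the package changelog stay linked.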
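Review bot: CVE-2020-28473.patch carries only the git format-patch headers; a DEP-3 "Origin:" line pointing at upstream commit 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b and a "Bug:" / "Bug-Debian:" line would make the provenance of the backport explicit, and the "@@ -2577,7 +2577,7 @@" hunk is taken from upstream master, so please confirm it applies to 0.12.15's bottle.py without fuzz. The diffstat shows the change touches bottle.py only, with no accompanying test; a build-time check that "a=1;b=2" now yields a single key "a" with value "1;b=2" (and that "a=1&b=2" still yields two keys) would guard the backport against regressions.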
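Review bot: the series file's existing patches are numbered ("0001-Remove-bottle.py-from-scripts.patch", "0002-Add-CLI-manpage.patch") while the new entry is an unnumbered "CVE-2020-28473.patch"; for consistency with the package's own convention, consider naming it "0003-CVE-2020-28473.patch" and updating the series line to match.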
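To make the effect of the one-line change concrete, here is an added example that is not part of the bug report or of the Bottle project's own code. It reproduces the pre-patch and post-patch separator rule of Bottle 0.12's _parse_qsl side by side (the key/value unquoting lines are reconstructed from Bottle 0.12 rather than shown in the hunk, so treat them as an assumption), and adds a small hypothetical helper, find_ambiguous_queries(), that a defender can run over access-log request lines to find query strings the two parsers interpret differently. The log lines are constructed for the example.

```python
from urllib.parse import unquote


def _pairs(qs, split_on_semicolon):
    """Shared body of Bottle 0.12's _parse_qsl; only the separator rule differs.

    The unquote/'+' handling below is reconstructed from Bottle 0.12 (assumption):
    the hunk in the debdiff shows only the first lines of the function.
    """
    if split_on_semicolon:
        qs = qs.replace(';', '&')          # pre-patch: ';' treated like '&'
    r = []
    for pair in qs.split('&'):
        if not pair:
            continue
        nv = pair.split('=', 1)
        if len(nv) != 2:
            nv.append('')
        key = unquote(nv[0].replace('+', ' '))
        value = unquote(nv[1].replace('+', ' '))
        r.append((key, value))
    return r


def parse_qsl_before(qs):
    """Behaviour before CVE-2020-28473.patch: both ';' and '&' separate pairs."""
    return _pairs(qs, split_on_semicolon=True)


def parse_qsl_after(qs):
    """Behaviour after the patch: only '&' separates pairs."""
    return _pairs(qs, split_on_semicolon=False)


def views_disagree(qs):
    """True when the two separator rules yield different parameter lists.

    A front-end cache that keys on '&'-only parsing and a back-end that also
    split on ';' would see different parameters for such a query string; the
    patch removes that disagreement on the Bottle side.
    """
    return parse_qsl_before(qs) != parse_qsl_after(qs)


def query_of(request_line):
    """Extract the raw query string from an HTTP request line (hypothetical helper)."""
    parts = request_line.split(' ')
    if len(parts) < 2 or '?' not in parts[1]:
        return ''
    return parts[1].split('?', 1)[1]


def find_ambiguous_queries(log_lines):
    """Return the query strings in the given request lines that are parsed differently
    by the pre-patch and post-patch rules; useful when reviewing logs of an unpatched host."""
    return [query_of(line) for line in log_lines if views_disagree(query_of(line))]


# Constructed sample request lines (not taken from the bug report).
SAMPLE_LOG = [
    'GET /static/app.js HTTP/1.1',
    'GET /page?id=7&lang=en HTTP/1.1',
    'GET /page?id=7;lang=en HTTP/1.1',
    'GET /page?note=a%3Bb HTTP/1.1',    # percent-encoded ';' is data, not a separator
]

if __name__ == '__main__':
    for qs in find_ambiguous_queries(SAMPLE_LOG):
        print(qs, parse_qsl_before(qs), parse_qsl_after(qs))
```

Only the third line is reported: before the patch "id=7;lang=en" parsed as two parameters, after it as a single "id" whose value is "7;lang=en", matching the "a=1&b=2"-only rule the commit message describes. A percent-encoded ";" is unaffected by either rule, which is why the fourth line is not flagged.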