This affects <=2.1.1. Remote attackers can read arbitrary files by supplying '../' sequences. Upstream has confirmed and released patches and upgraded versions.
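The traversal the report describes, as an added example that is not CherryPy's own code: a minimal static-file resolver in the vulnerable shape (the decoded request path is joined straight onto the document root, so '../' segments climb out of it) next to a hardened one that canonicalises with os.path.realpath and refuses any result that does not stay beneath the root. The names resolve_vulnerable, resolve_safe, serve, build_sandbox and demo, and the sandbox files they create, are constructed for this illustration.

```python
import os
import tempfile
import urllib.parse


def resolve_vulnerable(root, request_path):
    """Vulnerable shape: percent-decode (as a web server does) and join.
    '../' segments in the request are honoured by the OS, so a request
    for /../secret.txt opens a file outside root."""
    decoded = urllib.parse.unquote(request_path)
    return os.path.join(root, decoded.lstrip("/"))


def resolve_safe(root, request_path):
    """Hardened shape: decode, canonicalise both sides, then require the
    candidate to be the root itself or strictly beneath root + os.sep.
    Returns None for anything that escapes."""
    decoded = urllib.parse.unquote(request_path)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        return None
    return candidate


def serve(resolver, root, request_path):
    """Return file bytes for the resolved path, or None if refused/absent."""
    path = resolver(root, request_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def build_sandbox():
    """Constructed layout: <base>/static is the web root, <base>/secret.txt
    sits one level above it (standing in for a config with DB credentials)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "static")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"db_password=hunter2")
    return root


def demo():
    """Run the same three requests through both resolvers."""
    root = build_sandbox()
    requests = {
        "index": "/index.html",            # legitimate file under root
        "traversal": "/../secret.txt",      # plain '../' escape
        "encoded": "/%2e%2e/secret.txt",    # same escape, percent-encoded
    }
    results = {}
    for name, resolver in (("vulnerable", resolve_vulnerable), ("safe", resolve_safe)):
        results[name] = {label: serve(resolver, root, path) for label, path in requests.items()}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        for label, body in outcome.items():
            print(f"{name:10s} {label:9s} -> {body!r}")
```

The vulnerable resolver hands back the secret for both the plain and the percent-encoded '../' request, while the hardened one still serves index.html and returns None for the escapes. Decoding before the check matters: a prefix test on the raw, still-encoded path would pass '%2e%2e' through untouched.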
x86, please mark at least version 2.1.1 stable, thank you
On x86: [ebuild N ] dev-python/cherrypy-2.1.1 passes all tests and installs fine. When running the HelloWorld example from the CherryPy website, I didn't notice any problems. The output mentioned the server was running on port 8080, so I connected to the port with a browser and saw the web page with the correct content.
x86 done... thanks Sander...
Ready for GLSA vote; tend to say no.
I tend to vote yes
I vote yes since you might be able to reveal DB passwords and other stuff like that.
OK, let's have a GLSA.
GLSA 200605-16. Thanks everybody.