Bug 134273 - dev-python/cherrypy: directory traversal vulnerability
Summary: dev-python/cherrypy: directory traversal vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [glsa]
Reported: 2006-05-24 16:56 UTC by Harlan Lieberman-Berg (RETIRED)
Modified: 2006-05-30 06:25 UTC
Description Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-05-24 16:56:33 UTC
This affects <=2.1.1.  Remote attackers can read arbitrary files by supplying '../' sequences.  Upstream has confirmed, and released patches and upgraded versions.
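As an added defensive illustration (not CherryPy's code and not taken from this bug), here is a Python check that maps a request path onto a document root and refuses anything, including percent-encoded '../' sequences, that resolves outside it. The `resolve_static_path` and `run_demo` names and the temporary document root are constructed for this example.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_static_path(root: str, request_path: str):
    """Map a URL path to a regular file under root, or return None.

    Anything that resolves outside root fails closed: plain or
    percent-encoded '..' segments, and symlinks pointing out of root.
    """
    root_real = os.path.realpath(root)
    decoded = unquote(request_path)
    if "\0" in decoded:
        return None  # NUL bytes never belong in a file path
    # Strip leading slashes so os.path.join cannot be overridden by an absolute path.
    relative = decoded.lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def run_demo():
    """Build a constructed document root in a temp dir and try a few requests."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    requests = [
        "/index.html",                # legitimate file under the root
        "/sub/../index.html",         # '..' that still stays inside the root
        "/../../../etc/passwd",       # classic traversal, escapes the root
        "/%2e%2e/%2e%2e/etc/passwd",  # percent-encoded traversal
        "//etc/passwd",               # absolute path smuggled via leading slashes
    ]
    # True means the request would be served, False means it was rejected.
    return {r: resolve_static_path(root, r) is not None for r in requests}


if __name__ == "__main__":
    for req, served in run_demo().items():
        print(f"{req:30} -> {'served' if served else 'rejected'}")
```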
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-25 10:39:02 UTC
x86, please mark at least version 2.1.1 stable, thank you
Comment 2 Sander Knopper 2006-05-25 10:54:52 UTC
on x86:

[ebuild  N    ] dev-python/cherrypy-2.1.1

Passes all tests and installs fine.

When running the HelloWorld example from the cherrypy website I didn't notice any problems. The output mentioned the server was running at port 8080 so I connected to the port with a browser and saw the webpage with the correct content.
Comment 3 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-25 12:29:34 UTC
x86 done... thanks Sander...
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-25 12:38:22 UTC
ready for glsa vote, tend to say no
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-05-26 04:00:10 UTC
I tend to vote yes
Comment 6 Wolf Giesen (RETIRED) gentoo-dev 2006-05-26 04:03:18 UTC
I vote yes since you might be able to reveal DB passwords and other stuff like that.
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-27 02:01:50 UTC
k, let's have a glsa
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-30 06:25:02 UTC
GLSA 200605-16

Thanks everybody