Gentoo Bug 134273 - dev-python/cherrypy: directory transversal vulnerability

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bug#:	134273
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Harlan Lieberman-Berg (RETIRED) <hlieberman@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 134273 depends on:			Show dependency tree
Bug 134273 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2006-05-24 16:56 0000

This affects <=2.1.1.  Remote attackers can read arbitrary files by supplying
'../' sequences.  Upstream has confirmed, and released patches and upgraded
versions.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-05-25 10:39:02 0000 -------

x86, please mark at least version 2.1.1 stable, thank you

------- Comment #2 From Sander Knopper 2006-05-25 10:54:52 0000 -------

on x86:

[ebuild  N    ] dev-python/cherrypy-2.1.1

Passes all tests and installs fine.

When running the HelloWorld example from the cherrypy website I didn't notice
any problems. The output mentioned the server was running at port 8080 so I
connected to the port with a browser and saw the webpage with the correct
content.

------- Comment #3 From Chris Gianelloni (RETIRED) 2006-05-25 12:29:34 0000 -------

x86 done... thanks Sander...

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-05-25 12:38:22 0000 -------

ready for glsa vote, tend to say no

------- Comment #5 From Thierry Carrez (RETIRED) 2006-05-26 04:00:10 0000 -------

I tend to vote yes

------- Comment #6 From Wolf Giesen (RETIRED) 2006-05-26 04:03:18 0000 -------

I vote yes since you might be able to reveal DB passwords and other stuff like
that.

------- Comment #7 From Stefan Cornelius (RETIRED) 2006-05-27 02:01:50 0000 -------

k, lets have a glsa

------- Comment #8 From Stefan Cornelius (RETIRED) 2006-05-30 06:25:02 0000 -------

GLSA 200605-16

Thanks everybody

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bugzilla Bug 134273

dev-python/cherrypy: directory transversal vulnerability

Last modified: 2006-05-30 06:25:02 0000