From ${URL} :

It was found that redirect() in bottle.py doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.

Upstream bug: https://github.com/bottlepy/bottle/issues/913
Upstream patch: https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
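The header-injection mechanism behind the report, as an added example (this is not bottle's code and not the upstream patch). It uses a deliberately minimal stand-in for a WSGI server's response writer and a client's header parser, both assumptions for illustration only, to show what a client sees when the redirect target is copied verbatim into Location, and the control-character check that turns the same call into an error instead.

```python
"""Added example: CRLF injection through an unfiltered redirect target.

serialize_response/parse_response are minimal stand-ins (assumptions) for a
server's response writer and a client's header parser; _hval is modeled on
the idea of rejecting control characters in header values and is not a copy
of bottle's implementation.
"""

CONTROL_CHARS = ("\r", "\n", "\0")


def _hval(value):
    """Reject a header value that contains CR, LF or NUL (assumed check)."""
    if any(c in value for c in CONTROL_CHARS):
        raise ValueError(
            "Header value must not contain control characters: %r" % value)
    return value


def redirect_headers_unfiltered(url, code=303):
    """Vulnerable behaviour: the target goes into Location unchanged."""
    return code, [("Location", url)]


def redirect_headers_hardened(url, code=303):
    """Hardened behaviour: the value is validated before it becomes a header."""
    return code, [("Location", _hval(url))]


def serialize_response(status, headers):
    """Flatten the status line and headers the way they go on the wire."""
    lines = ["HTTP/1.1 %d Redirect" % status]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_response(raw):
    """What a client sees: one header per CRLF-delimited line before the body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status_line, headers, body


def client_view(builder, url):
    """Run a redirect target through a builder and return the parsed headers."""
    status, headers = builder(url)
    return parse_response(serialize_response(status, headers))[1]


if __name__ == "__main__":
    # Constructed payload, taken from the report above.
    payload = "233\r\nSet-Cookie: name=salt"
    print(client_view(redirect_headers_unfiltered, payload))
    # The client parses an attacker-controlled Set-Cookie header alongside Location.
    try:
        client_view(redirect_headers_hardened, payload)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting the value is the right fix here rather than percent-encoding it silently: a redirect target that contains raw CR or LF is never legitimate, and failing loudly surfaces the injection attempt in application logs instead of hiding it.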
@ Maintainer(s): Please bump to >=dev-python/bottle-0.12.11
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95bde71ab7a933fccd4635ebdc6d09b6b223a758

commit 95bde71ab7a933fccd4635ebdc6d09b6b223a758
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Sun Jan 8 19:38:20 2017 -0500

    dev-python/bottle: bump to 0.12.12

    Package-Manager: Portage-2.3.3_p19, Repoman-2.3.1_p12

 dev-python/bottle/Manifest                                        | 1 +
 dev-python/bottle/{bottle-0.12.9.ebuild => bottle-0.12.12.ebuild} | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
@ Arches, please test and mark stable: =dev-python/bottle-0.12.12
An automated check of this bug failed - repoman reported dependency errors (5 lines truncated):

> dependency.bad dev-python/bottle/bottle-0.12.12.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-python/mako[python_targets_python2_7(-)?,-python_single_target_python2_7(-),python_targets_python3_4(-)?,-python_single_target_python3_4(-),python_targets_python3_5(-)?,-python_single_target_python3_5(-)]']
> dependency.bad dev-python/bottle/bottle-0.12.12.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['dev-python/mako[python_targets_python2_7(-)?,-python_single_target_python2_7(-),python_targets_python3_4(-)?,-python_single_target_python3_4(-),python_targets_python3_5(-)?,-python_single_target_python3_5(-)]']
> dependency.bad dev-python/bottle/bottle-0.12.12.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['dev-python/mako[python_targets_python2_7(-)?,-python_single_target_python2_7(-),python_targets_python3_4(-)?,-python_single_target_python3_4(-),python_targets_python3_5(-)?,-python_single_target_python3_5(-)]']
@ Arches, hppa and ppc64 also need to stabilize the missing required =dev-python/mako-1.0.0 package
amd64 stable
x86 stable
arm stable
ppc stable
Stable for HPPA.
Stable on alpha.
ia64 stable
sparc stable
ppc64 stable. Maintainer(s), please clean up. Security, please vote.
commit 1622c3d10b3d3e52fad66c27e2931ca8d97b157a
Author: David Seifert <soap@gentoo.org>
Date:   Wed Jan 18 11:10:55 2017 +0100

    dev-python/bottle: Remove old vulnerable versions

    Gentoo-bug: 603096
GLSA Vote: No