Bug 509350 (CVE-2014-3137) - <dev-python/bottle-{0.11.7,0.12.6}: JSON content-type not restrictive enough (CVE-2014-3137)
Alias: CVE-2014-3137
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Reported: 2014-05-02 07:56 UTC by Agostino Sarubbo
Modified: 2014-08-25 22:46 UTC (History)
Description Agostino Sarubbo gentoo-dev 2014-05-02 07:56:53 UTC
From ${URL} : and report an issue where 
Bottle treated "text/plain;application/json" as JSON, allowing security 
mechanisms to be bypassed.

From the upstream report, "For example Chrome will not allow 
cross-origin xmlhttprequests with the content type set to 
"application/json" but you can set it to "text/plain;application/json" 
instead and bottle will accept it."

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
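
The description above turns on how the Content-Type header is matched. As an added example (not Bottle's code and not part of the bug report), the Python below contrasts a lax match with a strict one; the function names and the substring test used for the lax case are assumptions, and the sample headers are constructed apart from the value quoted in the report.

```python
# Added example: lax versus strict matching of a JSON Content-Type header.
# The function names and the substring test are illustrative assumptions,
# not Bottle's source.

JSON_TYPE = "application/json"


def lax_is_json(content_type):
    """Lax check (assumed): accepts any header that merely mentions JSON."""
    return JSON_TYPE in (content_type or "").lower()


def strict_is_json(content_type):
    """Strict check: only the media type before the first ';' counts."""
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    return media_type == JSON_TYPE


# Constructed sample headers; the third is the value quoted in the report.
SAMPLES = [
    "application/json",
    "application/json; charset=utf-8",
    "text/plain;application/json",
    "text/plain",
    None,  # header absent
]


def compare(samples=SAMPLES):
    """Return (header, lax_result, strict_result) for each sample header."""
    return [(h, lax_is_json(h), strict_is_json(h)) for h in samples]


def mismatches(samples=SAMPLES):
    """Headers the lax check treats as JSON but the strict check rejects."""
    return [h for h, lax, strict in compare(samples) if lax and not strict]


if __name__ == "__main__":
    for header, lax, strict in compare():
        print(f"{header!r:40} lax={lax!s:5} strict={strict}")
    print("accepted only by the lax check:", mismatches())
```

The strict form still accepts parameters such as `charset` after the media type, so legitimate JSON clients are unaffected.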
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2014-06-06 14:49:25 UTC
CVE-2014-3137 assigned.
Comment 2 Dirkjan Ochtman (RETIRED) gentoo-dev 2014-06-06 15:48:07 UTC
I've added 0.11.7 and 0.12.6 to the tree, I'd like to have 0.11.7 stabilized.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-29 09:53:26 UTC
Thank you. 

Arches, please stabilize:

Targets: alpha amd64 arm ia64 ppc ppc64 sparc x86
Comment 4 Myckel Habets 2014-06-29 14:11:05 UTC
Builds fine on x86. Please mark stable for x86.
Comment 5 Agostino Sarubbo gentoo-dev 2014-07-04 19:32:44 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-07-05 11:24:37 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-07-05 11:33:27 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-07-05 12:39:47 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-07-05 12:51:38 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-07-05 12:54:37 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-07-05 12:56:17 UTC
sparc stable
Comment 12 Markus Meier gentoo-dev 2014-07-06 17:44:03 UTC
arm stable, all arches done!
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-07-09 10:31:46 UTC
Cleanup, please!

GLSA vote: no.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-07-10 05:48:39 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.

GLSA Vote: No
Comment 15 Chris Reffett (RETIRED) gentoo-dev Security 2014-08-25 22:46:04 UTC
Maintainer timeout, cleanup done, closing noglsa.