Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603096 (CVE-2016-9964) - <dev-python/bottle-0.12.12: redirect() doesn't filter "rn" which allows for CRLF attack (CVE-2016-9964)
Summary: <dev-python/bottle-0.12.12: redirect() doesn't filter "rn" which allows for C...
Alias: CVE-2016-9964
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Reported: 2016-12-19 13:40 UTC by Agostino Sarubbo
Modified: 2017-01-18 10:14 UTC (History)
1 user (show)

See Also:
Package list:
=dev-python/bottle-0.12.12 =dev-python/mako-1.0.0 hppa ppc64
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-12-19 13:40:24 UTC
From ${URL} :

It was found that redirect() in doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.

Upstream bug:

Upstream patch:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev 2017-01-08 23:57:32 UTC
@ Maintainer(s: Please bump to >=dev-python/bottle-0.12.11
Comment 2 Mike Gilbert gentoo-dev 2017-01-09 00:40:25 UTC

commit 95bde71ab7a933fccd4635ebdc6d09b6b223a758
Author: Mike Gilbert <>
Date:   Sun Jan 8 19:38:20 2017 -0500

    dev-python/bottle: bump to 0.12.12
    Package-Manager: Portage-2.3.3_p19, Repoman-2.3.1_p12

 dev-python/bottle/Manifest                                        | 1 +
 dev-python/bottle/{bottle-0.12.9.ebuild => bottle-0.12.12.ebuild} | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
Comment 3 Thomas Deutschmann gentoo-dev 2017-01-09 13:37:45 UTC
@ Arches,

please test and mark stable: =dev-python/bottle-0.12.12
Comment 4 Stabilization helper bot gentoo-dev 2017-01-10 05:48:27 UTC
An automated check of this bug failed - repoman reported dependency errors (5 lines truncated): 

> dependency.bad dev-python/bottle/bottle-0.12.12.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-python/mako[python_targets_python2_7(-)?,-python_single_target_python2_7(-),python_targets_python3_4(-)?,-python_single_target_python3_4(-),python_targets_python3_5(-)?,-python_single_target_python3_5(-)]']
> dependency.bad dev-python/bottle/bottle-0.12.12.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland) ['dev-python/mako[python_targets_python2_7(-)?,-python_single_target_python2_7(-),python_targets_python3_4(-)?,-python_single_target_python3_4(-),python_targets_python3_5(-)?,-python_single_target_python3_5(-)]']
> dependency.bad dev-python/bottle/bottle-0.12.12.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop) ['dev-python/mako[python_targets_python2_7(-)?,-python_single_target_python2_7(-),python_targets_python3_4(-)?,-python_single_target_python3_4(-),python_targets_python3_5(-)?,-python_single_target_python3_5(-)]']
Comment 5 Thomas Deutschmann gentoo-dev 2017-01-10 13:39:59 UTC
@ Arches,

hppa and ppc64 also need to stabilized missing required =dev-python/mako-1.0.0 package
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-11 16:17:46 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-13 15:43:40 UTC
x86 stable
Comment 8 Markus Meier gentoo-dev 2017-01-15 12:58:21 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 16:04:49 UTC
ppc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-15 20:34:32 UTC
Stable for HPPA.
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-16 08:48:57 UTC
Stable on alpha.
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-17 14:40:26 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-18 09:51:24 UTC
sparc stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-18 10:05:54 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 David Seifert gentoo-dev 2017-01-18 10:11:36 UTC
commit 1622c3d10b3d3e52fad66c27e2931ca8d97b157a
Author: David Seifert <>
Date:   Wed Jan 18 11:10:55 2017 +0100

    dev-python/bottle: Remove old vulnerable versions
    Gentoo-bug: 603096
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-18 10:14:29 UTC
GLSA Vote: No