--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package python-bottle/0.12.15-2+deb10u1
- From: Utkarsh Gupta <utkarsh@debian.org>
- Date: Thu, 28 Jan 2021 20:38:19 +0530
- Message-id: <CAPP0f95yd3SR8DTs3JzMCM=sdMArhHT4_j13CRYE2J3_tQUZEQ@mail.gmail.com>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal
Hello,
python-bottle was affected by CVE-2020-28473, where the package was
vulnerable to Web Cache Poisoning by using a vector called parameter
cloaking.
This has been fixed in Sid, Bullseye, and Stretch (& Jessie).
Here's the debdiff for buster-pu:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<
diff -Nru python-bottle-0.12.15/debian/changelog
python-bottle-0.12.15/debian/changelog
--- python-bottle-0.12.15/debian/changelog 2019-03-27
05:13:08.000000000 +0530
+++ python-bottle-0.12.15/debian/changelog 2021-01-28
20:22:22.000000000 +0530
@@ -1,3 +1,10 @@
+python-bottle (0.12.15-2+deb10u1) buster; urgency=high
+
+ * Non-maintainer upload by the Security team.
+ * Do not split query strings on `;` anymore. (Fixes: CVE-2020-28473)
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Thu, 28 Jan 2021 20:22:22 +0530
+
python-bottle (0.12.15-2) unstable; urgency=medium
* Update tox dependency (Closes: #924836)
diff -Nru python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
--- python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
1970-01-01 05:30:00.000000000 +0530
+++ python-bottle-0.12.15/debian/patches/CVE-2020-28473.patch
2021-01-28 20:21:24.000000000 +0530
@@ -0,0 +1,25 @@
+From 57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp <marc@gsites.de>
+Date: Wed, 11 Nov 2020 19:24:29 +0100
+Subject: [PATCH] Do not split query strings on `;` anymore.
+
+Using `;` as a separator instead of `&` was allowed a long time ago,
+but is now obsolete and actually invalid according to the 2014 W3C
+recommendations. Even if this change is technically backwards-incompatible,
+no real-world application should depend on broken behavior. If you REALLY
+need this functionality, monkey-patch the _parse_qsl() function.
+---
+ bottle.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/bottle.py
++++ b/bottle.py
+@@ -2577,7 +2577,7 @@
+
+ def _parse_qsl(qs):
+ r = []
+- for pair in qs.replace(';','&').split('&'):
++ for pair in qs.split('&'):
+ if not pair: continue
+ nv = pair.split('=', 1)
+ if len(nv) != 2: nv.append('')
diff -Nru python-bottle-0.12.15/debian/patches/series
python-bottle-0.12.15/debian/patches/series
--- python-bottle-0.12.15/debian/patches/series 2019-03-27
05:13:08.000000000 +0530
+++ python-bottle-0.12.15/debian/patches/series 2021-01-28
20:21:33.000000000 +0530
@@ -1,2 +1,3 @@
0001-Remove-bottle.py-from-scripts.patch
0002-Add-CLI-manpage.patch
+CVE-2020-28473.patch
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<
- u
---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---