CVE-2016-9964

NameCVE-2016-9964
Descriptionredirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-761-1, DSA-3743-1
Debian Bugs848392

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-bottle (PTS)buster, buster (security)0.12.15-2+deb10u2fixed
bullseye (security), bullseye0.12.19-1+deb11u1fixed
bookworm0.12.23-1.1fixed
sid, trixie0.12.25-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-bottlesourcewheezy0.10.11-1+deb7u2DLA-761-1
python-bottlesourcejessie0.12.7-1+deb8u1DSA-3743-1
python-bottlesource(unstable)0.12.11-1848392

Notes

Upstream bug: https://github.com/bottlepy/bottle/issues/913
Upstream patch: https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54
Search for package or bug name: Reporting problems