CVE-2016-9964

NameCVE-2016-9964
Descriptionredirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-761-1, DSA-3743-1
NVD severitymedium (attack range: remote)
Debian Bugs848392

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-bottle (PTS)wheezy0.10.11-1+deb7u1vulnerable
wheezy (security)0.10.11-1+deb7u3fixed
jessie (security), jessie0.12.7-1+deb8u2fixed
buster, sid, stretch0.12.13-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-bottlesource(unstable)0.12.11-1medium848392
python-bottlesourcejessie0.12.7-1+deb8u1mediumDSA-3743-1
python-bottlesourcewheezy0.10.11-1+deb7u2mediumDLA-761-1

Notes

Upstream bug: https://github.com/bottlepy/bottle/issues/913
Upstream patch: https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54

Search for package or bug name: Reporting problems