-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2531-1                [email protected]
https://www.debian.org/lts/security/                          Utkarsh Gupta
January 24, 2021                              https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : python-bottle
Version        : 0.12.13-1+deb9u1
CVE ID         : CVE-2020-28473

The package src:python-bottle before 0.12.19 is vulnerable to Web Cache
Poisoning by using a vector called parameter cloaking. When the attacker
can separate query parameters using a semicolon (;), they can cause a
difference in the interpretation of the request between the proxy
(running with default configuration) and the server. This can result in
malicious requests being cached as completely safe ones: the proxy would
usually not see the semicolon as a separator, so the injected parameter
stays hidden inside the value of an unkeyed parameter and never reaches
the cache key, while the server splits on the semicolon and acts on it.

For Debian 9 stretch, this problem has been fixed in version
0.12.13-1+deb9u1.

We recommend that you upgrade your python-bottle packages.

For the detailed security status of python-bottle please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-bottle

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmANtoUACgkQgj6WdgbD
S5YWeA//cGFSBMHf2GqnRWAeUuBWCEtQHxgukTCMig+W5VduyMzzHSw7X0I5IiO0
aFZU2DICGDo87u7f670Sl6AqcEjgZHsHW+jt3pCOErhjwIoFOSIpNzW2s2npCOrU
hjTrJm3TNVuOlNArh+ttaUFoF5D5WwkH9Rr4wXelkxrYAvvABXfcePhIVCN/oMld
qHnJ5IJuW/PRocAxCEJDs8t+glSgTwEHVj8y92K5joz1eZ0XaAoBgJ0ALPJbX7ay
aNnymGUk/crFZcyRYBtoeXthzLpmPD10kFX7SXAql/H/+d6uhzHYN1bPpd/x25G0
QHT4RXzXJNFGx9FFiXz1QvZtoKyx2ShOgZ2TW2htPwr/XQcLbjHYtlnKZ8kufv65
Oa6wE2xhH/o8opKoI6jtJSnCMYL1vwBRPTFSysR0WG2nry5wzpEAfE1+n5NODjCv
5cuPpAwuk7OM5p67lbfP0efEcSBWU446LYEOBWI4dVTcVv+kuTKlPbmbmzRMAOaH
zl11FJ4q50e9gcqyWO5Ln3fTbM7h0SAAFHnUz4tL/MG8JVbsG/UaOTiJ8uSuvUkQ
Zko+s8OmPYh3JHJ5dmM551VGtK4VRbueJ+EnQ+CeyRiGSlm66uvvE167I2DZOuMA
oI/S/kf7azc/Al+Pv2m3lRcr4WOuZpzyXKQCH3uG1w+fGiM6owI=
=bApF
-----END PGP SIGNATURE-----
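The parameter cloaking vector the advisory describes, as an added worked example (this is not Debian's or Bottle's own code; it simulates the two query parsers side by side rather than importing bottle). It assumes a front-end cache with the usual default of splitting the query on '&' only and treating utm_* tracking parameters as unkeyed, an origin that behaved like python-bottle before 0.12.19 (splitting on both '&' and ';'), and a fixed origin that splits on '&' only, which is the shape of the fix the advisory implies. The request strings, the path /search and the callback parameter name are constructed for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed requests used throughout: the cache keys /search on "q",
# treats utm_* tracking parameters as unkeyed, and the attacker hides a
# "callback" parameter behind a semicolon inside the unkeyed utm_content value.
ATTACK_QUERY = "q=python&utm_content=x;callback=evil"
BENIGN_QUERY = "q=python"


def parse_query(query, separators="&"):
    """Split a query string into (name, value) pairs on any of the given separator characters."""
    pairs = []
    for part in re.split("[" + re.escape(separators) + "]", query):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def proxy_cache_key(path, query, unkeyed_prefixes=("utm_",)):
    """Cache key as a proxy with default settings builds it (assumed model):
    '&' is the only separator and unkeyed tracking parameters are dropped."""
    keyed = [(n, v) for n, v in parse_query(query, "&")
             if not n.startswith(unkeyed_prefixes)]
    return path + "?" + "&".join(f"{n}={v}" for n, v in sorted(keyed))


def origin_params_vulnerable(query):
    """Parameters as an origin like Bottle before 0.12.19 saw them:
    ';' and '&' both separate pairs, so the cloaked parameter appears."""
    return dict(parse_query(query, "&;"))


def origin_params_fixed(query):
    """Parameters after the fix (assumed shape): only '&' separates pairs, so
    the proxy and the origin agree on what the request contains."""
    return dict(parse_query(query, "&"))


def cloaked_parameters(query):
    """Detection check: parameter names a ';'-splitting origin would see that a
    '&'-only proxy does not. A non-empty result means the request is cloaked."""
    proxy_names = {n for n, _ in parse_query(query, "&")}
    origin_names = {n for n, _ in parse_query(query, "&;")}
    return sorted(origin_names - proxy_names)


if __name__ == "__main__":
    # Both requests map to the same cache key, so whatever the vulnerable
    # origin returns for the attack request is served to benign visitors.
    print("proxy key, benign  :", proxy_cache_key("/search", BENIGN_QUERY))
    print("proxy key, attack  :", proxy_cache_key("/search", ATTACK_QUERY))
    print("origin (vulnerable):", origin_params_vulnerable(ATTACK_QUERY))
    print("origin (fixed)     :", origin_params_fixed(ATTACK_QUERY))
    print("cloaked parameters :", cloaked_parameters(ATTACK_QUERY))
```

The point to take from the output is that the cache key for the attack request is identical to the one for the benign request, while the pre-fix origin additionally sees callback=evil; after the fix the origin sees exactly what the proxy sees, with the semicolon left inside the utm_content value. The cloaked_parameters check is the kind of test to run on request logs at the edge when deciding whether an older python-bottle deployment behind a cache has been probed.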
