[Buildroot] [PATCH] package/python-bottle: security bump to version 0.12.19
Peter Korsgaard
peter at korsgaard.com
Thu Feb 4 17:10:38 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issue:
> CVE-2020-28473: The package bottle from 0 and before 0.12.19 are vulnerable
> to Web Cache Poisoning by using a vector called parameter cloaking. When
> the attacker can separate query parameters using a semicolon (;), they can
> cause a difference in the interpretation of the request between the proxy
> (running with default configuration) and the server. This can result in
> malicious requests being cached as completely safe ones, as the proxy would
> usually not see the semicolon as a separator, and therefore would not
> include it in a cache key of an unkeyed parameter.
> In addition, bottle 0.12.18 fixed a compatibility issue with python 3.8+:
> https://github.com/bottlepy/bottle/issues/1181
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
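
The parser disagreement described in the CVE text above, as an added example that is not part of the original message and is not code from bottle or Buildroot. The parser is a simplified stand-in; the path, the parameter names, the sample query string and the "last value wins" rule are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus


def parse_query(qs, separators):
    """Split qs on any character in `separators`.

    Assumption for this example: the last value wins for a repeated name.
    """
    params = {}
    for field in re.split("[" + re.escape(separators) + "]", qs):
        if not field:
            continue
        name, _, value = field.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def cache_key(path, qs, unkeyed):
    """Cache key as a proxy that splits on '&' only would build it,
    leaving the unkeyed parameters out."""
    seen = parse_query(qs, "&")
    keyed = sorted((k, v) for k, v in seen.items() if k not in unkeyed)
    return path + "?" + "&".join(f"{k}={v}" for k, v in keyed)


def interpretation_diff(qs):
    """Parameters whose value differs between '&'-only parsing (proxy view)
    and '&' or ';' parsing (server view). Empty dict means both agree."""
    proxy = parse_query(qs, "&")
    server = parse_query(qs, "&;")
    return {
        name: (proxy.get(name), server.get(name))
        for name in proxy.keys() | server.keys()
        if proxy.get(name) != server.get(name)
    }


# Constructed sample inputs (not taken from any real traffic).
UNKEYED = {"utm_content"}
PLAIN = "item=1&utm_content=a"
CLOAKED = "item=1&utm_content=a;item=2"

if __name__ == "__main__":
    for qs in (PLAIN, CLOAKED):
        print(qs, "->", cache_key("/view", qs, UNKEYED), interpretation_diff(qs))
```

Both sample requests get the same cache key, but only the second one makes the two parsers disagree about `item`, which is the condition a request filter or a log check can flag.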