[Buildroot] [PATCH] package/python-bottle: security bump to version 0.12.19

Peter Korsgaard peter at korsgaard.com
Thu Feb 4 17:10:38 UTC 2021


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issue:
 > CVE-2020-28473: The package bottle from 0 and before 0.12.19 is vulnerable
 > to Web Cache Poisoning by using a vector called parameter cloaking.  When
 > the attacker can separate query parameters using a semicolon (;), they can
 > cause a difference in the interpretation of the request between the proxy
 > (running with default configuration) and the server.  This can result in
 > malicious requests being cached as completely safe ones, as the proxy would
 > usually not see the semicolon as a separator, and therefore would not
 > include it in a cache key of an unkeyed parameter.

 > In addition, bottle 0.12.18 fixed a compatibility issue with python 3.8+:

 > https://github.com/bottlepy/bottle/issues/1181

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
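
The parsing difference described in the CVE text above, as an added example that is not part of the original mail or of bottle's code: it parses the same query string the way an `&`-only proxy would and the way a server that also splits on `;` would, then flags requests where the two views disagree. The function names, the keyed-parameter set, the sample query strings and the last-value-wins lookup are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

def parse_pairs(query, separators):
    """Split a query string on the given separator characters into (key, value) pairs."""
    pairs = []
    for field in re.split("[" + re.escape(separators) + "]", query):
        if not field:
            continue
        key, _, value = field.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def proxy_view(query):
    # Assumption: the caching proxy treats only '&' as a separator.
    return parse_pairs(query, "&")

def legacy_server_view(query):
    # Behaviour the advisory describes for the affected versions: ';' also separates.
    return parse_pairs(query, "&;")

def cache_key(path, query, keyed_params):
    """Cache key as the proxy would build it: only keyed parameters are included."""
    kept = sorted((k, v) for k, v in proxy_view(query) if k in keyed_params)
    return (path, tuple(kept))

def effective_params(pairs):
    # Assumption: the application reads the last value given for a repeated key.
    return dict(pairs)

def interpretations_diverge(query):
    """True when proxy and server disagree; such requests should be rejected or normalised."""
    return proxy_view(query) != legacy_server_view(query)

# Constructed sample query strings (not taken from the advisory).
BENIGN = "page=1&utm_content=x"
CLOAKED = "page=1&utm_content=x;page=2"
KEYED = {"page"}  # hypothetical: the cache treats utm_content as unkeyed

if __name__ == "__main__":
    for q in (BENIGN, CLOAKED):
        print(q, cache_key("/list", q, KEYED),
              effective_params(legacy_server_view(q)), interpretations_diverge(q))
```

Both sample requests produce the same cache key while the server-side view of `page` differs, which is the mismatch the version bump removes; a check like `interpretations_diverge` can be applied at the proxy or in middleware while an upgrade is pending.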