Bug 28219

Summary: python-bottle new security issue CVE-2020-28473
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-bottle-0.12.18-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-01-26 05:38:00 CET 
Debian-LTS has issued an advisory today (January 25):
https://www.debian.org/lts/security/2021/dla-2531

The issue is fixed upstream in 0.12.19.

Mageia 7 is also affected.
David Walser 2021-01-26 05:38:15 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.12.19

Comment 1 Aurelien Oudelet 2021-01-26 10:40:39 CET 
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => makowski.mageia

Comment 2 Nicolas Lécureuil 2021-01-26 11:48:48 CET 
freeze push asked

CC: (none) => mageia

Comment 3 Nicolas Lécureuil 2021-01-26 12:38:44 CET 
fixed in cauldron/mga8

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 4 David Walser 2021-01-26 16:33:49 CET 
Fixed in python-bottle-0.12.19-1.mga8.
Comment 5 Nicolas Lécureuil 2021-03-04 18:40:34 CET 
fixed in mga7

src:
    - python-bottle-0.12.16-1.1.mga7

Status comment: Fixed upstream in 0.12.19 => (none)
Assignee: makowski.mageia => qa-bugs

Comment 6 David Walser 2021-03-04 22:30:16 CET 
RPMs:
python-bottle-0.12.16-1.1.mga7
python3-bottle-0.12.16-1.1.mga7
Comment 7 David Walser 2021-03-05 00:47:46 CET 
Advisory:
========================

Updated python-bottle packages fix security vulnerability:

python-bottle before 0.12.19 is vulnerable to Web Cache Poisoning by using a
vector called parameter cloaking. When the attacker can separate query
parameters using a semicolon (;), they can cause a difference in the
interpretation of the request between the proxy (running with default
configuration) and the server. This can result in malicious requests being
cached as completely safe ones, as the proxy would usually not see the
semicolon as a separator, and therefore would not include it in a cache key of
an unkeyed parameter (CVE-2020-28473).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28473
https://www.debian.org/lts/security/2021/dla-2531
Comment 8 Herman Viaene 2021-04-02 13:54:24 CEST 
MGA7-64 MATE on Peaq C1011
No installation issues.
Ref bug20004 Comment 5
Run the test wit both python and python3 and got the results as described, so OK for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2021-04-02 17:06:10 CEST 
Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-04-02 21:23:31 CEST

Keywords: (none) => advisory

Comment 10 Mageia Robot 2021-04-02 22:26:39 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0171.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED