Bug 30532

Summary: python-bottle new security issue CVE-2022-31799
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-bottle-0.12.19-4.mga9.src.rpm CVE:
Status comment:
Attachments: testfile for python-bottle

Description David Walser 2022-06-09 22:40:16 CEST 
Debian-LTS has issued an advisory today (June 9):
https://www.debian.org/lts/security/2022/dla-3048

The issue is fixed upstream in 0.12.20.

Mageia 8 is also affected.
David Walser 2022-06-09 22:40:27 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.12.20

Comment 1 David Walser 2022-06-10 17:15:23 CEST 
Debian has issued an advisory for this on June 9:
https://www.debian.org/security/2022/dsa-5159
Comment 2 papoteur 2022-06-20 09:49:56 CEST 
New release 0.12.20 is now built.

python3-bottle-0.12.20-1.mga8.noarch.rpm

Source:
python-bottle-0.12.20-1.mga8.src.rpm

CC: (none) => yves.brungard_mageia
Assignee: python => qa-bugs

papoteur 2022-06-20 09:50:08 CEST

Status comment: Fixed upstream in 0.12.20 => (none)

papoteur 2022-06-20 12:17:49 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 David Walser 2022-06-22 17:39:16 CEST 
Fedora has issued an advisory for this today (June 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KTLOQGMDZEPIYTFC2G53OQV2ULCGYS3F/

Severity: normal => major

Comment 4 Herman Viaene 2022-06-23 15:07:41 CEST 
Created attachment 13311 [details]
testfile for python-bottle

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2022-06-23 15:11:56 CEST 
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Run the scriptfile both with python and python3.
$ python bottlescript.py 
Bottle v0.12.20 server starting up (using WSGIRefServer())...
Listening on http://localhost:8080/
Hit Ctrl-C to quit.
and 
$ python3 bottlescript.py 
Bottle v0.12.20 server starting up (using WSGIRefServer())...
Listening on http://localhost:8080/
Hit Ctrl-C to quit.

In both cases point the browser to http://localhost:8080/hello and the the greeting.
Looks OK.

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-06-24 21:38:20 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-06-30 20:43:09 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-06-30 23:32:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0245.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED