Candidate: CVE-2016-9964
PublicDate: 2016-12-16 09:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9964
Description:
 redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence,
 which leads to a CRLF attack, as demonstrated by a
 redirect("233\r\nSet-Cookie: name=salt") call.
Ubuntu-Description:
 It was discovered that Bottle improperly handles headers. An attacker could
 possibly exploit this as a CRLF attack.
Notes:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848392
 https://github.com/bottlepy/bottle/issues/913
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N [6.5 MEDIUM]

Patches_python-bottle:
upstream: https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54
upstream_python-bottle: released (0.12.11-1)
precise_python-bottle: ignored (reached end-of-life)
precise/esm_python-bottle: DNE (precise was needed)
trusty_python-bottle: ignored (out of standard support)
trusty/esm_python-bottle: released (0.12.0-1ubuntu0.1~esm1)
vivid/stable-phone-overlay_python-bottle: DNE
vivid/ubuntu-core_python-bottle: DNE
xenial_python-bottle: released (0.12.7-1+deb8u1build0.16.04.1)
yakkety_python-bottle: released (0.12.7-1+deb8u1build0.16.10.1)
zesty_python-bottle: not-affected (0.12.11-1)
artful_python-bottle: not-affected (0.12.11-1)
bionic_python-bottle: not-affected (0.12.11-1)
cosmic_python-bottle: not-affected (0.12.11-1)
disco_python-bottle: not-affected (0.12.11-1)
eoan_python-bottle: not-affected (0.12.11-1)
focal_python-bottle: not-affected (0.12.11-1)
groovy_python-bottle: not-affected (0.12.11-1)
hirsute_python-bottle: not-affected (0.12.11-1)
impish_python-bottle: not-affected (0.12.11-1)
jammy_python-bottle: not-affected (0.12.11-1)
devel_python-bottle: not-affected (0.12.11-1)