Headline
CVE-2022-31799: Comparing 0.12.19...0.12.20 · bottlepy/bottle
Bottle before 0.12.20 mishandles errors during early request binding.
Commits on May 24, 2022
Add ServerAdapter for CherryPy >= 9
Since CherryPy >= 9, the server part of CherryPy has been extracted and named Cheroot. Thus the old CherryPy ServerAdapter does not work for CherryPy >= 9: the import fails, and the SSL part should be different too. Cheroot can be installed (git install cheroot) without CherryPy so that we can just have a CherootServer adapter in addition to the CherryPyServer adapter for the older versions.
(cherry picked from commit b9229ee) Signed-off-by: Juerg Haefliger [email protected]
Added depr warning for the outdated cherrypy server adapter.
If you are using this adapter, simply switch to ‘cheroot’. This should fix some recent and some very old issues regarding cherrypy:
- fix #947 Leave explicit the maxima version supported the CherryPy (<= 9.0.0)
- fix #932 Add ServerAdapter (fix CherryPy ServerAdapter)
- fix #685 Update CherryPy SSL to use latest API and work on Py3
- fix #574 Allow custom bind_addr for CherryPy
(backported from commit be90814) [juergh: Adjust context, drop modifications of test/travis-requirements.txt which does not exist in 0.12.] Signed-off-by: Juerg Haefliger [email protected]
Related news
Ubuntu Security Notice 5532-1 - It was discovered that Bottle incorrectly handled errors during early request binding. An attacker could possibly use this issue to disclose sensitive information.