python-cherrypy -- missing input sanitising

ID DSA-1481
Type debian
Reporter Debian
Modified 2008-02-05T00:00:00


It was discovered that a directory traversal vulnerability in CherryPy, a pythonic, object-oriented web development framework, may lead to denial of service by deleting files through malicious session IDs in cookies.

The old stable distribution (sarge) doesn't contain python-cherrypy.

For the stable distribution (etch), this problem has been fixed in version 2.2.1-3etch1.

We recommend that you upgrade your python-cherrypy packages.
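
The class of bug described above, a session ID taken from a cookie and used to build a file path, shown beside one way to guard against it. This is an added example, not CherryPy's code or the Debian patch; the 40-hex-character ID format, the function names and the file names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption for this example: session IDs are 40 lowercase hex characters.
SESSION_ID_RE = re.compile(r"[0-9a-f]{40}")

def unsafe_session_path(storage_dir, session_id):
    """Vulnerable pattern: the cookie value goes into the path unchecked."""
    return os.path.join(storage_dir, session_id)

def safe_session_path(storage_dir, session_id):
    """Return the session file path, or raise ValueError for a bad ID."""
    # Check 1: allowlist the ID format, so separators and dots never get through.
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("malformed session id")
    # Check 2: the resolved path must still be inside the storage directory.
    root = os.path.realpath(storage_dir)
    path = os.path.realpath(os.path.join(root, session_id))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("session path escapes storage directory")
    return path

def delete_session(storage_dir, session_id):
    """Delete a session file; return False when the ID is rejected or unknown."""
    try:
        os.unlink(safe_session_path(storage_dir, session_id))
    except (ValueError, FileNotFoundError):
        return False
    return True

def demo():
    """Run both variants against constructed IDs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as base:
        storage = os.path.join(base, "sessions")
        os.mkdir(storage)
        victim = os.path.join(base, "app.conf")  # constructed file outside storage
        open(victim, "w").close()
        good_id = "a" * 40  # constructed well-formed ID
        open(os.path.join(storage, good_id), "w").close()
        bad_id = os.path.join("..", "app.conf")  # constructed traversal ID
        escaped = (os.path.realpath(unsafe_session_path(storage, bad_id))
                   == os.path.realpath(victim))
        rejected = not delete_session(storage, bad_id) and os.path.exists(victim)
        removed = delete_session(storage, good_id)
        return escaped, rejected, removed

if __name__ == "__main__":
    print(demo())
```

The format check alone stops the traversal here; the containment check is kept as a second layer in case the ID format is later loosened or the storage directory contains symlinks.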