It was found that redirect() in bottle.py doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
Created python-bottle tracking bugs for this issue:
Affects: fedora-all [bug 1405417]
Affects: epel-all [bug 1405418]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.