Bug 16100

Summary: python-tornado new security issue CVE-2014-9720
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, makowski.mageia, shlomif, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/647618/
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK advisory
Source RPM: python-tornado-3.1-4.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2015-06-09 18:58:39 CEST
Fedora has issued an advisory on May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159805.html

The issue is fixed upstream in 3.2.2 (already in Cauldron).

The RedHat bug has a link to the upstream commit to fix the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1222816

Comment 1 Philippe Makowski 2015-06-14 16:12:19 CEST
Updated packages uploaded for Mageia 4.

Advisory:
========================

Updated python-tornado packages fix security vulnerabilities:

Security fixes (CVE-2014-9720)

    The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy).

References:

- https://bugzilla.redhat.com/show_bug.cgi?id=1222816
- http://lwn.net/Vulnerabilities/647618/

Updated packages in core/updates_testing:
========================
python-tornado-3.1-4.1.mga4.noarch.rpm
python3-tornado-doc-3.1-4.1.mga4.noarch.rpm
python-tornado-doc-3.1-4.1.mga4.noarch.rpm
python3-tornado-3.1-4.1.mga4.noarch.rpm

From
python-tornado-3.1-4.1.mga4.src.rpm

Assignee: makowski.mageia => qa-bugs
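To make the advisory text concrete, here is an added illustration (not Tornado's code and not part of this bug report) of why the fix works. BREACH needs two things on one compressed page: a fixed secret (the old XSRF token, identical in every response) and attacker-controlled text reflected next to it. A guess that matches the secret's prefix is turned into an LZ77 back-reference, so the compressed body shrinks by a few bytes, and an observer on the network can walk the secret one character at a time. The per-request mask removes the fixed secret from the page: what is emitted is `mask | (mask XOR secret)` with a fresh random mask each time, so no substring of the secret ever appears and the length oracle has nothing to match. The secret value, the page template and the `mask|masked` hex layout are constructed for this example; Tornado 3.2.2's actual wire format differs in detail, and the same idea applies to gzip as it does to the zlib level used here.

```python
"""Added example for CVE-2014-9720: BREACH against an unmasked XSRF token,
and the per-request random masking that defeats it.  Constructed for this
bug report; it is not code from Tornado or from the Mageia package."""
import hmac
import os
import zlib

# Constructed 16-byte per-session XSRF secret (hypothetical value).
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def unmasked_token(secret):
    """Old style: the same hex string is rendered in every response."""
    return secret.hex()


def masked_token(secret, mask=None):
    """Masked style: fresh random mask per request, token = mask | (mask XOR secret).
    Both halves change on every response, so no fixed secret substring is on the page.
    (Layout is an assumption of this example, not Tornado's exact encoding.)"""
    if mask is None:
        mask = os.urandom(len(secret))
    return mask.hex() + "|" + xor_bytes(mask, secret).hex()


def unmask_token(token):
    """Server side: recover the secret from either token form."""
    if "|" not in token:
        return bytes.fromhex(token)
    mask_hex, masked_hex = token.split("|", 1)
    return xor_bytes(bytes.fromhex(mask_hex), bytes.fromhex(masked_hex))


def verify(submitted, secret):
    """Compare the unmasked value in constant time; the mask itself carries no secret."""
    return hmac.compare_digest(unmask_token(submitted), secret)


def render_page(token, reflected):
    """Constructed page: the XSRF token in a hidden field plus attacker-controlled
    text reflected from a query parameter, the two ingredients BREACH needs."""
    return ("<html><body><form><input type='hidden' name='_xsrf' value='%s'></form>"
            "<p>Search results for: %s</p></body></html>" % (token, reflected)).encode()


def compressed_length(token, reflected):
    """What a passive network observer sees: the size of the compressed body
    (zlib level 6 stands in for the gzip applied by Tornado or a proxy)."""
    return len(zlib.compress(render_page(token, reflected), 6))


def breach_advantage(token, correct_guess, wrong_guess):
    """Bytes saved when the reflected guess matches the token's prefix.
    > 0: the observer can tell right from wrong guesses and extend the prefix.
    <= 0: the oracle is gone."""
    return compressed_length(token, wrong_guess) - compressed_length(token, correct_guess)


if __name__ == "__main__":
    correct, wrong = SECRET.hex()[:8], "fedcba98"   # wrong guess shares no trigram with the page
    print("unmasked token, advantage:", breach_advantage(unmasked_token(SECRET), correct, wrong))
    for _ in range(3):
        tok = masked_token(SECRET)
        print("masked token", tok[:12] + "...", "advantage:", breach_advantage(tok, correct, wrong))
    assert verify(masked_token(SECRET), SECRET)
```

Running it prints a positive advantage for the unmasked token (the correct prefix compresses several bytes shorter) and roughly zero for every masked token, each of which is different. The check a packager would want after applying the update is the same: a page served with both `xsrf_cookies` and `gzip` must show a different `_xsrf` value on each request.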

David Walser 2015-06-14 16:35:05 CEST

CC: (none) => makowski.mageia

Comment 3 David Walser 2015-06-14 16:35:53 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=6165#c3

Whiteboard: (none) => has_procedure

Comment 4 Shlomi Fish 2015-06-16 13:23:27 CEST
(In reply to David Walser from comment #3)
> Testing procedure:
> https://bugs.mageia.org/show_bug.cgi?id=6165#c3

Tested on MGA4 x86-64 in a VBox VM. Works fine with both Python 2.x and Python 3.x.

CC: (none) => shlomif
Whiteboard: has_procedure => MGA4-64-OK has_procedure

Comment 5 Shlomi Fish 2015-06-16 13:28:52 CEST
Fine on an i586 VBox VM. Marking as MGA4-32-OK.

Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Dave Hodgins 2015-06-25 10:11:42 CEST

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => MGA4-64-OK has_procedure MGA4-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Dave Hodgins 2015-06-25 10:15:23 CEST
Someone from the sysadmin team please push 16100.adv to updates on Mageia 4.

Comment 7 Mageia Robot 2015-07-01 14:41:09 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0251.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED