Bug 19865

Summary: [Update Request] python-tornado
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED DUPLICATE
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://www.linuxsecurity.com/content/view/169968/
Whiteboard:
Source RPM: python-tornado
CVE:
Status comment:

Description Zombie Ryushu 2016-11-29 14:53:40 CET
Update to 4.4.2:

Security fixes

* A difference in cookie parsing between Tornado and web browsers (especially when combined with Google Analytics) could allow an attacker to set arbitrary cookies and bypass XSRF protection. The cookie parser has been rewritten to fix this attack.

Backwards-compatibility notes

* Cookies containing certain special characters (in particular semicolon and square brackets) are now parsed differently.
* If the cookie header contains a combination of valid and invalid cookies, the valid ones will be returned (older versions of Tornado would reject the entire header for a single invalid cookie).
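
Added example, not part of the bug report and not Tornado's code: a small model of the two behaviours in the backwards-compatibility notes, useful for checking what an application sees before and after the update. Both parsers, the token grammar in `_STRICT_PAIR` and the sample header are constructed for illustration; the tolerant parser splits on ';' only, which is how browsers delimit cookies.

```python
import re

# Assumption: a conservative token grammar standing in for "valid" pairs.
_STRICT_PAIR = re.compile(r"[A-Za-z0-9_.-]+=[A-Za-z0-9_.%-]*")


def parse_all_or_nothing(header):
    """Model of the old behaviour: one invalid pair rejects the whole header."""
    cookies = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if not _STRICT_PAIR.fullmatch(chunk):
            return {}  # every cookie is lost, including the XSRF token
        name, _, value = chunk.partition("=")
        cookies[name] = value
    return cookies


def parse_browser_style(header):
    """Model of the new behaviour: ';' is the only delimiter, bad pieces are skipped."""
    cookies = {}
    for chunk in header.split(";"):
        name, sep, value = chunk.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            continue  # drop only the malformed piece, keep the rest
        cookies[name] = value  # brackets and similar stay inside the value
    return cookies


def dropped_by_strict(header):
    """Cookie names the tolerant parser returns but the strict model loses."""
    kept = set(parse_browser_style(header))
    return sorted(kept - set(parse_all_or_nothing(header)))


# Constructed sample: a value with square brackets and a bare token with no '='.
SAMPLE = "session=abc123; prefs=[dark]; junk; _xsrf=t0k3n"

if __name__ == "__main__":
    print("all-or-nothing:", parse_all_or_nothing(SAMPLE))
    print("browser-style: ", parse_browser_style(SAMPLE))
    print("lost by strict:", dropped_by_strict(SAMPLE))
```

Code that relied on a malformed cookie emptying the whole cookie set, or on quoted values containing semicolons, should be retested after the update.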
Comment 1 Nicolas Lécureuil 2016-11-29 15:25:56 CET
Fixed by Philippe in mga5 updates_testing

SRPMS:  python-tornado-3.2.2-4.1.mga5

CC: (none) => mageia

Comment 2 David Walser 2016-11-29 16:39:57 CET
Bug already filed yesterday.

*** This bug has been marked as a duplicate of bug 19859 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE