Bug 6165

Summary: python-tornado new security issue CVE-2012-2374
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, jani.valimaa, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/499171/
Whiteboard: mga2-64-OK, mga2-32-OK
Source RPM: python-tornado-2.1.1-2.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-05-29 23:27:54 CEST 
Fedora has issued an advisory on May 21:
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081486.html

The solution is to upgrade to 2.2.1 (also needed in Cauldron).
Comment 1 Jani Välimaa 2012-06-09 09:51:11 CEST 
Pushed new release [1] to core/updates_testing. Updated also to latest version (2.3) in Cauldron.

[1] python-tornado-2.2.1-1.mga2

CC: (none) => jani.valimaa
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2012-06-09 13:48:25 CEST 
Thanks Jani.

Advisory:
========================

Updated python-tornado package fixes security vulnerability:

CRLF injection vulnerability in the
tornado.web.RequestHandler.set_header function in Tornado before 2.2.1
allows remote attackers to inject arbitrary HTTP headers and conduct
HTTP response splitting attacks via crafted input (CVE-2012-2374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2374
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081486.html
Comment 3 claire robinson 2012-06-14 15:21:28 CEST 
Testing complete x86_64 using the hello world example here: http://www.tornadoweb.org/

No PoC so just testing it works.

$ python helloworld.py

Verified by browsing to localhost:8888

Whiteboard: (none) => mga2-64-OK

Comment 4 Dave Hodgins 2012-06-15 04:29:29 CEST 
Same testing completed on i586.

Could someone from the sysadmin team push the srpm
python-tornado-2.2.1-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated python-tornado package fixes security vulnerability:

CRLF injection vulnerability in the
tornado.web.RequestHandler.set_header function in Tornado before 2.2.1
allows remote attackers to inject arbitrary HTTP headers and conduct
HTTP response splitting attacks via crafted input (CVE-2012-2374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2374
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081486.html

https://bugs.mageia.org/show_bug.cgi?id=6165

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: mga2-64-OK => mga2-64-OK, mga2-32-OK

Comment 5 Thomas Backlund 2012-06-19 18:35:30 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0117

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED