Bug 16100 - python-tornado new security issue CVE-2014-9720
Summary: python-tornado new security issue CVE-2014-9720
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/647618/
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-09 18:58 CEST by David Walser
Modified: 2015-07-01 14:41 CEST (History)
4 users

See Also:
Source RPM: python-tornado-3.1-4.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2015-06-09 18:58:39 CEST
Fedora has issued an advisory on May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2015-June/159805.html

The issue is fixed upstream in 3.2.2 (already in Cauldron).

The RedHat bug has a link to the upstream commit to fix the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1222816

Comment 1 Philippe Makowski 2015-06-14 16:12:19 CEST
Updated packages uploaded for Mageia 4.

Advisory:
========================

Updated python-tornado packages fix security vulnerabilities:

Security fixes (CVE-2014-9720)

    The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy).

References:

- https://bugzilla.redhat.com/show_bug.cgi?id=1222816
- http://lwn.net/Vulnerabilities/647618/

Updated packages in core/updates_testing:
========================
python-tornado-3.1-4.1.mga4.noarch.rpm
python3-tornado-doc-3.1-4.1.mga4.noarch.rpm
python-tornado-doc-3.1-4.1.mga4.noarch.rpm
python3-tornado-3.1-4.1.mga4.noarch.rpm

From
python-tornado-3.1-4.1.mga4.src.rpm

Assignee: makowski.mageia => qa-bugs
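The masking scheme the advisory describes, shown as an added illustration that is not Tornado's own code and is not part of this bug report: the XSRF secret is XORed with a fresh random mask every time it is rendered, so the bytes placed in a compressible page never repeat from one response to the next, and the server unmasks both the cookie and the submitted value before comparing them in constant time. The "2|mask|masked" layout, the sample token value and the function names are assumptions made for this example, not a description of Tornado's on-the-wire format.

```python
import binascii
import hmac
import os
from typing import Optional

# Constructed sample: a fixed 16-byte XSRF secret, i.e. the value an unmasked
# scheme would echo verbatim into every page (hypothetical value, not from the page).
SAMPLE_TOKEN = bytes.fromhex("00112233445566778899aabbccddeeff")


def mask_token(token: bytes, mask: Optional[bytes] = None) -> str:
    """Encode `token` under a one-time random mask.

    Output layout (chosen for this example; not a claim about Tornado's format):
    "2|<mask hex>|<token XOR mask hex>". A fixed `mask` may be supplied for
    deterministic tests; production callers leave it None so os.urandom is used.
    """
    if mask is None:
        mask = os.urandom(len(token))
    if len(mask) != len(token):
        raise ValueError("mask must be as long as the token")
    masked = bytes(t ^ m for t, m in zip(token, mask))
    return "2|%s|%s" % (binascii.hexlify(mask).decode(),
                        binascii.hexlify(masked).decode())


def unmask_token(encoded: str) -> bytes:
    """Recover the underlying token from a masked encoding, or raise ValueError."""
    parts = encoded.split("|")
    if len(parts) != 3 or parts[0] != "2":
        raise ValueError("unrecognised token encoding")
    # binascii.Error is a subclass of ValueError, so bad hex is rejected too.
    mask = binascii.unhexlify(parts[1])
    masked = binascii.unhexlify(parts[2])
    if len(mask) != len(masked):
        raise ValueError("mask/body length mismatch")
    return bytes(x ^ m for x, m in zip(masked, mask))


def tokens_match(cookie_value: str, submitted_value: str) -> bool:
    """Compare the cookie token with the form token after unmasking both.

    Each side may carry a different mask; only the underlying secret has to
    agree. The comparison is constant-time so timing does not leak the token.
    Malformed input is treated as a mismatch rather than an exception.
    """
    try:
        cookie_token = unmask_token(cookie_value)
        submitted_token = unmask_token(submitted_value)
    except ValueError:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)


def encodings_repeat(token: bytes, samples: int = 5) -> bool:
    """True if rendering the same token `samples` times yields identical bytes.

    A verbatim (unmasked) token repeats on every page, which is the property
    BREACH-style compression attacks depend on; the masked encoding must not.
    """
    seen = {mask_token(token) for _ in range(samples)}
    return len(seen) == 1


if __name__ == "__main__":
    rendered = mask_token(SAMPLE_TOKEN)
    print("rendered once :", rendered)
    print("rendered again:", mask_token(SAMPLE_TOKEN))
    print("round-trips   :", unmask_token(rendered) == SAMPLE_TOKEN)
    print("repeats       :", encodings_repeat(SAMPLE_TOKEN))
```

The point of the check in `encodings_repeat` is the one the advisory makes: the fix does not change the secret, it changes how often the same bytes appear on the wire, which is what removes the compression-oracle signal when gzip is applied by the application or by a proxy in front of it.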

David Walser 2015-06-14 16:35:05 CEST

CC: (none) => makowski.mageia

Comment 3 David Walser 2015-06-14 16:35:53 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=6165#c3

Whiteboard: (none) => has_procedure

Comment 4 Shlomi Fish 2015-06-16 13:23:27 CEST
(In reply to David Walser from comment #3)
> Testing procedure:
> https://bugs.mageia.org/show_bug.cgi?id=6165#c3

Tested on MGA4 x86-64 in a VBox VM. Works fine with both Python 2.x and Python 3.x.

CC: (none) => shlomif
Whiteboard: has_procedure => MGA4-64-OK has_procedure

Comment 5 Shlomi Fish 2015-06-16 13:28:52 CEST
Fine on an i586 VBox VM. Marking as MGA4-32-OK.

Whiteboard: MGA4-64-OK has_procedure => MGA4-64-OK has_procedure MGA4-32-OK

Dave Hodgins 2015-06-25 10:11:42 CEST

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => MGA4-64-OK has_procedure MGA4-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Dave Hodgins 2015-06-25 10:15:23 CEST
Someone from the sysadmin team please push 16100.adv to updates on Mageia 4.
Comment 7 Mageia Robot 2015-07-01 14:41:09 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0251.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
