Bug 19865 - [Update Request] python-tornado
Summary: [Update Request] python-tornado
Status: RESOLVED DUPLICATE of bug 19859
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL: http://www.linuxsecurity.com/content/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-29 14:53 CET by Zombie Ryushu
Modified: 2016-11-29 16:39 CET

See Also:
Source RPM: python-tornado
CVE:
Status comment:



Description Zombie Ryushu 2016-11-29 14:53:40 CET
Update to 4.4.2:

Security fixes

* A difference in cookie parsing between Tornado and web browsers (especially
  when combined with Google Analytics) could allow an attacker to set arbitrary
  cookies and bypass XSRF protection. The cookie parser has been rewritten to
  fix this attack.

Backwards-compatibility notes

* Cookies containing certain special characters (in particular semicolon and
  square brackets) are now parsed differently.
* If the cookie header contains a combination of valid and invalid cookies, the
  valid ones will be returned (older versions of Tornado would reject the
  entire header for a single invalid cookie).

Comment 1 Nicolas Lécureuil 2016-11-29 15:25:56 CET
Fixed by Philippe in mga5 updates_testing

SRPMS:  python-tornado-3.2.2-4.1.mga5

CC: (none) => mageia

Comment 2 David Walser 2016-11-29 16:39:57 CET
Bug already filed yesterday.

*** This bug has been marked as a duplicate of bug 19859 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE

