Bug 32033 - python-tornado new security issue CVE-2023-28370
Summary: python-tornado new security issue CVE-2023-28370
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-06-20 15:03 CEST by David Walser
Modified: 2023-06-28 07:23 CEST (History)
5 users

See Also:
Source RPM: python-tornado-6.2-1.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2023-06-20 15:03:31 CEST
Ubuntu has issued an advisory on June 13:
https://ubuntu.com/security/notices/USN-6159-1

The issue is fixed upstream in 6.3.2:
https://github.com/tornadoweb/tornado/releases/tag/v6.3.2

Mageia 8 is also affected.
David Walser 2023-06-20 15:03:41 CEST

Status comment: (none) => Fixed upstream in 6.3.2
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-06-20 15:49:17 CEST
Done for both mga8 and cauldron!

freeze_move requested for cauldron.

CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2023-06-20 20:22:26 CEST
Many thanks; assigning to you.

CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210

Comment 3 David Walser 2023-06-21 15:21:03 CEST
Mageia 8 update:
python3-tornado-6.1-1.1.mga8
python3-tornado-doc-6.1-1.1.mga8

from python-tornado-6.1-1.1.mga8.src.rpm

Status comment: Fixed upstream in 6.3.2 => (none)

David GEIGER 2023-06-22 16:38:36 CEST

Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

David Walser 2023-06-23 00:46:45 CEST

CC: (none) => geiger.david68210

Comment 4 Len Lawrence 2023-06-24 18:27:18 CEST
Mageia8, x86_64

Installed the two packages and looked for applications which need it.  It seems to be aimed at web-based frameworks.  Installed mopidy to try out in Firefox.  Not entirely sure what I was doing but managed to get it working by using a local (user) mopidy.conf and opening port 6680.
Started the server
$ mopidy --config ./.mopidy.conf
Entered http://<network address of host>:6680 in the address field and mopidy brought up a web page which showed iris as the web client.  Clicking on that generates the menu page "Playing now" which contains various controls.  I had no luck trying to play tracks from an m3u playlist.  The complaint was "This appears to be a text file...." which is what it is.  vlc accepts these files and displays a menu of tracks, so it seems that the term "playlist" means different things depending on who you talk to.  Anyway, there is a 'browse' button which works just like any file browser and allows selection of files to play directly.  That works fine and treats the current directory as a "playlist".

Updated the packages and used the same config file with mopidy and iris to play tracks.  It behaves exactly as before.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 5 Len Lawrence 2023-06-24 18:48:27 CEST
Addendum to comment 4.
One way to generate an m3u file which mopidy might accept as a playlist would be to create one by playing tracks and adding them to a new playlist.

Comment 6 Thomas Andrews 2023-06-26 02:10:28 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-06-27 22:44:51 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-06-28 07:23:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0211.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
