Fedora has issued an advisory on May 21:
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081486.html
The solution is to upgrade to 2.2.1 (also needed in Cauldron).
Pushed new release [1] to core/updates_testing. Updated also to latest version (2.3) in Cauldron.
[1] python-tornado-2.2.1-1.mga2
CC: (none) => jani.valimaa
Assignee: bugsquad => qa-bugs
Thanks Jani.
Advisory:
========================
Updated python-tornado package fixes security vulnerability:
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input (CVE-2012-2374).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2374
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081486.html
Testing complete x86_64 using the hello world example here: http://www.tornadoweb.org/
No PoC so just testing it works.
$ python helloworld.py
Verified by browsing to localhost:8888
Whiteboard: (none) => mga2-64-OK
Same testing completed on i586.
Could someone from the sysadmin team push the srpm python-tornado-2.2.1-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.
Advisory:
Updated python-tornado package fixes security vulnerability:
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input (CVE-2012-2374).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2374
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081486.html
https://bugs.mageia.org/show_bug.cgi?id=6165
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: mga2-64-OK => mga2-64-OK, mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0117
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
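The advisory above describes header values that carry CR/LF being written into a response unchecked. The following is an added illustration, not part of this bug report and not Tornado's code: a stand-alone header serializer with and without a control-character check, which can serve as a model for a regression test of such a fix. All function names and the sample header values are constructed for this example.

```python
import re

# Control characters (CR, LF, NUL, ...) are refused in header names and values.
# This is stricter than HTTP requires: it also rejects TAB.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f]")

def serialize_naive(status_line, headers):
    """Join headers with CRLF without inspecting them (the unsafe pattern)."""
    lines = [status_line] + ["%s: %s" % (k, v) for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

def serialize_checked(status_line, headers):
    """Same serializer, but raise if any name or value holds a control char."""
    for name, value in headers:
        if _UNSAFE.search(name) or _UNSAFE.search(value):
            raise ValueError("Unsafe header %r: %r" % (name, value))
    return serialize_naive(status_line, headers)

def header_names(raw):
    """Read the response head as a client would: one header per CRLF line."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]

# Constructed inputs: the second X-Lang value stands for unvalidated user input.
STATUS = "HTTP/1.1 200 OK"
BENIGN = [("Content-Type", "text/plain"), ("X-Lang", "en")]
TAINTED = [("Content-Type", "text/plain"), ("X-Lang", "en\r\nX-Injected: 1")]

def check():
    """Return what a client sees for each serializer and whether the check fires."""
    results = {
        "benign": header_names(serialize_checked(STATUS, BENIGN)),
        "naive_tainted": header_names(serialize_naive(STATUS, TAINTED)),
    }
    try:
        serialize_checked(STATUS, TAINTED)
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results

if __name__ == "__main__":
    for key, value in check().items():
        print(key, value)
```

The naive serializer turns two application-supplied headers into three on the wire, which is the condition a test for this class of bug should assert can no longer happen.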