Debian-LTS alert DLA-475-1 (python-tornado)
From: Markus Koschany <apo@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 475-1] python-tornado security update
Date: Sun, 15 May 2016 21:45:40 +0200
Message-ID: <5738D1E4.5030900@debian.org>

Package : python-tornado
Version : 2.3-2+deb7u1
CVE ID : CVE-2014-9720

It was discovered that python-tornado, a Python web framework and asynchronous networking library, was susceptible to the BREACH attack. The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable.

For Debian 7 "Wheezy", these problems have been fixed in version 2.3-2+deb7u1.

We recommend that you upgrade your python-tornado packages.