suse-su-2016:1195-1
Vulnerability from csaf_suse
Published
2016-05-02 13:01
Modified
2016-05-02 13:01
Summary
Security update for python-tornado
Notes
Title of the patch
Security update for python-tornado
Description of the patch
The python-tornado module was updated to version 4.2.1, which brings several fixes,
enhancements and new features.
The following security issues have been fixed:
- A path traversal vulnerability in StaticFileHandler, in which files whose names
started with the static_path directory but were not actually in that directory
could be accessed.
- The XSRF token is now encoded with a random mask on each request. This makes it
safe to include in compressed pages without being vulnerable to the BREACH attack.
This applies to most applications that use both the xsrf_cookies and gzip options
(or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)
- The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be
more secure. (bsc#930361)
The following enhancements have been implemented:
- SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
- Certificate validation will now use the system CA root certificates.
- The default SSL configuration has become stricter, using ssl.create_default_context
where available on the client side.
- The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and
FriendFeedMixin have been removed.
- New modules have been added: tornado.locks and tornado.queues.
- The tornado.websocket module now supports compression via the 'permessage-deflate'
extension.
- Tornado now depends on the backports.ssl_match_hostname when running on Python 2.
For a comprehensive list of changes, please refer to the release notes:
- http://www.tornadoweb.org/en/stable/releases/v4.2.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.1.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.0.0.html
- http://www.tornadoweb.org/en/stable/releases/v3.2.0.html
Patchnames
SUSE-SLE-DESKTOP-12-2016-589,SUSE-SLE-DESKTOP-12-SP1-2016-589,SUSE-SLE-WE-12-2016-589,SUSE-SLE-WE-12-SP1-2016-589
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-tornado",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThe python-tornado module was updated to version 4.2.1, which brings several fixes,\nenhancements and new features.\n\nThe following security issues have been fixed:\n\n- A path traversal vulnerability in StaticFileHandler, in which files whose names\n started with the static_path directory but were not actually in that directory\n could be accessed.\n- The XSRF token is now encoded with a random mask on each request. This makes it\n safe to include in compressed pages without being vulnerable to the BREACH attack.\n This applies to most applications that use both the xsrf_cookies and gzip options\n (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)\n- The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be\n more secure. (bsc#930361)\n\nThe following enhancements have been implemented:\n\n- SSLIOStream.connect and IOStream.start_tls now validate certificates by default.\n- Certificate validation will now use the system CA root certificates.\n- The default SSL configuration has become stricter, using ssl.create_default_context\n where available on the client side.\n- The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and\n FriendFeedMixin have been removed.\n- New modules have been added: tornado.locks and tornado.queues.\n- The tornado.websocket module now supports compression via the \u0027permessage-deflate\u0027\n extension.\n- Tornado now depends on the backports.ssl_match_hostname when running on Python 2.\n\nFor a comprehensive list of changes, please refer to the release notes:\n\n- http://www.tornadoweb.org/en/stable/releases/v4.2.0.html\n- http://www.tornadoweb.org/en/stable/releases/v4.1.0.html\n- http://www.tornadoweb.org/en/stable/releases/v4.0.0.html\n- http://www.tornadoweb.org/en/stable/releases/v3.2.0.html\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-DESKTOP-12-2016-589,SUSE-SLE-DESKTOP-12-SP1-2016-589,SUSE-SLE-WE-12-2016-589,SUSE-SLE-WE-12-SP1-2016-589",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_1195-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:1195-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20161195-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:1195-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-May/002034.html"
},
{
"category": "self",
"summary": "SUSE Bug 930361",
"url": "https://bugzilla.suse.com/930361"
},
{
"category": "self",
"summary": "SUSE Bug 930362",
"url": "https://bugzilla.suse.com/930362"
},
{
"category": "self",
"summary": "SUSE Bug 974657",
"url": "https://bugzilla.suse.com/974657"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2014-9720 page",
"url": "https://www.suse.com/security/cve/CVE-2014-9720/"
}
],
"title": "Security update for python-tornado",
"tracking": {
"current_release_date": "2016-05-02T13:01:41Z",
"generator": {
"date": "2016-05-02T13:01:41Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:1195-1",
"initial_release_date": "2016-05-02T13:01:41Z",
"revision_history": [
{
"date": "2016-05-02T13:01:41Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"product": {
"name": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"product_id": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python-tornado-4.2.1-11.1.x86_64",
"product": {
"name": "python-tornado-4.2.1-11.1.x86_64",
"product_id": "python-tornado-4.2.1-11.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Desktop 12",
"product": {
"name": "SUSE Linux Enterprise Desktop 12",
"product_id": "SUSE Linux Enterprise Desktop 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sled:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Desktop 12 SP1",
"product": {
"name": "SUSE Linux Enterprise Desktop 12 SP1",
"product_id": "SUSE Linux Enterprise Desktop 12 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sled:12:sp1"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Workstation Extension 12",
"product": {
"name": "SUSE Linux Enterprise Workstation Extension 12",
"product_id": "SUSE Linux Enterprise Workstation Extension 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-we:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Workstation Extension 12 SP1",
"product": {
"name": "SUSE Linux Enterprise Workstation Extension 12 SP1",
"product_id": "SUSE Linux Enterprise Workstation Extension 12 SP1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-we:12:sp1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch as component of SUSE Linux Enterprise Desktop 12",
"product_id": "SUSE Linux Enterprise Desktop 12:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch"
},
"product_reference": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Desktop 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-4.2.1-11.1.x86_64 as component of SUSE Linux Enterprise Desktop 12",
"product_id": "SUSE Linux Enterprise Desktop 12:python-tornado-4.2.1-11.1.x86_64"
},
"product_reference": "python-tornado-4.2.1-11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Desktop 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch as component of SUSE Linux Enterprise Desktop 12 SP1",
"product_id": "SUSE Linux Enterprise Desktop 12 SP1:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch"
},
"product_reference": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Desktop 12 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-4.2.1-11.1.x86_64 as component of SUSE Linux Enterprise Desktop 12 SP1",
"product_id": "SUSE Linux Enterprise Desktop 12 SP1:python-tornado-4.2.1-11.1.x86_64"
},
"product_reference": "python-tornado-4.2.1-11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Desktop 12 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch as component of SUSE Linux Enterprise Workstation Extension 12",
"product_id": "SUSE Linux Enterprise Workstation Extension 12:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch"
},
"product_reference": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Workstation Extension 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-4.2.1-11.1.x86_64 as component of SUSE Linux Enterprise Workstation Extension 12",
"product_id": "SUSE Linux Enterprise Workstation Extension 12:python-tornado-4.2.1-11.1.x86_64"
},
"product_reference": "python-tornado-4.2.1-11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Workstation Extension 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch as component of SUSE Linux Enterprise Workstation Extension 12 SP1",
"product_id": "SUSE Linux Enterprise Workstation Extension 12 SP1:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch"
},
"product_reference": "python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Workstation Extension 12 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-tornado-4.2.1-11.1.x86_64 as component of SUSE Linux Enterprise Workstation Extension 12 SP1",
"product_id": "SUSE Linux Enterprise Workstation Extension 12 SP1:python-tornado-4.2.1-11.1.x86_64"
},
"product_reference": "python-tornado-4.2.1-11.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Workstation Extension 12 SP1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-9720",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2014-9720"
}
],
"notes": [
{
"category": "general",
"text": "Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Desktop 12 SP1:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Desktop 12 SP1:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Desktop 12:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Desktop 12:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12 SP1:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Workstation Extension 12 SP1:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Workstation Extension 12:python-tornado-4.2.1-11.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2014-9720",
"url": "https://www.suse.com/security/cve/CVE-2014-9720"
},
{
"category": "external",
"summary": "SUSE Bug 833754 for CVE-2014-9720",
"url": "https://bugzilla.suse.com/833754"
},
{
"category": "external",
"summary": "SUSE Bug 930361 for CVE-2014-9720",
"url": "https://bugzilla.suse.com/930361"
},
{
"category": "external",
"summary": "SUSE Bug 930362 for CVE-2014-9720",
"url": "https://bugzilla.suse.com/930362"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Desktop 12 SP1:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Desktop 12 SP1:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Desktop 12:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Desktop 12:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12 SP1:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Workstation Extension 12 SP1:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Workstation Extension 12:python-tornado-4.2.1-11.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Desktop 12 SP1:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Desktop 12 SP1:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Desktop 12:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Desktop 12:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12 SP1:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Workstation Extension 12 SP1:python-tornado-4.2.1-11.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12:python-backports.ssl_match_hostname-3.4.0.2-15.1.noarch",
"SUSE Linux Enterprise Workstation Extension 12:python-tornado-4.2.1-11.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-05-02T13:01:41Z",
"details": "moderate"
}
],
"title": "CVE-2014-9720"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…