Bugzilla – Bug 930362
VUL-1: CVE-2014-9720: python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH)
Last modified: 2017-01-23 13:37:29 UTC
From http://www.tornadoweb.org/en/stable/releases/v3.2.2.html

Security fixes
The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy).

Backwards-compatibility notes
If Tornado 3.2.2 is run at the same time as older versions on the same domain, there is some potential for issues with the differing cookie versions. The Application setting xsrf_cookie_version=1 can be used for a transitional period to generate the older cookie format on newer servers.

Also see bug 833754 for BREACH.

References:
http://www.tornadoweb.org/en/stable/releases/v3.2.2.html
http://breachattack.com/
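To make the fix concrete, here is an added example (written for this page, not Tornado's own code) of the two halves of the issue: a DEFLATE length oracle that tells an attacker whether a reflected guess matches the start of an unmasked token embedded in the same compressed page, and a per-response random mask that makes the token bytes on the wire differ every time, so there is no stable target for that oracle. The cookie layout ("2|<mask hex>|<token XOR mask hex>"), the 16-byte token, the page template and the test inputs are all constructed for this example and are not taken from the Tornado source or the bug.

```python
import binascii
import hmac
import os
import zlib
from typing import Optional

# Constructed for this example: a fixed 16-byte secret so the length oracle is reproducible.
TOKEN = "3f9a7c1e5b2d8e04"


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def mask_token(raw_token: bytes) -> str:
    """Encode raw_token under a fresh random mask. Every call returns a different
    string for the same token, which is the property that defeats BREACH."""
    mask = os.urandom(len(raw_token))
    return "2|%s|%s" % (
        binascii.hexlify(mask).decode("ascii"),
        binascii.hexlify(_xor(raw_token, mask)).decode("ascii"),
    )


def unmask_token(encoded: str) -> Optional[bytes]:
    """Recover the raw token from a masked value; None on any malformed input."""
    parts = encoded.split("|")
    if len(parts) != 3 or parts[0] != "2":
        return None
    try:
        mask = binascii.unhexlify(parts[1])
        masked = binascii.unhexlify(parts[2])
    except (binascii.Error, ValueError):
        return None
    if not mask or len(mask) != len(masked):
        return None
    return _xor(masked, mask)


def tokens_match(cookie_value: str, form_value: str) -> bool:
    """Compare the cookie and form copies of the token after unmasking both.
    The two copies carry different masks; only the unmasked secret must agree,
    and the comparison is constant-time."""
    a = unmask_token(cookie_value)
    b = unmask_token(form_value)
    if a is None or b is None:
        return False
    return hmac.compare_digest(a, b)


def render_page(token_field: str, reflected: str) -> str:
    """Constructed page: a hidden XSRF field plus attacker-controlled reflected text,
    the mix of secret and attacker input that BREACH needs in one compressed body."""
    return (
        '<input type="hidden" name="_xsrf" value="%s">'
        "<div>you searched for: %s</div>" % (token_field, reflected)
    )


def compressed_size(body: str) -> int:
    """Size of the DEFLATE-compressed body, i.e. what an attacker sees on the wire."""
    return len(zlib.compress(body.encode("utf-8")))


def guess_shrinks_page(token_field: str, guess: str, wrong: str) -> bool:
    """The length oracle: True when reflecting the correct prefix produces a smaller
    compressed page than reflecting an unrelated string of the same length."""
    return compressed_size(render_page(token_field, guess)) < compressed_size(
        render_page(token_field, wrong)
    )


def distinct_encodings(raw_token: bytes, n: int) -> int:
    """How many different on-the-wire values n responses would carry for one token."""
    return len({mask_token(raw_token) for _ in range(n)})
```

With the unmasked token in the page, `guess_shrinks_page(TOKEN, TOKEN[:8], "QWXYZKJV")` is True: the correct prefix is replaced by an LZ77 back-reference and the response gets shorter, which is exactly the byte-at-a-time oracle BREACH exploits. Once each response carries `mask_token(...)` instead, `distinct_encodings` shows that no two responses contain the same token bytes, so a prefix learned from one response is useless against the next, while `tokens_match` still validates a cookie and a form field that were masked independently.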
bugbot adjusting priority
commit: https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308
CVE-request: http://seclists.org/oss-sec/2015/q2/491
CVE-2014-9720 assigned http://seclists.org/oss-sec/2015/q2/501
Alexandre, on top of bug 930361, there's also this one.
This request needs the following patches ported:
1. Small security improvements to xsrf tokens; add tests.
   https://github.com/tornadoweb/tornado/commit/7279a303d1c366aabd4facfc6b29ed46c3422350
2. Change the xsrf cookie format to be masked with a random salt.
   https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308
3. Add the option to request an older xsrf cookie version.
   https://github.com/tornadoweb/tornado/commit/c2a8c322b3f3f54f6525d7469ecab1af46862bc2
Created attachment 653293 [details]
fix patch

This patch merges the xsrf commits requested above.
Request 76763 got accepted.
Maintenance target got moved to project SUSE:Maintenance:1369.
Bug fixed.
https://build.suse.de/request/show/76763
Created attachment 654143 [details]
the patch

This patch is for openSUSE-13.1. The patch was rewritten against tornado-3.1.0.
Code request on: https://api.opensuse.org/request/show/342032
openSUSE-SU-2015:1998-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 930361,930362
CVE References: CVE-2014-9720
Sources used:
openSUSE 13.1 (src): python-tornado-3.1-2.3.1
SUSE-SU-2016:1195-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 930361,930362,974657
CVE References: CVE-2014-9720
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): python-backports.ssl_match_hostname-3.4.0.2-15.1, python-tornado-4.2.1-11.1
SUSE Linux Enterprise Workstation Extension 12 (src): python-backports.ssl_match_hostname-3.4.0.2-15.1, python-tornado-4.2.1-11.1
SUSE Linux Enterprise Desktop 12-SP1 (src): python-backports.ssl_match_hostname-3.4.0.2-15.1, python-tornado-4.2.1-11.1
SUSE Linux Enterprise Desktop 12 (src): python-backports.ssl_match_hostname-3.4.0.2-15.1, python-tornado-4.2.1-11.1
all released