SUSE:SLE-12-SP4:Update
File _patchinfo of Package patchinfo.2359
<patchinfo incident="2359">
  <issue id="974657" tracker="bnc">Update python-tornado to 4.2.1 or later</issue>
  <issue id="930361" tracker="bnc">VUL-1: python-tornado: secure cookie name may be the prefix of another</issue>
  <issue id="930362" tracker="bnc">VUL-1: CVE-2014-9720: python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH)</issue>
  <issue id="320738" tracker="fate"/>
  <issue id="CVE-2014-9720" tracker="cve"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>leonardocf</packager>
  <summary>Security update for python-tornado</summary>
  <description>
The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features.

The following security issues have been fixed:

- A path traversal vulnerability in StaticFileHandler, in which files whose names started with the static_path directory but were not actually in that directory could be accessed.
- The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)
- The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be more secure. (bsc#930361)

The following enhancements have been implemented:

- SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
- Certificate validation will now use the system CA root certificates.
- The default SSL configuration has become stricter, using ssl.create_default_context where available on the client side.
- The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and FriendFeedMixin have been removed.
- New modules have been added: tornado.locks and tornado.queues.
- The tornado.websocket module now supports compression via the "permessage-deflate" extension.
- Tornado now depends on the backports.ssl_match_hostname when running on Python 2.

For a comprehensive list of changes, please refer to the release notes:

- http://www.tornadoweb.org/en/stable/releases/v4.2.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.1.0.html
- http://www.tornadoweb.org/en/stable/releases/v4.0.0.html
- http://www.tornadoweb.org/en/stable/releases/v3.2.0.html
  </description>
</patchinfo>