
Fedora 24: Updated python-tornado for Critical XSRF Issues

Fedora
December 13, 2016
Essential patch resolving an XSRF (CSRF) protection bypass in python-tornado for Fedora 24; the update rewrites the cookie parser so that it handles cookies the way web browsers do.

Summary

Tornado is an open source version of the scalable, non-blocking web server and tools.

The framework is distinct from most mainstream web server frameworks (and certainly most Python frameworks) because it is non-blocking and reasonably fast. Because it is non-blocking and uses epoll, it can handle thousands of simultaneous standing connections, which means it is ideal for real-time web services.

Update Information:

Update to 4.4.2

Security fixes

* A difference in cookie parsing between Tornado and web browsers (especially when combined with Google Analytics) could allow an attacker to set arbitrary cookies and bypass XSRF protection. The cookie parser has been rewritten to fix this attack.

Backwards-compatibility notes

* Cookies containing certain special characters (in particular semicolon and square brackets) are now parsed differently.
* If the cookie header contains a combination of valid and invalid cookies, the valid ones will be returned (older versions of Tornado would reject the entire header for a single invalid cookie).

See also https://www.tornadoweb.org/en/stable/releases/v4.4.0.html
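The two parsing behaviours the notes contrast, shown side by side with simplified parsers. This is an added illustration, not Tornado's own code: the accepted character set of the strict parser and the sample Cookie header are constructed assumptions, chosen so that one third-party cookie with square brackets sits next to the framework's `_xsrf` cookie.

```python
import re

# Constructed sample header (assumption, not from the advisory): a tracking cookie,
# a cookie whose value uses square brackets, and the framework's own _xsrf cookie.
SAMPLE_HEADER = '_ga=GA1.2.123; prefs=[dark]; _xsrf=2|abc123'

# Simplified set of characters the strict parser accepts in a value (assumption:
# deliberately excludes '[' and ']' to reproduce the behaviour the notes describe).
_STRICT_VALUE = re.compile(r"^[A-Za-z0-9!#$%&'*+\-.^_`|~:/=]*$")


def parse_cookie_strict(header):
    """Old-style, all-or-nothing parsing: a single malformed cookie makes the
    whole header unusable, so the caller ends up seeing no cookies at all."""
    cookies = {}
    for chunk in header.split(';'):
        chunk = chunk.strip()
        if not chunk:
            continue
        if '=' not in chunk:
            return {}
        key, val = (part.strip() for part in chunk.split('=', 1))
        if not key or not _STRICT_VALUE.match(val):
            return {}
        cookies[key] = val
    return cookies


def parse_cookie_lenient(header):
    """Browser-style parsing, which the fix moves towards: split on ';', then on
    the first '=', keep every pair that has a name, and skip malformed pairs
    instead of discarding the rest of the header."""
    cookies = {}
    for chunk in header.split(';'):
        if '=' not in chunk:
            continue
        key, val = (part.strip() for part in chunk.split('=', 1))
        if key:
            cookies[key] = val
    return cookies


def xsrf_cookie_views(header):
    """Return the _xsrf value each parser sees for the same header. When the two
    differ, server and browser disagree about the token, which is the class of
    parsing difference the advisory identifies as the root cause."""
    return (parse_cookie_strict(header).get('_xsrf'),
            parse_cookie_lenient(header).get('_xsrf'))
```

Running `xsrf_cookie_views(SAMPLE_HEADER)` shows the strict parser losing the `_xsrf` cookie entirely because of the unrelated `prefs` cookie, while the lenient parser returns it together with the other valid pairs.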

Change Log

References

[1] Bug #1399570 - python-tornado: XSRF protection bypass via cookie parsing differences https://bugzilla.redhat.com/show_bug.cgi?id=1399570

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade python-tornado' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

Severity
critical

Name: python-tornado
Product: Fedora 24
Version: 4.4.2
Release: 1.fc24
Summary: Scalable, non-blocking web server and tools
