SUSE-SU-2016:1195-1: moderate: Security update for python-tornado

sle-security-updates at lists.suse.com
Mon May 2 10:07:54 MDT 2016


   SUSE Security Update: Security update for python-tornado
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1195-1
Rating:             moderate
References:         #930361 #930362 #974657 
Cross-References:   CVE-2014-9720
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP1
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Desktop 12-SP1
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has two fixes
   is now available.

Description:


   The python-tornado module was updated to version 4.2.1, which brings
   several fixes, enhancements and new features.

   The following security issues have been fixed:

   - A path traversal vulnerability in StaticFileHandler: files whose paths
     merely began with the static_path directory name, but which were not
     actually inside that directory, could be accessed.
   - The XSRF token is now encoded with a random mask on each request. This
     makes it safe to include in compressed pages without being vulnerable to
     the BREACH attack. This applies to most applications that use both the
     xsrf_cookies and gzip options (or have gzip applied by a proxy).
     (bsc#930362, CVE-2014-9720)
   - The signed-value format used by RequestHandler.{g,s}et_secure_cookie
     changed to be more secure. (bsc#930361)
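   The StaticFileHandler issue above comes down to how the resolved file path is
   compared against the static root. The following is an added illustration (not
   Tornado's own code): a bare string-prefix test accepts a sibling directory whose
   name merely begins with the root, while a comparison on the directory boundary
   rejects it. The root /srv/static and the sibling /srv/static_private are
   constructed for this example.

```python
import posixpath
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical layout (constructed for this example):
#   /srv/static          - the static_path the handler is meant to serve
#   /srv/static_private  - a sibling directory that merely shares the prefix
STATIC_ROOT = "/srv/static"


def resolve_request_path(root: str, request_path: str) -> str:
    """Join the requested path onto the root and collapse any '.' / '..' segments."""
    return posixpath.normpath(posixpath.join(posixpath.normpath(root), request_path))


def prefix_check(root: str, request_path: str) -> Optional[str]:
    """The defective pattern: a bare string-prefix test on the normalized path.

    '/srv/static_private/secret.txt' starts with '/srv/static', so it passes."""
    root = posixpath.normpath(root)
    absolute = resolve_request_path(root, request_path)
    return absolute if absolute.startswith(root) else None


def boundary_check(root: str, request_path: str) -> Optional[str]:
    """The hardened pattern: accept only the root itself or root plus a separator,
    so the comparison happens on a directory boundary, not a character boundary."""
    root = posixpath.normpath(root)
    absolute = resolve_request_path(root, request_path)
    if absolute == root or absolute.startswith(root + "/"):
        return absolute
    return None


def compare_checks(root: str, request_paths: Iterable[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Run both checks over requested paths; None means the request was rejected."""
    return {p: (prefix_check(root, p), boundary_check(root, p)) for p in request_paths}


if __name__ == "__main__":
    sample = ["css/site.css", "../static_private/secret.txt", "../../etc/passwd", "/etc/passwd"]
    for path, (weak, strict) in compare_checks(STATIC_ROOT, sample).items():
        print(f"{path!r:32} prefix-only={weak!r:36} boundary={strict!r}")
```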

   The following enhancements have been implemented:

   - SSLIOStream.connect and IOStream.start_tls now validate certificates by
     default.
   - Certificate validation will now use the system CA root certificates.
   - The default SSL configuration has become stricter, using
     ssl.create_default_context where available on the client side.
   - The deprecated classes in the tornado.auth module, GoogleMixin,
     FacebookMixin and FriendFeedMixin have been removed.
   - New modules have been added: tornado.locks and tornado.queues.
   - The tornado.websocket module now supports compression via the
     "permessage-deflate" extension.
   - Tornado now depends on the backports.ssl_match_hostname package when
     running on Python 2.

   For a comprehensive list of changes, please refer to the release notes:

   - http://www.tornadoweb.org/en/stable/releases/v4.2.0.html
   - http://www.tornadoweb.org/en/stable/releases/v4.1.0.html
   - http://www.tornadoweb.org/en/stable/releases/v4.0.0.html
   - http://www.tornadoweb.org/en/stable/releases/v3.2.0.html


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP1:

      zypper in -t patch SUSE-SLE-WE-12-SP1-2016-589=1

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2016-589=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-589=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-589=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (noarch):

      python-backports.ssl_match_hostname-3.4.0.2-15.1

   - SUSE Linux Enterprise Workstation Extension 12-SP1 (x86_64):

      python-tornado-4.2.1-11.1

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      python-tornado-4.2.1-11.1

   - SUSE Linux Enterprise Workstation Extension 12 (noarch):

      python-backports.ssl_match_hostname-3.4.0.2-15.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      python-tornado-4.2.1-11.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      python-backports.ssl_match_hostname-3.4.0.2-15.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      python-backports.ssl_match_hostname-3.4.0.2-15.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      python-tornado-4.2.1-11.1


References:

   https://www.suse.com/security/cve/CVE-2014-9720.html
   https://bugzilla.suse.com/930361
   https://bugzilla.suse.com/930362
   https://bugzilla.suse.com/974657
