SUSE-SU-2016:1195-1

See a problem?
Please try reporting it to the source first.

Source

https://www.suse.com/support/update/announcement/2016/suse-su-20161195-1/

Import Source

https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json

JSON Data

https://api.osv.dev/v1/vulns/SUSE-SU-2016:1195-1

Upstream

CVE-2014-9720

Related

CVE-2014-9720

Published

2016-05-02T13:01:41Z

Modified

2025-05-02T04:04:15.115729Z

Summary

Security update for python-tornado

Details

The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features.

The following security issues have been fixed:

A path traversal vulnerability in StaticFileHandler, in which files whose names started with the static_path directory but were not actually in that directory could be accessed.
The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)
The signed-value format used by RequestHandler.{g,s}etsecurecookie changed to be more secure. (bsc#930361)

The following enhancements have been implemented:

SSLIOStream.connect and IOStream.start_tls now validate certificates by default.
Certificate validation will now use the system CA root certificates.
The default SSL configuration has become stricter, using ssl.createdefaultcontext where available on the client side.
The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and FriendFeedMixin have been removed.
New modules have been added: tornado.locks and tornado.queues.
The tornado.websocket module now supports compression via the 'permessage-deflate' extension.
Tornado now depends on the backports.sslmatchhostname when running on Python 2.

For a comprehensive list of changes, please refer to the release notes:

http://www.tornadoweb.org/en/stable/releases/v4.2.0.html
http://www.tornadoweb.org/en/stable/releases/v4.1.0.html
http://www.tornadoweb.org/en/stable/releases/v4.0.0.html
http://www.tornadoweb.org/en/stable/releases/v3.2.0.html

References

Affected packages

SUSE:Linux Enterprise Desktop 12

python-backports.ssl_match_hostname

Package

Name: python-backports.ssl_match_hostname
Purl: pkg:rpm/suse/python-backports.ssl_match_hostname&distro=SUSE%20Linux%20Enterprise%20Desktop%2012

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0.2-15.1

Ecosystem specific

{
    "binaries": [
        {
            "python-tornado": "4.2.1-11.1",
            "python-backports.ssl_match_hostname": "3.4.0.2-15.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json"

python-tornado

Package

Name: python-tornado
Purl: pkg:rpm/suse/python-tornado&distro=SUSE%20Linux%20Enterprise%20Desktop%2012

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.1-11.1

Ecosystem specific

{
    "binaries": [
        {
            "python-tornado": "4.2.1-11.1",
            "python-backports.ssl_match_hostname": "3.4.0.2-15.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json"

SUSE:Linux Enterprise Desktop 12 SP1

python-backports.ssl_match_hostname

Package

Name: python-backports.ssl_match_hostname
Purl: pkg:rpm/suse/python-backports.ssl_match_hostname&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0.2-15.1

Ecosystem specific

{
    "binaries": [
        {
            "python-tornado": "4.2.1-11.1",
            "python-backports.ssl_match_hostname": "3.4.0.2-15.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json"

python-tornado

Package

Name: python-tornado
Purl: pkg:rpm/suse/python-tornado&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.1-11.1

Ecosystem specific

{
    "binaries": [
        {
            "python-tornado": "4.2.1-11.1",
            "python-backports.ssl_match_hostname": "3.4.0.2-15.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json"

SUSE:Linux Enterprise Workstation Extension 12

python-backports.ssl_match_hostname

Package

Name: python-backports.ssl_match_hostname
Purl: pkg:rpm/suse/python-backports.ssl_match_hostname&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0.2-15.1

Ecosystem specific

{
    "binaries": [
        {
            "python-tornado": "4.2.1-11.1",
            "python-backports.ssl_match_hostname": "3.4.0.2-15.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json"

python-tornado

Package

Name: python-tornado
Purl: pkg:rpm/suse/python-tornado&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.1-11.1

Ecosystem specific

{
    "binaries": [
        {
            "python-tornado": "4.2.1-11.1",
            "python-backports.ssl_match_hostname": "3.4.0.2-15.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json"

SUSE:Linux Enterprise Workstation Extension 12 SP1

python-backports.ssl_match_hostname

Package

Name: python-backports.ssl_match_hostname
Purl: pkg:rpm/suse/python-backports.ssl_match_hostname&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0.2-15.1

Ecosystem specific

{
    "binaries": [
        {
            "python-tornado": "4.2.1-11.1",
            "python-backports.ssl_match_hostname": "3.4.0.2-15.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json"

python-tornado

Package

Name: python-tornado
Purl: pkg:rpm/suse/python-tornado&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.1-11.1

Ecosystem specific

{
    "binaries": [
        {
            "python-tornado": "4.2.1-11.1",
            "python-backports.ssl_match_hostname": "3.4.0.2-15.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1195-1.json"