Security fixes

The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy).

Backwards-compatibility notes

If Tornado 3.2.2 is run at the same time as older versions on the same domain, there is some potential for issues with the differing cookie versions. The Application setting xsrf_cookie_version=1 can be used for a transitional period to generate the older cookie format on newer servers.
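The masking described in the security fix above, and the mixed-format decoding that a transitional deployment needs, shown as an added example. This is not Tornado's own code: the wire layout (`2|<mask hex>|<token XOR mask hex>`, and a bare hex string for the pre-3.2.2 format) is an assumption modelled on the description, and the 16-byte token length and all sample values are constructed for the example.

```python
import hmac
import os
import zlib
from typing import Optional

# Assumption for this example: a 16-byte raw secret, rendered as hex.
TOKEN_LEN = 16


def mask_token(token: bytes, mask: Optional[bytes] = None) -> str:
    """Encode a raw token as "2|<mask hex>|<token XOR mask hex>".

    A fresh random mask is drawn on every call, so the same token is emitted as a
    different byte string on each response even though it decodes to the same value.
    (Layout is an assumption modelled on the changelog; it is not Tornado's code.)
    """
    if mask is None:
        mask = os.urandom(len(token))
    if len(mask) != len(token):
        raise ValueError("mask must be the same length as the token")
    xored = bytes(t ^ m for t, m in zip(token, mask))
    return "2|" + mask.hex() + "|" + xored.hex()


def unmask_token(encoded: str) -> bytes:
    """Recover the raw token from either format.

    Version 2 ("2|mask|xored") is unmasked by XORing the mask back in. A plain hex
    string is treated as the older unmasked format (assumption: what a server running
    with xsrf_cookie_version=1 would produce during the transition).
    """
    if "|" not in encoded:
        return bytes.fromhex(encoded)
    version, mask_hex, xored_hex = encoded.split("|", 2)
    if version != "2":
        raise ValueError("unknown token version: %r" % version)
    mask = bytes.fromhex(mask_hex)
    xored = bytes.fromhex(xored_hex)
    if len(mask) != len(xored):
        raise ValueError("malformed masked token")
    return bytes(x ^ m for x, m in zip(xored, mask))


def tokens_match(form_value: str, cookie_value: str) -> bool:
    """Compare the decoded tokens in constant time; differing masks are irrelevant.

    Any malformed or unknown-version value is rejected rather than raising.
    """
    try:
        a = unmask_token(form_value)
        b = unmask_token(cookie_value)
    except ValueError:
        return False
    return hmac.compare_digest(a, b)


def compressed_size(first: str, second: str) -> int:
    """Deflated size of a body containing both strings, e.g. the token rendered
    into a page twice. Two identical copies shrink a lot; two masked copies do not,
    which is the compression-length side channel the masking removes."""
    return len(zlib.compress((first + second).encode("ascii")))


if __name__ == "__main__":
    secret = os.urandom(TOKEN_LEN)
    masked_a, masked_b = mask_token(secret), mask_token(secret)
    print("masked encodings differ:", masked_a != masked_b)
    print("both decode to the same secret:", tokens_match(masked_a, masked_b))
    print("old server value still accepted:", tokens_match(masked_a, secret.hex()))
    print("deflated size, unmasked x2:", compressed_size(secret.hex(), secret.hex()),
          "bytes; masked x2:", compressed_size(masked_a, masked_b), "bytes")
```

Running the script prints that the two masked encodings differ while still comparing equal after unmasking, and that a pair of unmasked copies deflates to noticeably fewer bytes than a pair of masked copies; that size difference is what a gzip-compressed page must not expose.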

How to install

sudo dnf upgrade --advisory=FEDORA-2015-9143

This update has been submitted for testing by orion.

4 years ago

Taskotron: depcheck test PASSED on i386. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/73896/steps/runtask/logs/stdio (results are informative only)

Taskotron: depcheck test PASSED on x86_64. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/73896/steps/runtask/logs/stdio (results are informative only)

This update is currently being pushed to the Fedora 22 testing updates repository.

4 years ago

This update has been pushed to testing

4 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

4 years ago

This update has been submitted for stable by orion.

4 years ago

This update is currently being pushed to the Fedora 22 stable updates repository.

4 years ago

Taskotron: upgradepath test PASSED on noarch. Result log: https://taskotron.fedoraproject.org/taskmaster//builders/x86_64/builds/79703/steps/runtask/logs/stdio (results are informative only)

This update has been pushed to stable

4 years ago


Metadata
Type: security
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Dates
submitted: 4 years ago
in testing: 4 years ago
in stable: 4 years ago
BZ#1222816 CVE-2014-9720 python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH)
BZ#1222819 python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH) [fedora-all]
