
oss-sec mailing list archives
Re: CVE request: python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH)
From: cve-assign () mitre org
Date: Tue, 19 May 2015 15:34:01 -0400 (EDT)
Tornado 3.2.2
June 3, 2014

Security fixes

The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack.

https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308
https://bugzilla.novell.com/show_bug.cgi?id=930362
https://bugzilla.redhat.com/show_bug.cgi?id=1222816
Use CVE-2014-9720.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
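The per-request masking described in the quoted release note, as an added example that is not part of the original message and is not Tornado's own code. The function names and the hex encoding (mask followed by masked token) are assumptions made for this sketch; the point is that the bytes placed in each compressed response differ while the server still recovers the same underlying token.

```python
import hmac
import secrets
from typing import Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask_token(token: bytes) -> str:
    """Encode `token` for one response; every call yields different bytes."""
    mask = secrets.token_bytes(len(token))  # fresh random mask per response
    return (mask + _xor(mask, token)).hex()


def unmask_token(encoded: str) -> Optional[bytes]:
    """Recover the raw token, or None if the encoding is malformed."""
    try:
        raw = bytes.fromhex(encoded)
    except ValueError:
        return None
    if not raw or len(raw) % 2:
        return None
    half = len(raw) // 2
    return _xor(raw[:half], raw[half:])


def verify(submitted: str, expected_token: bytes) -> bool:
    """Constant-time comparison of the unmasked form value with the stored token."""
    token = unmask_token(submitted)
    return token is not None and hmac.compare_digest(token, expected_token)


if __name__ == "__main__":
    session_token = secrets.token_bytes(16)  # constructed sample token
    first, second = mask_token(session_token), mask_token(session_token)
    # Two encodings of one token differ on the wire but both verify.
    print(first != second, verify(first, session_token), verify(second, session_token))
```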
Current thread:
- CVE request: python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH) Vasyl Kaigorodov (May 19)
- Re: CVE request: python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH) cve-assign (May 19)