Debian Security Advisory

DLA-279-1 python-tornado -- LTS security update

Date Reported: 22 Jul 2015
Affected Packages: python-tornado
Security database references: In Mitre's CVE dictionary: CVE-2014-9720.
More information:

A vulnerability was discovered in python-tornado, a scalable, nonblocking web server written in Python.

  • CVE-2014-9720

    CSRF cookie allows side-channel attack against TLS (BREACH)

    Security Fix

    The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack.

For the oldoldstable distribution (squeeze), this problem has been fixed in version 1.0.1-1+deb6u1.
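
The per-request masking described in the Security Fix note can be sketched as follows. This is an added example, not Tornado's own code or its token format; the function names, the 16-byte token size and the hex encoding are assumptions made for illustration.

```python
import binascii
import hmac
import os

TOKEN_LEN = 16  # assumed size in bytes of the raw per-session token


def new_token() -> bytes:
    """Generate the raw per-session XSRF token."""
    return os.urandom(TOKEN_LEN)


def _xor(data: bytes, mask: bytes) -> bytes:
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def mask_token(token: bytes) -> str:
    """Encode token under a fresh random mask; call once per response.

    The page body then never contains the same bytes twice, so a
    compression-length side channel has no stable secret to guess at.
    """
    mask = os.urandom(len(token))
    return binascii.hexlify(mask + _xor(token, mask)).decode("ascii")


def unmask_token(encoded):
    """Recover the raw token, or None if the value is malformed."""
    try:
        raw = binascii.unhexlify(encoded)
    except (ValueError, TypeError):  # binascii.Error subclasses ValueError
        return None
    if len(raw) != 2 * TOKEN_LEN:
        return None
    mask, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return _xor(masked, mask)


def check_xsrf(cookie_value, form_value) -> bool:
    """Compare the two submitted values after unmasking, in constant time."""
    a, b = unmask_token(cookie_value), unmask_token(form_value)
    if a is None or b is None:
        return False
    return hmac.compare_digest(a, b)
```

Because the server compares unmasked values, a form rendered with one mask still validates against a cookie issued with another, while the bytes visible in each compressed response differ.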