Debian Security Advisory
DLA-279-1 python-tornado -- LTS security update
- Date Reported: 22 Jul 2015
- Affected Packages: python-tornado
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2014-9720.
- More information:
A vulnerability was discovered in python-tornado, a scalable, non-blocking web server written in Python.
- CVE-2014-9720
CSRF cookie allows side-channel attack against TLS (BREACH)
Security Fix
The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack.
For the oldoldstable distribution (squeeze), this problem has been fixed in version 1.0.1-1+deb6u1.
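The per-request masking described in the fix above can be sketched as follows. This is an added example, not Tornado's own code or part of the advisory; the function names, the 16-byte token size, the full-length mask and the hex encoding are assumptions of the example.

```python
import hmac
import secrets
from typing import Optional

TOKEN_BYTES = 16  # assumed size of the long-lived XSRF secret


def new_session_token() -> bytes:
    """Long-lived secret kept in the user's cookie (never written to a page as-is)."""
    return secrets.token_bytes(TOKEN_BYTES)


def mask_token(token: bytes) -> str:
    """Encode `token` for one response body using a fresh random mask.

    Output is hex(mask || token XOR mask), so the bytes placed in the
    compressed page differ on every request even though the token is stable.
    """
    mask = secrets.token_bytes(len(token))
    masked = bytes(t ^ m for t, m in zip(token, mask))
    return (mask + masked).hex()


def unmask_token(encoded: str) -> Optional[bytes]:
    """Recover the raw token from a submitted value, or None if malformed."""
    try:
        raw = bytes.fromhex(encoded)
    except ValueError:
        return None
    if len(raw) == 0 or len(raw) % 2:
        return None
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(a ^ b for a, b in zip(masked, mask))


def check_xsrf(cookie_token: bytes, submitted: str) -> bool:
    """Constant-time comparison of the unmasked form value with the cookie token."""
    candidate = unmask_token(submitted)
    if candidate is None:
        return False
    return hmac.compare_digest(candidate, cookie_token)
```

Because the mask changes on every response, an observer measuring compressed response sizes has no fixed byte string in the body to guess against, while the server still validates the same underlying token.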