Debian Security Advisory
DLA-279-1 python-tornado -- LTS security update
- Date Reported: 22 Jul 2015
- Affected Packages:
- Security database references: In Mitre's CVE dictionary: CVE-2014-9720.
- More information:
A vulnerability was discovered in python-tornado, a scalable, non-blocking web server written in Python.
CSRF cookie allows side-channel attack against TLS (BREACH)
The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack.
For the oldoldstable distribution (squeeze), this problem has been fixed in version 1.0.1-1+deb6u1.
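The per-request masking described above, as an added sketch that is not Tornado's or Debian's own code: the token kept in the cookie stays constant, while the value written into each page is XORed with a fresh random mask, so the bytes in the compressed body never repeat. The function names, the 4-byte mask length and the hex layout are assumptions made for this example.

```python
import hmac
import secrets
from binascii import hexlify, unhexlify
from typing import Optional

MASK_LEN = 4  # assumption for this sketch, not taken from the advisory


def xor_mask(mask: bytes, data: bytes) -> bytes:
    """XOR data with mask, repeating the mask as needed."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def encode_for_page(token: bytes) -> str:
    """Fresh masked encoding of the session token for one response body."""
    mask = secrets.token_bytes(MASK_LEN)
    return hexlify(mask + xor_mask(mask, token)).decode("ascii")


def decode_from_request(encoded: str) -> Optional[bytes]:
    """Recover the raw token from a submitted value; None if malformed."""
    try:
        raw = unhexlify(encoded)
    except (ValueError, TypeError):
        return None
    if len(raw) <= MASK_LEN:
        return None
    return xor_mask(raw[:MASK_LEN], raw[MASK_LEN:])


def is_valid(cookie_token: bytes, submitted: str) -> bool:
    """Constant-time comparison of the unmasked value with the cookie token."""
    decoded = decode_from_request(submitted)
    return decoded is not None and hmac.compare_digest(decoded, cookie_token)


if __name__ == "__main__":
    session_token = secrets.token_bytes(16)  # constructed sample token
    first = encode_for_page(session_token)
    second = encode_for_page(session_token)
    # Two encodings of the same token differ, yet both validate.
    print(first, is_valid(session_token, first))
    print(second, is_valid(session_token, second))
```

The server compares the unmasked value, so every encoding of the same token validates while the string embedded in the page changes on each response.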