Bug 416547 (CVE-2012-2374) - <www-servers/tornado-2.2.1 HTTP Header Injection Vulnerability (CVE-2012-2374)
Summary: <www-servers/tornado-2.2.1 HTTP Header Injection Vulnerability (CVE-2012-2374)
Status: RESOLVED FIXED
Alias: CVE-2012-2374
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/49185
Whiteboard: B4 [noglsa]
Depends on: 415903
Reported: 2012-05-18 18:55 UTC by Michael Harrison
Modified: 2012-05-23 02:53 UTC (History)
Description Michael Harrison 2012-05-18 18:55:47 UTC
Certain input is not properly sanitised in the "tornado.web.RequestHandler.set_header()" function before being used to display HTTP headers. This can be exploited to include arbitrary HTTP headers in a response sent to the user.

The vulnerability is reported in versions prior to 2.2.1.

Solution
Update to version 2.2.1.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
http://www.tornadoweb.org/documentation/releases/v2.2.1.html

Version 2.2.1 is already stable @bug 415903 and old versions simply need to be removed. Bug for tracking purposes.
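The advisory above describes the failure mode but not how it looks on the wire. The following is an added example, not Tornado's code and not from the bug reporter: a minimal header serializer that, like the unsanitised `set_header()` the advisory describes, lets a value containing CR/LF terminate the header and append attacker-chosen lines, beside a hardened variant that rejects control characters before the value is stored. The function names, the control-character regex and the sample redirect value are this example's own constructions; it does not import `tornado`, so it runs offline.

```python
import re

CRLF = "\r\n"
# Constructed check: refuse any ASCII control character (0x00-0x1f, which
# includes CR and LF) and DEL in a header name or value. This mirrors the
# approach of rejecting CR/LF outright rather than quoting Tornado's patch.
_INVALID_HEADER_CHAR_RE = re.compile(r"[\x00-\x1f\x7f]")


def serialize_headers_unsafe(headers):
    """Join (name, value) pairs into a header block WITHOUT validating
    values. A value that contains CRLF ends the current header line and
    whatever follows is emitted as further headers (the vulnerable path)."""
    lines = ["%s: %s" % (name, value) for name, value in headers]
    return CRLF.join(lines) + CRLF + CRLF


def set_header_safe(headers, name, value):
    """Hardened set_header: coerce to str, then refuse names or values that
    carry control characters so a caller can never smuggle in a new line."""
    name = str(name)
    value = str(value)
    if _INVALID_HEADER_CHAR_RE.search(name) or _INVALID_HEADER_CHAR_RE.search(value):
        raise ValueError("Unsafe header value %r" % value)
    headers.append((name, value))


def parse_header_block(raw):
    """Parse a serialized header block back into (name, value) pairs the
    way a browser or proxy would see it; stops at the empty line."""
    parsed = []
    for line in raw.split(CRLF):
        if not line:
            break
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def demo_injection():
    """Attacker-controlled redirect target (constructed sample input) that
    injects a Set-Cookie header through the unsafe serializer."""
    malicious = "http://example.test/" + CRLF + "Set-Cookie: session=attacker"
    raw = serialize_headers_unsafe([("Location", malicious)])
    return parse_header_block(raw)


def demo_hardened():
    """Same attacker value through the hardened setter: the injection is
    rejected and only the legitimate header survives. Returns
    (rejected, headers)."""
    headers = []
    rejected = False
    try:
        set_header_safe(headers, "Location",
                        "http://example.test/" + CRLF + "Set-Cookie: session=attacker")
    except ValueError:
        rejected = True
    set_header_safe(headers, "Location", "http://example.test/")
    return rejected, headers


if __name__ == "__main__":
    print("unsafe serializer emits:", demo_injection())
    print("hardened setter:", demo_hardened())
```

Run it to see the unsafe path yield two headers from one `Location` value, and the hardened path raise on the same input. The practical check for a deployed application is the same as the one the setter performs: any header value derived from request data (redirect targets, filenames in `Content-Disposition`, cookie values) must be rejected or stripped of CR/LF before it reaches the response.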
Comment 1 Agostino Sarubbo gentoo-dev 2012-05-21 20:03:00 UTC
@security: please vote
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-22 20:00:46 UTC
Thanks, everyone.

GLSA vote: no.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-05-23 02:53:06 UTC
GLSA Vote: no too, closing noglsa.