Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 549898 (CVE-2014-9720) - <www-servers/tornado-4.2.1: XSRF cookie allows side-channel attack against TLS (CVE-2014-9720)
Summary: <www-servers/tornado-4.2.1: XSRF cookie allows side-channel attack against TL...
Alias: CVE-2014-9720
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa/cve]
: 566144 (view as bug list)
Depends on: 564588
Blocks: 530622
  Show dependency tree
Reported: 2015-05-19 13:31 UTC by Agostino Sarubbo
Modified: 2016-02-25 06:53 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

tornado.list (tornado.list,240 bytes, text/plain)
2015-11-18 16:42 UTC, Justin Lecher (RETIRED)
no flags Details
urllib3.list (urllib3.list,362 bytes, text/plain)
2015-11-19 09:49 UTC, Justin Lecher (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-19 13:31:36 UTC
From ${URL} :

Security fixes
The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip 
applied by a proxy).

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alex Brandt (RETIRED) gentoo-dev 2015-05-23 20:41:44 UTC
Hey Agostino (or security), is there any action I need to take on this bug at this time?
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-23 21:28:03 UTC
(In reply to Alex Brandt from comment #1)
> Hey Agostino (or security), is there any action I need to take on this bug
> at this time?

you have to provide fixed version in the tree at least
Comment 3 Alex Brandt (RETIRED) gentoo-dev 2015-05-24 02:00:01 UTC
> you have to provide fixed version in the tree at least

Where's the CVE or other information that outlines the exploit and affected versions?  I see the URL points at 3.2.2 is that an unaffected version or the version that is affected?  Versions through 4.2 are available in the tree now.  Let me know if any of the versions satisfy the requirements.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-05-27 06:09:15 UTC
That URL cites June 3, 2014. Unless version 3.2.2 os the 3.x series is required, this bug appears to have had its requirements met *tornado-4.0.1 (02 Sep 2014) by me.
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2015-11-18 16:42:03 UTC
Created attachment 417306 [details]

Stable list
Comment 6 Justin Lecher (RETIRED) gentoo-dev 2015-11-18 16:53:15 UTC
Comment on attachment 417306 [details]

wrong list
Comment 7 Justin Lecher (RETIRED) gentoo-dev 2015-11-18 17:04:47 UTC
*** Bug 566144 has been marked as a duplicate of this bug. ***
Comment 8 Justin Lecher (RETIRED) gentoo-dev 2015-11-19 09:49:27 UTC
Created attachment 417334 [details]

Stable list
Comment 9 Justin Lecher (RETIRED) gentoo-dev 2015-11-19 09:51:20 UTC
@arches please stabilize


and revdep.

List attached. For some arches we need to fix bug 564588 first
Comment 10 Justin Lecher (RETIRED) gentoo-dev 2015-11-19 09:56:02 UTC
@ia4 please also go stable here.
Comment 11 Agostino Sarubbo gentoo-dev 2015-11-19 10:16:55 UTC
amd64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-22 05:41:15 UTC
Stable for HPPA.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2015-11-24 09:37:33 UTC
Stable for PPC64.
Comment 14 Markus Meier gentoo-dev 2015-11-26 19:26:53 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-12-25 18:20:26 UTC
x86 stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-12-26 12:04:01 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-01-10 11:22:17 UTC
alpha stable
Comment 18 Agostino Sarubbo gentoo-dev 2016-01-11 09:56:42 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 19 Justin Lecher (RETIRED) gentoo-dev 2016-01-11 10:17:25 UTC
commit d36d7fcf8d7df517ef6fc11a31a63052aae3a707
Author: Justin Lecher <>
Date:   Mon Jan 11 11:16:52 2016 +0100

    www-servers/tornado: Drop versions vulnerable to CVE-2014-9720



    Package-Manager: portage-2.2.26
    Signed-off-by: Justin Lecher <>
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 06:53:01 UTC
GLSA Vote: No

Thank you all for you work. 
Closing as [noglsa].