From ${URL}:

Security fixes

The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy).

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
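The masking scheme the quoted release note describes, as an added illustration that is not Tornado's own code (the token format, function names and length check below are this example's assumptions): the per-session secret is XORed with a fresh random mask on every response, so the bytes embedded in the page differ each time and the server compares the unmasked values in constant time.

```python
import hmac
import os
from typing import Optional

# Constructed illustration of the scheme in the release note above: the
# per-session secret is XORed with a fresh random mask on every response and
# transported as hex(mask) | hex(secret XOR mask).  The same secret yields
# different bytes each time, so no constant value stays in the compressed page
# for a compression-ratio oracle to probe.  Format and names are assumptions
# of this example, not Tornado's implementation.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mask_token(secret: bytes, mask: Optional[bytes] = None) -> str:
    """Encode `secret` as hex(mask) + '|' + hex(secret XOR mask).

    `mask` is drawn fresh from os.urandom unless supplied (tests only)."""
    if mask is None:
        mask = os.urandom(len(secret))
    if len(mask) != len(secret):
        raise ValueError("mask must be as long as the secret")
    return mask.hex() + "|" + _xor(secret, mask).hex()

def unmask_token(encoded: str) -> bytes:
    """Recover the secret from a masked token; raise ValueError if malformed."""
    mask_hex, sep, masked_hex = encoded.partition("|")
    if not sep:
        raise ValueError("missing separator")
    mask, masked = bytes.fromhex(mask_hex), bytes.fromhex(masked_hex)
    if not mask or len(mask) != len(masked):
        raise ValueError("mask/body length mismatch")
    return _xor(masked, mask)

def tokens_match(cookie_token: str, form_token: str) -> bool:
    """Verify the form token against the cookie token.

    Both sides are unmasked first, because the two encodings carry different
    masks and never compare equal as strings; the unmasked secrets are then
    compared in constant time with hmac.compare_digest."""
    try:
        return hmac.compare_digest(unmask_token(cookie_token), unmask_token(form_token))
    except ValueError:
        return False

if __name__ == "__main__":
    secret = os.urandom(16)
    a, b = mask_token(secret), mask_token(secret)
    print(a != b, tokens_match(a, b))
```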
Hey Agostino (or security), is there any action I need to take on this bug at this time?
(In reply to Alex Brandt from comment #1)
> Hey Agostino (or security), is there any action I need to take on this bug
> at this time?

You have to provide a fixed version in the tree at least.
> you have to provide fixed version in the tree at least

Where's the CVE or other information that outlines the exploit and affected versions? I see the URL points at 3.2.2; is that an unaffected version or the version that is affected? Versions through 4.2 are available in the tree now. Let me know if any of the versions satisfy the requirements.
That URL cites June 3, 2014. Unless version 3.2.2 of the 3.x series is required, this bug appears to have had its requirements met by *tornado-4.0.1 (02 Sep 2014), by me.
Created attachment 417306: tornado.list (Stable list)
Comment on attachment 417306 (tornado.list): wrong list
*** Bug 566144 has been marked as a duplicate of this bug. ***
Created attachment 417334: urllib3.list (Stable list)
@arches please stabilize =dev-python/urllib3-1.12 and revdep. List attached. For some arches we need to fix bug 564588 first.
@ia64 please also go stable here.
amd64 stable
Stable for HPPA.
Stable for PPC64.
arm stable
x86 stable
ppc stable
alpha stable
ia64 stable. Maintainer(s), please clean up. Security, please vote.
commit d36d7fcf8d7df517ef6fc11a31a63052aae3a707
Author: Justin Lecher <jlec@gentoo.org>
Date: Mon Jan 11 11:16:52 2016 +0100

    www-servers/tornado: Drop versions vulnerable to CVE-2014-9720

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=549898
    obsoletes Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=482494
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=487292
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=511514
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=535794

    Package-Manager: portage-2.2.26
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d36d7fcf8d7df517ef6fc11a31a63052aae3a707
GLSA Vote: No. Thank you all for your work. Closing as [noglsa].