Advisories » MGASA-2016-0418

Updated python-tornado package fixes security vulnerability

Publication date: 11 Dec 2016
Modification date: 11 Dec 2016
Type: security
Affected Mageia releases : 5

Description

A difference in cookie parsing between Tornado and web browsers
(especially when combined with Google Analytics) could allow an attacker
to set arbitrary cookies and bypass XSRF protection. The cookie parser
has been rewritten to fix this attack.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=19859
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PJEFGW4II3TYTO7TICVK47WENL2URP46/

SRPMS

5/core

• python-tornado-3.2.2-4.2.mga5