SUSE SLED12 Security Update : python-tornado (SUSE-SU-2016:1195-1)

medium Nessus Plugin ID 90883

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features.

The following security issues have been fixed :

- A path traversal vulnerability in StaticFileHandler, in which files whose names started with the static_path directory but were not actually in that directory could be accessed.

- The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack.
This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). (bsc#930362, CVE-2014-9720)

- The signed-value format used by RequestHandler.{g,s}et_secure_cookie changed to be more secure. (bsc#930361)

The following enhancements have been implemented :

- SSLIOStream.connect and IOStream.start_tls now validate certificates by default.

- Certificate validation will now use the system CA root certificates.

- The default SSL configuration has become stricter, using ssl.create_default_context where available on the client side.

- The deprecated classes in the tornado.auth module, GoogleMixin, FacebookMixin and FriendFeedMixin have been removed.

- New modules have been added: tornado.locks and tornado.queues.

- The tornado.websocket module now supports compression via the 'permessage-deflate' extension.

- Tornado now depends on the backports.ssl_match_hostname when running on Python 2.

For a comprehensive list of changes, please refer to the release notes :

- http://www.tornadoweb.org/en/stable/releases/v4.2.0.html

- http://www.tornadoweb.org/en/stable/releases/v4.1.0.html

- http://www.tornadoweb.org/en/stable/releases/v4.0.0.html

- http://www.tornadoweb.org/en/stable/releases/v3.2.0.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12-SP1 :

zypper in -t patch SUSE-SLE-WE-12-SP1-2016-589=1

SUSE Linux Enterprise Workstation Extension 12 :

zypper in -t patch SUSE-SLE-WE-12-2016-589=1

SUSE Linux Enterprise Desktop 12-SP1 :

zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-589=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2016-589=1

To bring your system up-to-date, use 'zypper patch'.

See Also

http://www.tornadoweb.org/en/stable/releases/v3.2.0.html

http://www.tornadoweb.org/en/stable/releases/v4.0.0.html

http://www.tornadoweb.org/en/stable/releases/v4.1.0.html

http://www.tornadoweb.org/en/stable/releases/v4.2.0.html

https://bugzilla.suse.com/show_bug.cgi?id=930361

https://bugzilla.suse.com/show_bug.cgi?id=930362

https://bugzilla.suse.com/show_bug.cgi?id=974657

https://www.suse.com/security/cve/CVE-2014-9720/

http://www.nessus.org/u?4b05bcc2

Plugin Details

Severity: Medium

ID: 90883

File Name: suse_SU-2016-1195-1.nasl

Version: 2.9

Type: local

Agent: unix

Published: 5/4/2016

Updated: 1/6/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:python-tornado, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/2/2016

Vulnerability Publication Date: 1/24/2020

Reference Information

CVE: CVE-2014-9720