Date: Fri, 18 May 2012 11:40:56 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- Tornado (python-tornado): Tornado v2.2.1 tornado.web.RequestHandler.set_header() fix to prevent header injection


On 05/18/2012 04:40 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> Package:
> --------
> Tornado is an open source version of the scalable, non-blocking web
> server and tools that power FriendFeed:
> 
> URL: http://www.tornadoweb.org/
> ----
> 
> Issue:
> ------
> A possibility of a header injection / response splitting flaw was
> found in the way the web request handler of Tornado, a scalable,
> non-blocking web server and tools, performed sanitization of the
> input arguments provided to the routine setting the HTTP response
> header name and value. If an application using the Tornado web
> framework accepted untrusted user input and, based on that input,
> updated the HTTP headers content (to redirect the user etc.), a
> remote attacker could, by providing a specially-crafted input, use
> this flaw to perform cross-site scripting attacks, cross-user
> defacement, web cache poisoning etc.
> 
> Upstream v2.2.1 release changelog: [1]
> http://www.tornadoweb.org/documentation/releases/v2.2.1.html
> 
> References:
> [2] https://bugs.gentoo.org/show_bug.cgi?id=415903
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=822852
> 
> Could you allocate a CVE id for this? (should be CVE-2012-* one)
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-2374 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


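The set_header() sanitization gap described in Jan's report, as an added illustration written for this page (it is not Tornado's own code): a stand-in response-header store with the unchecked behaviour beside a hardened version that refuses control characters in header names and values, plus a helper that counts the header lines a crafted value ends up producing on the wire. All class and function names are assumptions.

```python
import re

# Any CR, LF or other C0/DEL control byte in a header name or value breaks the
# line-based HTTP/1.x header framing; the hardened path rejects the whole header
# rather than silently stripping bytes.
_CONTROL_CHAR_RE = re.compile(r"[\x00-\x1f\x7f]")
# RFC 7230 "token" characters, the only ones allowed in a header name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would alter response framing."""


class ResponseHeaders:
    """Collects headers and renders them exactly as they would go on the wire."""

    def __init__(self):
        self._headers = {}

    def set_header_unchecked(self, name, value):
        # Pre-fix behaviour: whatever the caller passes lands in the response.
        self._headers[name] = str(value)

    def set_header(self, name, value):
        # Hardened behaviour: validate name and value before storing.
        value = str(value)
        if not _TOKEN_RE.match(name):
            raise HeaderInjectionError("invalid header name: %r" % name)
        if _CONTROL_CHAR_RE.search(value):
            raise HeaderInjectionError("control character in header value: %r" % value)
        self._headers[name] = value

    def render(self):
        lines = ["HTTP/1.1 302 Found"]
        lines += ["%s: %s" % (k, v) for k, v in self._headers.items()]
        return "\r\n".join(lines) + "\r\n\r\n"


def header_line_count(raw):
    """Count header lines in a rendered response; an injected CRLF shows up as extra lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1  # minus the status line
```

With a constructed redirect target containing a CRLF, set_header_unchecked() yields two header lines where one was intended, while set_header() raises HeaderInjectionError before anything reaches the response.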