Fedora 22 Security Update: python-tornado-3.2.2-1.fc22

Resolved Bugs
1222816 – CVE-2014-9720 python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH)
1222819 – python-tornado: XSRF cookie allows side-channel attack against TLS (BREACH) [fedora-all]
Security fixes
The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy).
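
The following is an added illustration, not Tornado's own code, of how a per-request random mask keeps the token text in the page different on every response while still validating against the stored token. The function names, the 4-byte mask, and the hex encoding are assumptions made for this example.

```python
import binascii
import hmac
import os
from itertools import cycle

MASK_LEN = 4  # assumption: mask size chosen for this sketch


def _xor(mask: bytes, data: bytes) -> bytes:
    """XOR data with the mask, repeating the mask as needed."""
    return bytes(m ^ d for m, d in zip(cycle(mask), data))


def new_token() -> bytes:
    """Long-lived secret token, stored in the XSRF cookie."""
    return os.urandom(16)


def encode_for_page(token: bytes, mask: bytes = None) -> str:
    """Return the value embedded in a response body.

    A fresh random mask is drawn on every call, so the bytes that end up
    in the compressed page never repeat, even though the token is fixed.
    """
    if mask is None:
        mask = os.urandom(MASK_LEN)
    if len(mask) != MASK_LEN:
        raise ValueError("mask must be MASK_LEN bytes")
    return (mask + _xor(mask, token)).hex()


def decode_from_request(encoded: str):
    """Recover the raw token from a submitted value, or None if malformed."""
    try:
        raw = binascii.unhexlify(encoded)
    except ValueError:  # covers binascii.Error (odd length, non-hex)
        return None
    if len(raw) <= MASK_LEN:
        return None
    return _xor(raw[:MASK_LEN], raw[MASK_LEN:])


def is_valid(cookie_token: bytes, submitted: str) -> bool:
    """Constant-time comparison of the unmasked value with the cookie token."""
    decoded = decode_from_request(submitted)
    return decoded is not None and hmac.compare_digest(decoded, cookie_token)
```
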
Backwards-compatibility notes
If Tornado 3.2.2 is run at the same time as older versions on the same domain, there is some potential for issues with the differing cookie versions. The Application setting xsrf_cookie_version=1 can be used for a transitional period to generate the older cookie format on newer servers.

Fedora 22 Security Update: nss-3.19.1-1.0.fc22,nss-softokn-3.19.1-1.0.fc22,nss-util-3.19.1-1.0.fc22

Resolved Bugs
1224448 – CVE-2015-4000 nss: LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks [fedora-all]
1214732 – nss-3.19.1 is available
1223211 – CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
Security fix for CVE-2015-4000
Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published logjam attack.
The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default.
For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes documents:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes