84 matches found
PYSEC-2020-213
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
CVE-2014-9720
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
CVE-2014-9720
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests...
When Time is of the Essence – Testing Controls Against the Latest Threats Faster
A new threat has hit head the headlines Robinhood anyone?, and you need to know if you're protected right now. What do you do? Traditionally, you would have to go with one of the options below. Option 1 – Manually check that IoCs have been updated across your security controls. This would require...
Legal Robot: SSL BREACH attack (CVE-2013-3587)
Hello security team, The site legalrobot.com is potentially vulnerable to the BREACH attack. Allowing an attacker the ability to: - Inject partial chosen plaintext into a victim's requests - Measure the size of encrypted traffic - can leverage information leaked by compression to recover targeted...
Debian DLA-475-1 : python-tornado security update
It was discovered that python-tornado, a Python web framework and asynchronous networking library, was susceptible for the BREACH attack. The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable. For Debian 7...
DLA-475-1 python-tornado - security update
Bulletin has no description...
SUSE SLED12 Security Update : python-tornado (SUSE-SU-2016:1195-1)
The python-tornado module was updated to version 4.2.1, which brings several fixes, enhancements and new features. The following security issues have been fixed : - A path traversal vulnerability in StaticFileHandler, in which files whose names started with the staticpath directory but were not...
BREACH Revived to Steal Private Messages from Gmail, Facebook
The BREACH attack hasn’t been top of mind since the summer of 2013, but two researchers have found new ways to exploit and persistently attack traffic, including Gmail and Facebook chat sessions. The research was shared late last week in Singapore at Black Hat Asia where Dimitris Karakostas of th...
Debian DLA-336-1 : phpmyadmin security update
Several issues have been fixed in phpMyAdmin, the web administration tool for MySQL. CVE-2014-8958 Multiple cross-site scripting XSS vulnerabilities. CVE-2014-9218 Denial of service resource consumption via a long password. CVE-2015-2206 Risk of BREACH attack due to reflected parameter...
[SECURITY] [DSA 3382-1] phpmyadmin security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3382-1 [email protected] https://www.debian.org/security/ Thijs Kinkhorst October 28, 2015 https://www.debian.org/security/faq -...
Debian Security Advisory DSA 3382-1 (phpmyadmin - security update)
Several issues have been fixed in phpMyAdmin, the web administration tool for MySQL. CVE-2014-8958 Wheezy only Multiple cross-site scripting XSS vulnerabilities. CVE-2014-9218 Wheezy only Denial of service resource consumption via a long password. CVE-2015-2206 Risk of BREACH attack due to...
DLA-336-1 phpmyadmin - security update
Bulletin has no description...
Debian: Security Advisory (DSA-3382-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] [DLA 279-1] python-tornado security update
Package : python-tornado Version : 1.0.1-1+deb6u1 CVE ID : CVE-2014-9720 A vulnerability was discovered in python-tornado, a Python scalable, non- blocking web server. CVE-2014-9720 CSRF cookie allows side-channel attack against TLS BREACH Security Fix The XSRF token is now encoded with a random...
Updated python-tornado package fixes security vulnerability
Security fixes CVE-2014-9720 The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrfcookies and gzip options or have gzip applied by ...
MGASA-2015-0251 Updated python-tornado package fixes security vulnerability
Security fixes CVE-2014-9720 The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrfcookies and gzip options or have gzip applied by ...
Fedora 21 : python-tornado-3.2.2-1.fc21 (2015-8606)
Security fixes The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrfcookies and gzip options or have gzip applied by a proxy...
Fedora 22 : python-tornado-3.2.2-1.fc22 (2015-9143)
Security fixes The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrfcookies and gzip options or have gzip applied by a proxy...
Grindr v2.1.1 iOS & Account System - Breach Attack Vulnerability
Document Title: =============== Grindr v2.1.1 iOS & Account System - Breach Attack Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1420 Release Date: ============= 2015-05-03 Vulnerability Laboratory ID VL-ID:...