
The following updates have been released for Debian GNU/Linux:

[DLA 279-1] python-tornado security update
[DSA 3312-1] cacti security update



[DLA 279-1] python-tornado security update

Package : python-tornado
Version : 1.0.1-1+deb6u1
CVE ID : CVE-2014-9720

A vulnerability was discovered in python-tornado, a Python scalable, non-blocking web server.

CVE-2014-9720

CSRF cookie allows side-channel attack against TLS (BREACH)

Security Fix

The XSRF token is now encoded with a random mask on each request. This makes
it safe to include in compressed pages without being vulnerable to the BREACH
attack.
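The masking scheme the fix describes, shown as an added illustration (this is not the python-tornado code itself): the secret token is XORed with a fresh random mask on every request, so the bytes embedded in the page differ each time while the server can still unmask and compare them. The function names, the `mask_hex|masked_hex` layout and the 4-byte mask length are assumptions of this example.

```python
import hmac
import os
import secrets
from typing import Optional

# Constructed example secret: in a real application this is the per-session
# value stored in the XSRF cookie, not a module-level constant.
RAW_TOKEN = secrets.token_bytes(16)


def _xor_mask(mask: bytes, data: bytes) -> bytes:
    """XOR every byte of data with the repeating mask."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def encode_masked_token(raw_token: bytes, mask: Optional[bytes] = None) -> str:
    """Return the token as 'mask_hex|masked_hex'.

    A fresh 4-byte mask is drawn for every call, so the string that lands in
    the (compressed) HTML changes on each request even though the underlying
    secret does not; a compression-oracle attack therefore has no stable
    secret to match against.
    """
    if mask is None:
        mask = os.urandom(4)
    masked = _xor_mask(mask, raw_token)
    return f"{mask.hex()}|{masked.hex()}"


def decode_masked_token(encoded: str) -> Optional[bytes]:
    """Recover the raw token, or None if the submitted value is malformed."""
    try:
        mask_hex, masked_hex = encoded.split("|", 1)
        mask, masked = bytes.fromhex(mask_hex), bytes.fromhex(masked_hex)
    except ValueError:
        return None
    if len(mask) != 4 or not masked:
        return None
    return _xor_mask(mask, masked)


def check_xsrf(submitted: str, expected_raw: bytes) -> bool:
    """Server-side check: unmask the form value and compare in constant time."""
    decoded = decode_masked_token(submitted)
    return decoded is not None and hmac.compare_digest(decoded, expected_raw)
```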

For the oldoldstable distribution (squeeze), this problem has been fixed in
version 1.0.1-1+deb6u1.

[DSA 3312-1] cacti security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3312-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
July 22, 2015                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cacti
CVE ID : CVE-2015-4634

Multiple SQL injection vulnerabilities were discovered in cacti, a web
interface for graphing of monitoring systems.

For the oldstable distribution (wheezy), this problem has been fixed
in version 0.8.8a+dfsg-5+deb7u6.

For the stable distribution (jessie), this problem has been fixed in
version 0.8.8b+dfsg-8+deb8u2.

For the testing distribution (stretch), this problem has been fixed
in version 0.8.8e+ds1-1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.8e+ds1-1.

We recommend that you upgrade your cacti packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/