Bug 1211741 (CVE-2023-28370)

Summary: VUL-0: CVE-2023-28370: python-tornado: open redirect vulnerability in StaticFileHandler under certain configurations.
Product: [Novell Products] SUSE Security Incidents Reporter: Stoyan Manolov <stoyan.manolov>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: marina.latini, pablo.suarezhernandez, qzhao, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/367462/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-28370:3.4:(AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Stoyan Manolov 2023-05-26 07:25:32 UTC 
CVE-2023-28370

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a
remote unauthenticated attacker to redirect a user to an arbitrary web site and
conduct a phishing attack by having user access a specially crafted URL.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28370
https://bugzilla.redhat.com/show_bug.cgi?id=2210199
https://www.cve.org/CVERecord?id=CVE-2023-28370
https://github.com/tornadoweb/tornado/releases/tag/v6.3.2
https://jvn.jp/en/jp/JVN45127776/
Comment 10 Cliff Zhao 2023-05-31 13:07:04 UTC 
Hi Stoyan:
python-tornado's build was disabled for RHEL and Ubuntu repo on IBS. Do I still need to port this fix to them? If so, please indicate which repo could build RHEL7/8 and Ubuntu sources.
Thank you!

[1]. SUSE:RES-7:Update / python-tornado    4.2.1
[2]. SUSE:RES-7:Update:Products:ManagerToolsBeta:Update / python-tornado    4.2.1
[3]. SUSE:RES-8:Update:Products:ManagerTools:Update / python-tornado    4.2.1
[4]. SUSE:RES-8:Update:Products:ManagerToolsBeta:Update / python-tornado    4.2.1
[5]. SUSE:Ubuntu-18.04:Update / python-tornado    4.2.1
[5]. SUSE:Ubuntu-18.04:Update:Products:ManagerToolsBeta:Update / python-tornado    4.2.1
Comment 12 Marina Latini 2023-05-31 14:29:49 UTC 
(In reply to Cliff Zhao from comment #10)
> Hi Stoyan:
> python-tornado's build was disabled for RHEL and Ubuntu repo on IBS. Do I
> still need to port this fix to them? If so, please indicate which repo could
> build RHEL7/8 and Ubuntu sources.
> Thank you!
> 
> [1]. SUSE:RES-7:Update / python-tornado    4.2.1
> [2]. SUSE:RES-7:Update:Products:ManagerToolsBeta:Update / python-tornado   
> 4.2.1
> [3]. SUSE:RES-8:Update:Products:ManagerTools:Update / python-tornado    4.2.1
> [4]. SUSE:RES-8:Update:Products:ManagerToolsBeta:Update / python-tornado   
> 4.2.1
> [5]. SUSE:Ubuntu-18.04:Update / python-tornado    4.2.1
> [5]. SUSE:Ubuntu-18.04:Update:Products:ManagerToolsBeta:Update /
> python-tornado    4.2.1

@Cliff: for the SUSE Manager codestreams, please do not submit now.
We will take care of the fixes with the next SUSE Manager 4.3.7 round that will be released on July.
Comment 13 Cliff Zhao 2023-05-31 15:25:48 UTC 
(In reply to Marina Latini from comment #12)
> (In reply to Cliff Zhao from comment #10)
> > Hi Stoyan:
> > python-tornado's build was disabled for RHEL and Ubuntu repo on IBS. Do I
> > still need to port this fix to them? If so, please indicate which repo could
> > build RHEL7/8 and Ubuntu sources.
> > Thank you!
> > 
> > [1]. SUSE:RES-7:Update / python-tornado    4.2.1
> > [2]. SUSE:RES-7:Update:Products:ManagerToolsBeta:Update / python-tornado   
> > 4.2.1
> > [3]. SUSE:RES-8:Update:Products:ManagerTools:Update / python-tornado    4.2.1
> > [4]. SUSE:RES-8:Update:Products:ManagerToolsBeta:Update / python-tornado   
> > 4.2.1
> > [5]. SUSE:Ubuntu-18.04:Update / python-tornado    4.2.1
> > [5]. SUSE:Ubuntu-18.04:Update:Products:ManagerToolsBeta:Update /
> > python-tornado    4.2.1
> 
> @Cliff: for the SUSE Manager codestreams, please do not submit now.
> We will take care of the fixes with the next SUSE Manager 4.3.7 round that
> will be released on July.
Okay, in this way, thank you for taking care of these fixes.
I didn't find the SUSE Manager's group account on Bugzilla, so I transfer it to you, please pass it to the right person. and I keep myself on the CC list, just in case there have anything related to me. Thank you for the clarification.
Comment 14 Marina Latini 2023-05-31 16:14:58 UTC 
(In reply to Cliff Zhao from comment #13)
> Okay, in this way, thank you for taking care of these fixes.
> I didn't find the SUSE Manager's group account on Bugzilla, so I transfer it
> to you, please pass it to the right person. and I keep myself on the CC
> list, just in case there have anything related to me. Thank you for the
> clarification.

Hello Cliff, I checked the details with Pablo and I assigned this bsc to him. Thanks a lot for your support!

Marina
Comment 21 Pablo Suárez Hernández 2023-06-27 15:32:39 UTC 
All submissions are created now, so this is now done from our side.

Resetting assignee back to Security team.

Thanks!
Comment 28 Maintenance Automation 2023-07-04 08:30:05 UTC 
SUSE-SU-2023:2770-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1211741
CVE References: CVE-2023-28370
Sources used:
HPE Helion OpenStack 8 (src): python-tornado-4.4.3-3.3.1
SUSE OpenStack Cloud 8 (src): python-tornado-4.4.3-3.3.1
SUSE OpenStack Cloud Crowbar 8 (src): python-tornado-4.4.3-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Maintenance Automation 2023-07-11 12:30:02 UTC 
SUSE-SU-2023:2807-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1211741
CVE References: CVE-2023-28370
Sources used:
SUSE OpenStack Cloud 9 (src): python-tornado-4.5.3-3.3.1
SUSE OpenStack Cloud Crowbar 9 (src): python-tornado-4.5.3-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Maintenance Automation 2023-08-02 08:45:10 UTC 
SUSE-SU-2023:3145-1: An update that solves one vulnerability and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741
CVE References: CVE-2023-28370
Sources used:
openSUSE Leap 15.4 (src): salt-3006.0-150400.8.37.2
openSUSE Leap Micro 5.3 (src): salt-3006.0-150400.8.37.2
openSUSE Leap Micro 5.4 (src): salt-3006.0-150400.8.37.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): salt-3006.0-150400.8.37.2
SUSE Linux Enterprise Micro 5.3 (src): salt-3006.0-150400.8.37.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src): salt-3006.0-150400.8.37.2
SUSE Linux Enterprise Micro 5.4 (src): salt-3006.0-150400.8.37.2
Basesystem Module 15-SP4 (src): salt-3006.0-150400.8.37.2
Server Applications Module 15-SP4 (src): salt-3006.0-150400.8.37.2
Transactional Server Module 15-SP4 (src): salt-3006.0-150400.8.37.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Maintenance Automation 2023-08-02 08:45:14 UTC 
SUSE-SU-2023:3144-1: An update that solves one vulnerability, contains three features and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1208612, 1211741, 1212279
CVE References: CVE-2023-28370
Jira References: MSQA-679, PED-3694, PED-4556
Sources used:
openSUSE Leap Micro 5.3 (src): python-tornado-4.5.3-150000.3.6.1
openSUSE Leap Micro 5.4 (src): python-tornado-4.5.3-150000.3.6.1
openSUSE Leap 15.4 (src): python-tornado-4.5.3-150000.3.6.1, prometheus-blackbox_exporter-0.24.0-150000.1.20.2, spacecmd-4.3.22-150000.3.101.1, system-user-prometheus-1.0.0-150000.10.1
openSUSE Leap 15.5 (src): python-tornado-4.5.3-150000.3.6.1, prometheus-blackbox_exporter-0.24.0-150000.1.20.2, spacecmd-4.3.22-150000.3.101.1, system-user-prometheus-1.0.0-150000.10.1
SUSE Manager Client Tools for SLE 15 (src): prometheus-blackbox_exporter-0.24.0-150000.1.20.2, spacecmd-4.3.22-150000.3.101.1, system-user-prometheus-1.0.0-150000.10.1
SUSE Manager Client Tools for SLE Micro 5 (src): prometheus-blackbox_exporter-0.24.0-150000.1.20.2, system-user-prometheus-1.0.0-150000.10.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Micro 5.3 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Micro 5.4 (src): python-tornado-4.5.3-150000.3.6.1
Basesystem Module 15-SP4 (src): python-tornado-4.5.3-150000.3.6.1
Basesystem Module 15-SP5 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Manager Proxy 4.2 Module 4.2 (src): prometheus-blackbox_exporter-0.24.0-150000.1.20.2, system-user-prometheus-1.0.0-150000.10.1
SUSE Manager Proxy 4.3 Module 4.3 (src): prometheus-blackbox_exporter-0.24.0-150000.1.20.2, system-user-prometheus-1.0.0-150000.10.1
SUSE Manager Server 4.2 Module 4.2 (src): system-user-prometheus-1.0.0-150000.10.1
SUSE Manager Server 4.3 Module 4.3 (src): system-user-prometheus-1.0.0-150000.10.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Real Time 15 SP3 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Manager Proxy 4.2 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Manager Retail Branch Server 4.2 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Manager Server 4.2 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Enterprise Storage 7.1 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Enterprise Storage 7 (src): python-tornado-4.5.3-150000.3.6.1
SUSE CaaS Platform 4.0 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Micro 5.2 (src): python-tornado-4.5.3-150000.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-tornado-4.5.3-150000.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Maintenance Automation 2023-08-02 08:45:18 UTC 
SUSE-SU-2023:3143-1: An update that solves one vulnerability and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741
CVE References: CVE-2023-28370
Sources used:
SUSE Linux Enterprise Micro 5.2 (src): salt-3006.0-150300.53.53.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): salt-3006.0-150300.53.53.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): salt-3006.0-150300.53.53.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): salt-3006.0-150300.53.53.2
SUSE Linux Enterprise Real Time 15 SP3 (src): salt-3006.0-150300.53.53.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): salt-3006.0-150300.53.53.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): salt-3006.0-150300.53.53.2
SUSE Manager Proxy 4.2 (src): salt-3006.0-150300.53.53.2
SUSE Manager Retail Branch Server 4.2 (src): salt-3006.0-150300.53.53.2
SUSE Manager Server 4.2 (src): salt-3006.0-150300.53.53.2
SUSE Enterprise Storage 7.1 (src): salt-3006.0-150300.53.53.2
SUSE Linux Enterprise Micro 5.1 (src): salt-3006.0-150300.53.53.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Maintenance Automation 2023-08-02 08:45:21 UTC 
SUSE-SU-2023:3142-1: An update that solves one vulnerability, contains one feature and has four fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741, 1212516, 1212517
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:
SUSE Manager Client Tools for SLE 15 (src): venv-salt-minion-3006.0-150000.3.35.1
SUSE Manager Client Tools for SLE Micro 5 (src): venv-salt-minion-3006.0-150000.3.35.1
SUSE Manager Proxy 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.35.1
SUSE Manager Server 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Maintenance Automation 2023-08-02 08:45:24 UTC 
SUSE-SU-2023:3139-1: An update that solves one vulnerability and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741
CVE References: CVE-2023-28370
Sources used:
openSUSE Leap 15.5 (src): salt-3006.0-150500.4.12.2
Basesystem Module 15-SP5 (src): salt-3006.0-150500.4.12.2
Server Applications Module 15-SP5 (src): salt-3006.0-150500.4.12.2
Transactional Server Module 15-SP5 (src): salt-3006.0-150500.4.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Maintenance Automation 2023-08-02 08:45:28 UTC 
SUSE-SU-2023:3137-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:
SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): venv-salt-minion-3006.0-1.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Maintenance Automation 2023-08-02 08:45:45 UTC 
SUSE-SU-202306:15228-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 Maintenance Automation 2023-08-02 08:45:48 UTC 
SUSE-SU-2023:3134-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 Maintenance Automation 2023-08-02 08:45:51 UTC 
SUSE-SU-2023:3132-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 39 Maintenance Automation 2023-08-02 08:45:54 UTC 
SUSE-SU-2023:3131-1: An update that solves one vulnerability and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741
CVE References: CVE-2023-28370
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.101.2
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.101.2
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): salt-3006.0-150200.101.2
SUSE Enterprise Storage 7 (src): salt-3006.0-150200.101.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 40 Maintenance Automation 2023-08-02 08:46:00 UTC 
SUSE-SU-2023:3129-1: An update that solves one vulnerability, contains one feature and has seven fixes can now be installed.

Category: security (moderate)
Bug References: 1208612, 1210994, 1211591, 1211741, 1211754, 1212516, 1212517, 1213432
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 41 Maintenance Automation 2023-08-02 08:46:03 UTC 
SUSE-SU-2023:3128-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:
SUSE Manager Client Tools for SLE 12 (src): venv-salt-minion-3006.0-3.33.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 42 Maintenance Automation 2023-08-02 08:46:06 UTC 
SUSE-SU-202306:15226-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 43 Maintenance Automation 2023-08-02 08:46:09 UTC 
SUSE-SU-202306:15225-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 44 Maintenance Automation 2023-08-02 08:46:17 UTC 
SUSE-SU-2023:3123-1: An update that solves one vulnerability and has two fixes can now be installed.

Category: security (moderate)
Bug References: 1210994, 1211591, 1211741
CVE References: CVE-2023-28370
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.100.2
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.100.2
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): salt-3006.0-150100.100.2
SUSE CaaS Platform 4.0 (src): salt-3006.0-150100.100.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 45 Maintenance Automation 2023-08-02 08:46:20 UTC 
SUSE-SU-2023:3122-1: An update that solves one vulnerability, contains three features and has three fixes can now be installed.

Category: security (moderate)
Bug References: 1204089, 1208612, 1211741, 1212279
CVE References: CVE-2023-28370
Jira References: MSQA-679, PED-3694, PED-4556
Sources used:
SUSE Manager Client Tools for SLE 12 (src): prometheus-blackbox_exporter-0.24.0-1.20.3, python-tornado-4.2.1-17.7.1, spacecmd-4.3.22-38.124.3, kiwi-desc-saltboot-0.1.1687520761.cefb248-1.35.2
Advanced Systems Management Module 12 (src): python-tornado-4.2.1-17.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 46 Maintenance Automation 2023-08-02 08:46:24 UTC 
SUSE-SU-202306:15224-1: An update that solves one vulnerability, contains one feature and has seven fixes can now be installed.

Category: security (moderate)
Bug References: 1208612, 1210994, 1211591, 1211741, 1211754, 1212516, 1212517, 1213432
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 48 Maintenance Automation 2023-08-02 12:31:03 UTC 
SUSE-SU-202306:15222-1: An update that solves one vulnerability, contains one feature and has seven fixes can now be installed.

Category: security (moderate)
Bug References: 1208612, 1210994, 1211591, 1211741, 1211754, 1212516, 1212517, 1213432
CVE References: CVE-2023-28370
Jira References: MSQA-679
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 49 OBSbugzilla Bot 2023-08-07 11:55:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1211741) was mentioned in
https://build.opensuse.org/request/show/1102687 Factory / python-tornado6
Comment 55 Maintenance Automation 2023-11-09 08:30:23 UTC 
SUSE-RU-2023:4408-1: An update that solves eight vulnerabilities, contains two features and has 48 fixes can now be installed.

Category: recommended (important)
Bug References: 1097531, 1182851, 1186738, 1190781, 1193357, 1193948, 1194632, 1195624, 1195895, 1196050, 1196432, 1197288, 1197417, 1197533, 1197637, 1198489, 1198556, 1198744, 1199149, 1199372, 1199562, 1200566, 1200596, 1201082, 1202165, 1202631, 1203685, 1203834, 1203886, 1204206, 1204939, 1205687, 1207071, 1208691, 1209233, 1210954, 1210994, 1211591, 1211612, 1211741, 1211754, 1212516, 1212517, 1212794, 1212844, 1212855, 1213257, 1213293, 1213441, 1213518, 1213630, 1213926, 1213960, 1214796, 1214797, 1215489
CVE References: CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941, CVE-2022-22967, CVE-2023-20897, CVE-2023-20898, CVE-2023-28370
Jira References: MSQA-706, PED-3139
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.