Bugzilla – Bug 1211741
VUL-0: CVE-2023-28370: python-tornado: open redirect vulnerability in StaticFileHandler under certain configurations.
Last modified: 2024-06-18 12:02:46 UTC
CVE-2023-28370 Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28370 https://bugzilla.redhat.com/show_bug.cgi?id=2210199 https://www.cve.org/CVERecord?id=CVE-2023-28370 https://github.com/tornadoweb/tornado/releases/tag/v6.3.2 https://jvn.jp/en/jp/JVN45127776/
Hi Stoyan: python-tornado's build was disabled for RHEL and Ubuntu repo on IBS. Do I still need to port this fix to them? If so, please indicate which repo could build RHEL7/8 and Ubuntu sources. Thank you! [1]. SUSE:RES-7:Update / python-tornado 4.2.1 [2]. SUSE:RES-7:Update:Products:ManagerToolsBeta:Update / python-tornado 4.2.1 [3]. SUSE:RES-8:Update:Products:ManagerTools:Update / python-tornado 4.2.1 [4]. SUSE:RES-8:Update:Products:ManagerToolsBeta:Update / python-tornado 4.2.1 [5]. SUSE:Ubuntu-18.04:Update / python-tornado 4.2.1 [5]. SUSE:Ubuntu-18.04:Update:Products:ManagerToolsBeta:Update / python-tornado 4.2.1
(In reply to Cliff Zhao from comment #10) > Hi Stoyan: > python-tornado's build was disabled for RHEL and Ubuntu repo on IBS. Do I > still need to port this fix to them? If so, please indicate which repo could > build RHEL7/8 and Ubuntu sources. > Thank you! > > [1]. SUSE:RES-7:Update / python-tornado 4.2.1 > [2]. SUSE:RES-7:Update:Products:ManagerToolsBeta:Update / python-tornado > 4.2.1 > [3]. SUSE:RES-8:Update:Products:ManagerTools:Update / python-tornado 4.2.1 > [4]. SUSE:RES-8:Update:Products:ManagerToolsBeta:Update / python-tornado > 4.2.1 > [5]. SUSE:Ubuntu-18.04:Update / python-tornado 4.2.1 > [5]. SUSE:Ubuntu-18.04:Update:Products:ManagerToolsBeta:Update / > python-tornado 4.2.1 @Cliff: for the SUSE Manager codestreams, please do not submit now. We will take care of the fixes with the next SUSE Manager 4.3.7 round that will be released on July.
(In reply to Marina Latini from comment #12) > (In reply to Cliff Zhao from comment #10) > > Hi Stoyan: > > python-tornado's build was disabled for RHEL and Ubuntu repo on IBS. Do I > > still need to port this fix to them? If so, please indicate which repo could > > build RHEL7/8 and Ubuntu sources. > > Thank you! > > > > [1]. SUSE:RES-7:Update / python-tornado 4.2.1 > > [2]. SUSE:RES-7:Update:Products:ManagerToolsBeta:Update / python-tornado > > 4.2.1 > > [3]. SUSE:RES-8:Update:Products:ManagerTools:Update / python-tornado 4.2.1 > > [4]. SUSE:RES-8:Update:Products:ManagerToolsBeta:Update / python-tornado > > 4.2.1 > > [5]. SUSE:Ubuntu-18.04:Update / python-tornado 4.2.1 > > [5]. SUSE:Ubuntu-18.04:Update:Products:ManagerToolsBeta:Update / > > python-tornado 4.2.1 > > @Cliff: for the SUSE Manager codestreams, please do not submit now. > We will take care of the fixes with the next SUSE Manager 4.3.7 round that > will be released on July. Okay, in this way, thank you for taking care of these fixes. I didn't find the SUSE Manager's group account on Bugzilla, so I transfer it to you, please pass it to the right person. and I keep myself on the CC list, just in case there have anything related to me. Thank you for the clarification.
(In reply to Cliff Zhao from comment #13) > Okay, in this way, thank you for taking care of these fixes. > I didn't find the SUSE Manager's group account on Bugzilla, so I transfer it > to you, please pass it to the right person. and I keep myself on the CC > list, just in case there have anything related to me. Thank you for the > clarification. Hello Cliff, I checked the details with Pablo and I assigned this bsc to him. Thanks a lot for your support! Marina
All submissions are created now, so this is now done from our side. Resetting assignee back to Security team. Thanks!
SUSE-SU-2023:2770-1: An update that solves one vulnerability can now be installed. Category: security (low) Bug References: 1211741 CVE References: CVE-2023-28370 Sources used: HPE Helion OpenStack 8 (src): python-tornado-4.4.3-3.3.1 SUSE OpenStack Cloud 8 (src): python-tornado-4.4.3-3.3.1 SUSE OpenStack Cloud Crowbar 8 (src): python-tornado-4.4.3-3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2807-1: An update that solves one vulnerability can now be installed. Category: security (low) Bug References: 1211741 CVE References: CVE-2023-28370 Sources used: SUSE OpenStack Cloud 9 (src): python-tornado-4.5.3-3.3.1 SUSE OpenStack Cloud Crowbar 9 (src): python-tornado-4.5.3-3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3145-1: An update that solves one vulnerability and has two fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741 CVE References: CVE-2023-28370 Sources used: openSUSE Leap 15.4 (src): salt-3006.0-150400.8.37.2 openSUSE Leap Micro 5.3 (src): salt-3006.0-150400.8.37.2 openSUSE Leap Micro 5.4 (src): salt-3006.0-150400.8.37.2 SUSE Linux Enterprise Micro for Rancher 5.3 (src): salt-3006.0-150400.8.37.2 SUSE Linux Enterprise Micro 5.3 (src): salt-3006.0-150400.8.37.2 SUSE Linux Enterprise Micro for Rancher 5.4 (src): salt-3006.0-150400.8.37.2 SUSE Linux Enterprise Micro 5.4 (src): salt-3006.0-150400.8.37.2 Basesystem Module 15-SP4 (src): salt-3006.0-150400.8.37.2 Server Applications Module 15-SP4 (src): salt-3006.0-150400.8.37.2 Transactional Server Module 15-SP4 (src): salt-3006.0-150400.8.37.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3144-1: An update that solves one vulnerability, contains three features and has two fixes can now be installed. Category: security (moderate) Bug References: 1208612, 1211741, 1212279 CVE References: CVE-2023-28370 Jira References: MSQA-679, PED-3694, PED-4556 Sources used: openSUSE Leap Micro 5.3 (src): python-tornado-4.5.3-150000.3.6.1 openSUSE Leap Micro 5.4 (src): python-tornado-4.5.3-150000.3.6.1 openSUSE Leap 15.4 (src): python-tornado-4.5.3-150000.3.6.1, prometheus-blackbox_exporter-0.24.0-150000.1.20.2, spacecmd-4.3.22-150000.3.101.1, system-user-prometheus-1.0.0-150000.10.1 openSUSE Leap 15.5 (src): python-tornado-4.5.3-150000.3.6.1, prometheus-blackbox_exporter-0.24.0-150000.1.20.2, spacecmd-4.3.22-150000.3.101.1, system-user-prometheus-1.0.0-150000.10.1 SUSE Manager Client Tools for SLE 15 (src): prometheus-blackbox_exporter-0.24.0-150000.1.20.2, spacecmd-4.3.22-150000.3.101.1, system-user-prometheus-1.0.0-150000.10.1 SUSE Manager Client Tools for SLE Micro 5 (src): prometheus-blackbox_exporter-0.24.0-150000.1.20.2, system-user-prometheus-1.0.0-150000.10.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Micro 5.3 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Micro 5.4 (src): python-tornado-4.5.3-150000.3.6.1 Basesystem Module 15-SP4 (src): python-tornado-4.5.3-150000.3.6.1 Basesystem Module 15-SP5 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Manager Proxy 4.2 Module 4.2 (src): prometheus-blackbox_exporter-0.24.0-150000.1.20.2, system-user-prometheus-1.0.0-150000.10.1 SUSE Manager Proxy 4.3 Module 4.3 (src): prometheus-blackbox_exporter-0.24.0-150000.1.20.2, system-user-prometheus-1.0.0-150000.10.1 SUSE Manager Server 4.2 Module 4.2 (src): system-user-prometheus-1.0.0-150000.10.1 SUSE Manager Server 4.3 Module 4.3 (src): system-user-prometheus-1.0.0-150000.10.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Real Time 15 SP3 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Manager Proxy 4.2 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Manager Retail Branch Server 4.2 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Manager Server 4.2 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Enterprise Storage 7.1 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Enterprise Storage 7 (src): python-tornado-4.5.3-150000.3.6.1 SUSE CaaS Platform 4.0 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Micro 5.2 (src): python-tornado-4.5.3-150000.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-tornado-4.5.3-150000.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3143-1: An update that solves one vulnerability and has two fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741 CVE References: CVE-2023-28370 Sources used: SUSE Linux Enterprise Micro 5.2 (src): salt-3006.0-150300.53.53.2 SUSE Linux Enterprise Micro for Rancher 5.2 (src): salt-3006.0-150300.53.53.2 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): salt-3006.0-150300.53.53.2 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): salt-3006.0-150300.53.53.2 SUSE Linux Enterprise Real Time 15 SP3 (src): salt-3006.0-150300.53.53.2 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): salt-3006.0-150300.53.53.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): salt-3006.0-150300.53.53.2 SUSE Manager Proxy 4.2 (src): salt-3006.0-150300.53.53.2 SUSE Manager Retail Branch Server 4.2 (src): salt-3006.0-150300.53.53.2 SUSE Manager Server 4.2 (src): salt-3006.0-150300.53.53.2 SUSE Enterprise Storage 7.1 (src): salt-3006.0-150300.53.53.2 SUSE Linux Enterprise Micro 5.1 (src): salt-3006.0-150300.53.53.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3142-1: An update that solves one vulnerability, contains one feature and has four fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741, 1212516, 1212517 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: SUSE Manager Client Tools for SLE 15 (src): venv-salt-minion-3006.0-150000.3.35.1 SUSE Manager Client Tools for SLE Micro 5 (src): venv-salt-minion-3006.0-150000.3.35.1 SUSE Manager Proxy 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.35.1 SUSE Manager Server 4.3 Module 4.3 (src): venv-salt-minion-3006.0-150000.3.35.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3139-1: An update that solves one vulnerability and has two fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741 CVE References: CVE-2023-28370 Sources used: openSUSE Leap 15.5 (src): salt-3006.0-150500.4.12.2 Basesystem Module 15-SP5 (src): salt-3006.0-150500.4.12.2 Server Applications Module 15-SP5 (src): salt-3006.0-150500.4.12.2 Transactional Server Module 15-SP5 (src): salt-3006.0-150500.4.12.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3137-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: SUSE Manager Client Tools for RHEL, Liberty and Clones 9 (src): venv-salt-minion-3006.0-1.19.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202306:15228-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3134-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3132-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3131-1: An update that solves one vulnerability and has two fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741 CVE References: CVE-2023-28370 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.101.2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): salt-3006.0-150200.101.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): salt-3006.0-150200.101.2 SUSE Enterprise Storage 7 (src): salt-3006.0-150200.101.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3129-1: An update that solves one vulnerability, contains one feature and has seven fixes can now be installed. Category: security (moderate) Bug References: 1208612, 1210994, 1211591, 1211741, 1211754, 1212516, 1212517, 1213432 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3128-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: SUSE Manager Client Tools for SLE 12 (src): venv-salt-minion-3006.0-3.33.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202306:15226-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202306:15225-1: An update that solves one vulnerability, contains one feature and has five fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741, 1211754, 1212516, 1212517 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3123-1: An update that solves one vulnerability and has two fixes can now be installed. Category: security (moderate) Bug References: 1210994, 1211591, 1211741 CVE References: CVE-2023-28370 Sources used: SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.100.2 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): salt-3006.0-150100.100.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): salt-3006.0-150100.100.2 SUSE CaaS Platform 4.0 (src): salt-3006.0-150100.100.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3122-1: An update that solves one vulnerability, contains three features and has three fixes can now be installed. Category: security (moderate) Bug References: 1204089, 1208612, 1211741, 1212279 CVE References: CVE-2023-28370 Jira References: MSQA-679, PED-3694, PED-4556 Sources used: SUSE Manager Client Tools for SLE 12 (src): prometheus-blackbox_exporter-0.24.0-1.20.3, python-tornado-4.2.1-17.7.1, spacecmd-4.3.22-38.124.3, kiwi-desc-saltboot-0.1.1687520761.cefb248-1.35.2 Advanced Systems Management Module 12 (src): python-tornado-4.2.1-17.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202306:15224-1: An update that solves one vulnerability, contains one feature and has seven fixes can now be installed. Category: security (moderate) Bug References: 1208612, 1210994, 1211591, 1211741, 1211754, 1212516, 1212517, 1213432 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-202306:15222-1: An update that solves one vulnerability, contains one feature and has seven fixes can now be installed. Category: security (moderate) Bug References: 1208612, 1210994, 1211591, 1211741, 1211754, 1212516, 1212517, 1213432 CVE References: CVE-2023-28370 Jira References: MSQA-679 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1211741) was mentioned in https://build.opensuse.org/request/show/1102687 Factory / python-tornado6
SUSE-RU-2023:4408-1: An update that solves eight vulnerabilities, contains two features and has 48 fixes can now be installed. Category: recommended (important) Bug References: 1097531, 1182851, 1186738, 1190781, 1193357, 1193948, 1194632, 1195624, 1195895, 1196050, 1196432, 1197288, 1197417, 1197533, 1197637, 1198489, 1198556, 1198744, 1199149, 1199372, 1199562, 1200566, 1200596, 1201082, 1202165, 1202631, 1203685, 1203834, 1203886, 1204206, 1204939, 1205687, 1207071, 1208691, 1209233, 1210954, 1210994, 1211591, 1211612, 1211741, 1211754, 1212516, 1212517, 1212794, 1212844, 1212855, 1213257, 1213293, 1213441, 1213518, 1213630, 1213926, 1213960, 1214796, 1214797, 1215489 CVE References: CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941, CVE-2022-22967, CVE-2023-20897, CVE-2023-20898, CVE-2023-28370 Jira References: MSQA-706, PED-3139 Sources used: NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.