[MIR] python-tornado

Bug #1047432 reported by Chuck Short
Affects: python-tornado (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

Availability: Currently in universe
Rationale: Dependency for python-urllib3
Security: No security history.
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.
Dependencies: All are in main

Chuck Short (zulcss)
Changed in python-tornado (Ubuntu):
importance: Undecided → Critical
Michael Terry (mterry) wrote :

Test suite should be run. PYTHONPATH=. pythonX.X tornado/test/runtests.py seems to do it. Looking further.

Changed in python-tornado (Ubuntu):
status: New → Incomplete
Michael Terry (mterry) wrote :

Looks fine once the tests are enabled. But since there is a recent history of CVEs (security update in precise), I'll pass over to Jamie for a quick audit.

Changed in python-tornado (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Security review:
* One CVE: CVE-2012-2374. Issue was fixed promptly and with a one-line patch
* Python library
* Lintian clean, no initscripts/upstart jobs, no dbus services, not setuid/fscaps/sudo/pkexec, no cron jobs. Has a testsuite, but not enabled.
* Uses the system ca-certificates file. Defaults to certificate verification.
* Minor nit: demos have predictable filenames in /tmp

Conditional ACK provided the testsuite is enabled.

Changed in python-tornado (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Chuck Short (zulcss)
status: Incomplete → In Progress
Julian Taylor (jtaylor) wrote :

What exactly does urllib3 need tornado for?
It isn't clear to me from the package descriptions.

The testsuites aren't enabled in Debian because some were failing and others required internet access. It could not be resolved before the Debian freeze.

Matthias Klose (doko) wrote :

test/README reads:

Test coverage is almost non-existent, but it's a start. Be sure to
set PYTHONPATH appropriately (generally to the root directory of your
tornado checkout) when running tests to make sure you're getting the
version of the tornado package that you expect.

Jamie Strandboge (jdstrand) wrote :

Is it possible to enable the testsuite based on Matthias' comments?

Chuck Short (zulcss) wrote :

I enabled the testsuite in the last upload.

Jamie Strandboge (jdstrand) wrote :

With the testsuite enabled, ACK. Please feel free to seed or make this a dependency/recommends of another package in main.

Changed in python-tornado (Ubuntu):
status: In Progress → Fix Committed
Dave Walker (davewalker) wrote :

Override component to main
python-tornado 2.3-2ubuntu1 in quantal: universe/python -> main
1 publication overridden.

Changed in python-tornado (Ubuntu):
status: Fix Committed → Fix Released
Christian Ehrhardt (paelzer) wrote :

FYI
This was demoted in Bionic and later but now came back as a dependency of the PCS stack (bug 1953341).
The new case is here: https://bugs.launchpad.net/ubuntu/+source/python-tornado/+bug/1990191

Changed in python-tornado (Ubuntu):
status: Fix Released → Fix Committed
assignee: Chuck Short (zulcss) → nobody
status: Fix Committed → Fix Released