Candidate: CVE-2020-28476
PublicDate: 2021-01-18 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28476
 https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
 https://snyk.io/vuln/SNYK-PYTHON-TORNADO-1017109
Description:
 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-23336.
 Reason: This candidate is a reservation duplicate of CVE-2021-23336. Notes:
 All CVE users should reference CVE-2021-23336 instead of this candidate. All
 references and descriptions in this candidate have been removed to prevent
 accidental usage.
Ubuntu-Description:
Notes:
 mdeslaur> per tornado developers, this isn't an issue in tornado itself,
 mdeslaur> but in the python standard library.
 mdeslaur> as of 2021-01-29, no details on possible fix from upstream
Mitigation:
Bugs:
 https://github.com/tornadoweb/tornado/issues/2981
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H [6.8 MEDIUM]

Patches_python-tornado:
upstream_python-tornado: needs-triage
precise/esm_python-tornado: DNE
trusty_python-tornado: ignored (out of standard support)
trusty/esm_python-tornado: DNE
xenial_python-tornado: deferred (2021-01-29)
esm-infra/xenial_python-tornado: deferred (2021-01-29)
bionic_python-tornado: deferred (2021-01-29)
focal_python-tornado: deferred (2021-01-29)
groovy_python-tornado: deferred (2021-01-29)
devel_python-tornado: deferred (2021-01-29)

Patches_python-tornado4:
upstream_python-tornado4: needs-triage
precise/esm_python-tornado4: DNE
trusty_python-tornado4: ignored (out of standard support)
trusty/esm_python-tornado4: DNE
xenial_python-tornado4: DNE
bionic_python-tornado4: DNE
focal_python-tornado4: deferred (2021-01-29)
groovy_python-tornado4: DNE
devel_python-tornado4: DNE