Certain input provided to the tornado.web.RequestHandler.set_header() function in tornado prior to 2.2.1 was reported . This flaw could be used to expose arbitrary HTTP headers in a response sent to the user.
Created python-tornado tracking bugs for this issue
Affects: fedora-all [bug 823214]
Affects: epel-6 [bug 823215]
This CVE is already reported in bug #822852.
Closing as a dublicate as there is also an CVE number.
(Correct me, if this needs to be handled differently...)
*** This bug has been marked as a duplicate of bug 822852 ***
No that's fine. Thanks, Thomas. I hadn't noticed the other bug.