Package "python-tornado"
Name: python-tornado
Description: This package is just an umbrella for a group of other packages, it has no description. Description samples from packages in group:
- scalable, non-blocking web server and tools - documentation
- scalable, non-blocking web server and tools - Python 3 package
Latest version: 6.4.0-1ubuntu0.4
Release: noble (24.04)
Level: security
Repository: main
Changelog
python-tornado (6.4.0-1ubuntu0.4) noble-security; urgency=medium
* SECURITY UPDATE: Cross site scripting in custom HTTP headers.
- debian/patches/CVE-2025-67724-pre*.patch: Restrict headers to printable
ASCII characters in tornado/httputil.py.
- debian/patches/CVE-2025-67724.patch: Add check for "<" and add
escape.xhtml_escape in status messages in tornado/web.py. Add tests in
tornado/test/web_test.py.
- CVE-2025-67724
* SECURITY UPDATE: Denial of service due to malicious HTTP requests with
repeated header names.
- debian/patches/CVE-2025-67725.patch: Replace self._dict with
self._combined_cache in tornado/httputil.py. Add tests in
tornado/test/httputil_test.py.
- debian/patches/CVE-2025-67725-post1.patch: Fix in-operator being case
sensitive due to last patch changes in tornado/httputil.py. Add tests in
tornado/test/httputil_test.py.
- CVE-2025-67725
* SECURITY UPDATE: Denial of service due to inefficient parsing of HTTP
header values.
- debian/patches/CVE-2025-67726.patch: Change _parseparam logic in
tornado/httputil.py. Add tests in tornado/test/httputil_test.py.
- CVE-2025-67726
-- Hlib Korzhynskyy <email address hidden> Wed, 07 Jan 2026 10:40:48 -0330
CVE-2025-67724: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in H
CVE-2025-67725: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can blo
CVE-2025-67726: Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters

python-tornado (6.4.0-1ubuntu0.2) noble-security; urgency=medium
* SECURITY UPDATE: denial of service
- debian/patches/CVE-2025-47287.patch: httputil: Raise errors
instead of logging in multipart/form-data parsing
- CVE-2025-47287
-- Shishir Subedi <email address hidden> Mon, 19 May 2025 15:11:21 +0545
CVE-2025-47287: Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it lo

python-tornado (6.4.0-1ubuntu0.1) noble-security; urgency=medium
* SECURITY UPDATE: Cookie header denial of service.
- debian/patches/CVE-2024-52804.patch: Replace algorithm in _OctalPatt,
_QuotePatt, and _nulljoin with _unquote_sub in tornado/httputil.py. Add
tests.
- CVE-2024-52804
-- Hlib Korzhynskyy <email address hidden> Thu, 28 Nov 2024 16:53:42 -0330
CVE-2024-52804: Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2