Package "python-tornado-doc"
| Name: | python-tornado-doc |
| Description: | scalable, non-blocking web server and tools - documentation |
| Latest version: | 6.4.2-3ubuntu0.3 |
| Release: | questing (25.10) |
| Level: | security |
| Repository: | main |
| Head package: | python-tornado |
| Homepage: | https://www.tornadoweb.org/ |
Changelog
python-tornado (6.4.2-3ubuntu0.3) questing-security; urgency=medium
* SECURITY UPDATE: Denial of service when parsing large multipart bodies.
- debian/patches/CVE-2026-31958.patch: Add limit of 100 parts and enforce
checks in tornado/httputil.py. Add tests in
tornado/test/httputil_test.py.
- CVE-2026-31958
* SECURITY UPDATE: Cookie attribute injection.
- debian/patches/CVE-2026-35536.patch: Raise CookieError on invalid
characters in tornado/web.py. Add tests in tornado/test/web_test.py.
- CVE-2026-35536
-- Hlib Korzhynskyy <email address hidden> Fri, 17 Apr 2026 13:01:19 -0230
| CVE-2026-31958 | Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts i |
| CVE-2026-35536 | In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were n |

python-tornado (6.4.2-3ubuntu0.2) questing-security; urgency=medium
* SECURITY UPDATE: Cross site scripting in custom HTTP headers.
- debian/patches/CVE-2025-67724-pre*.patch: Restrict headers to printable
ASCII characters in tornado/httputil.py.
- debian/patches/CVE-2025-67724.patch: Add check for "<" and add
escape.xhtml_escape in status messages in tornado/web.py. Add tests in
tornado/test/web_test.py.
- CVE-2025-67724
* SECURITY UPDATE: Denial of service due to malicious HTTP requests with
repeated header names.
- debian/patches/CVE-2025-67725.patch: Replace self._dict with
self._combined_cache in tornado/httputil.py. Add tests in
tornado/test/httputil_test.py.
- debian/patches/CVE-2025-67725-post1.patch: Fix in-operator being case
sensitive due to last patch changes in tornado/httputil.py. Add tests in
tornado/test/httputil_test.py.
- CVE-2025-67725
* SECURITY UPDATE: Denial of service due to inefficient parsing of HTTP
header values.
- debian/patches/CVE-2025-67726.patch: Change _parseparam logic in
tornado/httputil.py. Add tests in tornado/test/httputil_test.py.
- CVE-2025-67726
-- Hlib Korzhynskyy <email address hidden> Tue, 06 Jan 2026 17:06:23 -0330
| CVE-2025-67724 | Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in H |
| CVE-2025-67725 | Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can blo |
| CVE-2025-67726 | Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters |