[ubuntu/plucky-updates] python-tornado 6.4.2-1ubuntu0.25.04.3 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Thu Jan 8 20:58:42 UTC 2026
python-tornado (6.4.2-1ubuntu0.25.04.3) plucky-security; urgency=medium

  * SECURITY UPDATE: Cross site scripting in custom HTTP headers.
    - debian/patches/CVE-2025-67724-pre*.patch: Restrict headers to printable
      ASCII characters in tornado/httputil.py.
    - debian/patches/CVE-2025-67724.patch: Add check for "<" and add
      escape.xhtml_escape in status messages in tornado/web.py. Add tests in
      tornado/test/web_test.py.
    - CVE-2025-67724
  * SECURITY UPDATE: Denial of service due to malicious HTTP requests with
    repeated header names.
    - debian/patches/CVE-2025-67725.patch: Replace self._dict with
      self._combined_cache in tornado/httputil.py. Add tests in
      tornado/test/httputil_test.py.
    - debian/patches/CVE-2025-67725-post1.patch: Fix in-operator being case
      sensitive due to last patch changes in tornado/httputil.py. Add tests in
      tornado/test/httputil_test.py.
    - CVE-2025-67725
  * SECURITY UPDATE: Denial of service due to inefficient parsing of HTTP
    header values.
    - debian/patches/CVE-2025-67726.patch: Change _parseparam logic in
      tornado/httputil.py. Add tests in tornado/test/httputil_test.py.
    - CVE-2025-67726

Date: 2026-01-07 18:44:23.061814+00:00
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/python-tornado/6.4.2-1ubuntu0.25.04.3