[ubuntu/questing-updates] python-tornado 6.4.2-3ubuntu0.2 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Thu Jan 8 20:58:43 UTC 2026
python-tornado (6.4.2-3ubuntu0.2) questing-security; urgency=medium

  * SECURITY UPDATE: Cross site scripting in custom HTTP headers.
    - debian/patches/CVE-2025-67724-pre*.patch: Restrict headers to printable
      ASCII characters in tornado/httputil.py.
    - debian/patches/CVE-2025-67724.patch: Add check for "<" and add
      escape.xhtml_escape in status messages in tornado/web.py. Add tests in
      tornado/test/web_test.py.
    - CVE-2025-67724
  * SECURITY UPDATE: Denial of service due to malicious HTTP requests with
    repeated header names.
    - debian/patches/CVE-2025-67725.patch: Replace self._dict with
      self._combined_cache in tornado/httputil.py. Add tests in
      tornado/test/httputil_test.py.
    - debian/patches/CVE-2025-67725-post1.patch: Fix in-operator being case
      sensitive due to last patch changes in tornado/httputil.py. Add tests in
      tornado/test/httputil_test.py.
    - CVE-2025-67725
  * SECURITY UPDATE: Denial of service due to inefficient parsing of HTTP
    header values.
    - debian/patches/CVE-2025-67726.patch: Change _parseparam logic in
      tornado/httputil.py. Add tests in tornado/test/httputil_test.py.
    - CVE-2025-67726
Date: 2026-01-07 18:33:10.270729+00:00
Changed-By: Hlib Korzhynskyy <hlib.korzhynskyy at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/python-tornado/6.4.2-3ubuntu0.2
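The two httputil.py items above (printable-ASCII header restriction for CVE-2025-67724, and the self._dict to self._combined_cache rework plus the case-insensitive "in" follow-up for CVE-2025-67725) share one underlying data structure. The following is an added illustration, not Tornado's code or the Ubuntu patch: a minimal case-insensitive, multi-valued header container in the pre-fix and post-fix shapes, instrumented to count the characters rewritten when one header name is repeated. The class names, the exact printable-ASCII policy and the counters are assumptions made for this example.

```python
"""Added example (not Tornado's code): a minimal multi-valued HTTP header
container showing (a) rejecting non-printable header bytes and (b) combining
repeated headers without quadratic work. Names and policy are hypothetical."""
import re
from typing import Optional

# Hypothetical policy for this example: RFC 9110 token characters for names,
# printable ASCII plus HTAB for values. CR, LF and NUL are therefore rejected
# before a value can reach a response line and split it.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_PRINTABLE_VALUE = re.compile(r"^[\t\x20-\x7e]*$")


def normalize_name(name: str) -> str:
    """'content-TYPE' -> 'Content-Type', so storage and lookups ignore case."""
    return "-".join(part.capitalize() for part in name.split("-"))


def validate_header(name: str, value: str) -> None:
    if not _TOKEN.match(name):
        raise ValueError("invalid header name: %r" % name)
    if not _PRINTABLE_VALUE.match(value):
        raise ValueError("non-printable character in value of %s" % name)


def is_rejected(name: str, value: str) -> bool:
    """True when validate_header refuses the pair."""
    try:
        validate_header(name, value)
    except ValueError:
        return True
    return False


class NaiveHeaders:
    """Pre-fix shape: one dict of already-combined strings, re-concatenated on
    every repeat. chars_copied counts characters rewritten; it grows as n^2."""

    def __init__(self) -> None:
        self._dict: dict[str, str] = {}
        self.chars_copied = 0

    def add(self, name: str, value: str) -> None:
        norm = normalize_name(name)
        if norm in self._dict:
            combined = self._dict[norm] + "," + value  # copies everything again
            self.chars_copied += len(combined)
            self._dict[norm] = combined
        else:
            self._dict[norm] = value
            self.chars_copied += len(value)

    def get(self, name: str, default: Optional[str] = None) -> Optional[str]:
        return self._dict.get(normalize_name(name), default)


class Headers:
    """Post-fix shape: keep each value once in a list and build the
    comma-joined form lazily, invalidating it on add. Work is linear."""

    def __init__(self) -> None:
        self._as_list: dict[str, list[str]] = {}
        self._combined_cache: dict[str, str] = {}
        self.chars_copied = 0

    def add(self, name: str, value: str) -> None:
        validate_header(name, value)
        norm = normalize_name(name)
        self._as_list.setdefault(norm, []).append(value)
        self._combined_cache.pop(norm, None)  # next get() rebuilds it once

    def get_list(self, name: str) -> list[str]:
        return list(self._as_list.get(normalize_name(name), []))

    def get(self, name: str, default: Optional[str] = None) -> Optional[str]:
        norm = normalize_name(name)
        if norm not in self._as_list:
            return default
        if norm not in self._combined_cache:
            combined = ",".join(self._as_list[norm])
            self.chars_copied += len(combined)
            self._combined_cache[norm] = combined
        return self._combined_cache[norm]

    def __contains__(self, name: object) -> bool:
        # Membership must normalise the name as well; the changelog's "-post1"
        # patch is about exactly this after the cache rework.
        return isinstance(name, str) and normalize_name(name) in self._as_list


def repeated_header_cost(n: int, cls=Headers) -> int:
    """Send n copies of one header, read it back once, return chars copied."""
    h = cls()
    for i in range(n):
        h.add("X-Repeated", "v%06d" % i)
    h.get("x-repeated")
    return h.chars_copied


if __name__ == "__main__":
    for n in (1000, 2000, 4000):
        print(n, repeated_header_cost(n, NaiveHeaders), repeated_header_cost(n, Headers))
```

Doubling n roughly quadruples the naive cost and merely doubles the lazy one; a request carrying a few thousand repeated headers is enough to make the difference felt in a parser that runs on every connection.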
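For the CVE-2025-67726 item, "inefficient parsing of HTTP header values", the relevant helper splits ';'-separated parameters such as those in Content-Type or Content-Disposition while honouring double quotes. The following is an added illustration, not Tornado's code or the Ubuntu patch: an instrumented copy of the old quadratic shape (modelled on the stdlib cgi module's _parseparam helper, which re-counts quotes from the start of the string for every candidate ';') beside a single-pass replacement, with a parse_header wrapper that unquotes values. The function names and the counter are assumptions made for this example.

```python
"""Added example (not Tornado's code): splitting ';'-separated header
parameters in one pass, with an instrumented quadratic version for contrast."""


def parseparam_quadratic(line: str) -> tuple[list[str], int]:
    """Old shape (after cgi._parseparam): every time the candidate ';' turns
    out to be inside quotes, count() rescans s[:end] from the start, so a value
    full of ';' inside one quoted string costs O(n^2). Returns the parts and
    the number of characters examined by count()."""
    s = ";" + line
    parts: list[str] = []
    examined = 0
    while s[:1] == ";":
        s = s[1:]
        end = s.find(";")
        while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2:
            examined += 2 * end  # two count() scans over s[:end]
            end = s.find(";", end + 1)
        if end < 0:
            end = len(s)
        parts.append(s[:end].strip())
        s = s[end:]
    return parts, examined


def parse_params(line: str) -> list[str]:
    """Single pass: split on ';' outside double quotes; inside quotes a
    backslash escapes the next character. Each character is visited once."""
    parts: list[str] = []
    buf: list[str] = []
    in_quotes = False
    escaped = False
    for ch in line:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def parse_header(line: str) -> tuple[str, dict[str, str]]:
    """'form-data; name="f;g"' -> ('form-data', {'name': 'f;g'}); quoted values
    are unquoted and \\\\ and \\" escapes resolved."""
    parts = parse_params(line)
    key = parts[0]
    pdict: dict[str, str] = {}
    for p in parts[1:]:
        name, sep, value = p.partition("=")
        if not sep:
            continue
        name = name.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        pdict[name] = value
    return key, pdict


if __name__ == "__main__":
    # Constructed hostile value: one quoted parameter containing many ';'.
    for n in (1000, 2000, 4000):
        hostile = 'x; name="' + ";" * n + '"'
        print(n, parseparam_quadratic(hostile)[1], len(hostile))
```

Both versions agree on ordinary Content-Disposition lines; they differ only in cost on inputs built to defeat the rescan, where the old shape examines about n^2 characters for an n-byte value and the single-pass version examines n.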