Debian Patches
Status for python-tornado/6.2.0-3+deb12u4
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| disable-domain-tests.patch | Disable domain tests to prevent internet access during build | SVN-Git Migration <python-modules-team@lists.alioth.debian.org> | invalid | | | 2015-10-08 |
| ignoreuserwarning.patch | Ignore UserWarning in tests. Required to run tests from source with the package already installed; otherwise one gets a check_version_conflict warning from pkg_resources. | SVN-Git Migration <python-modules-team@lists.alioth.debian.org> | no | | | 2015-10-08 |
| fix-ftbfs-on-hurd.patch | Skip UnixSocketTest on hurd, as unix sockets with SO_REUSEADDR are not supported there. A little discussion about unix sockets with SO_REUSEADDR can be found at https://lists.gnu.org/archive/html/bug-hurd/2016-01/msg00039.html | Mattia Rizzolo <mattia@debian.org> | no | | | 2016-05-21 |
| 0006-Use-local-objects.inv-for-intersphinx-mapping.patch | Use local objects.inv for intersphinx mapping | Ondřej Nový <onovy@debian.org> | invalid | | | 2016-08-03 |
| 0007-Higher-test_gc-timeout.patch | Set timeout in test_gc to a higher value | Ondřej Nový <onovy@debian.org> | not-needed | | | 2020-04-02 |
| ignore-py310-deprecation-warnings.patch | Ignore known DeprecationWarnings under Python 3.10. Python 3.10 triggers several DeprecationWarnings that haven't been resolved yet upstream. There are going to be API changes required and they haven't been decided on yet. | Stefano Rivera <stefanor@debian.org> | not-needed | debian | | 2021-11-20 |
| CVE-2024-52804.patch | httputil: Fix quadratic performance of cookie parsing. Maliciously-crafted cookies can cause Tornado to spend an unreasonable amount of CPU time and block the event loop. This change replaces the quadratic algorithm with a more efficient one. The implementation is copied from the Python 3.13 standard library (the previous one was from Python 3.5). Fixes CVE-2024-52804. See CVE-2024-7592 for a similar vulnerability in cpython. Thanks to github.com/kexinoh for the report. | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533.patch | 2024-11-21 |
| CVE-2023-28370-1.patch | web: Fix an open redirect in StaticFileHandler. Under some configurations the default_filename redirect could be exploited to redirect to an attacker-controlled site. This change refuses to redirect to URLs that could be misinterpreted. A test case for the specific vulnerable configuration will follow after the patch has been available. | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/pull/3266 | 2023-05-13 |
| CVE-2023-28370-2.patch | test: Add test for open redirect fixed in 6.3.2 | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/pull/3276 | 2023-06-06 |
| CVE-2025-47287.patch | httputil: Raise errors instead of logging in multipart/form-data parsing. We used to continue after logging an error, which allowed repeated errors to spam the logs. The error raised here will still be logged, but only once per request, consistent with other error handling in Tornado. | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/pull/3497 | 2025-05-08 |
| CVE-2025-67726.patch | httputil: Fix quadratic behavior in _parseparam. Prior to this change, _parseparam had O(n^2) behavior when parsing certain inputs, which could be a DoS vector. This change adapts logic from the equivalent function in the python standard library in https://github.com/python/cpython/pull/136072/files | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/pull/3554 | 2025-12-10 |
| CVE-2025-67725.patch | httputil: Fix quadratic performance of repeated header lines. Previously, when many header lines with the same name were found in an HTTP request or response, repeated string concatenation would result in quadratic performance. This change does the concatenation lazily (with a cache) so that repeated headers can be processed efficiently. [...] via a maliciously crafted HTTP message, but only if the max_header_size was increased from its default of 64kB. | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/commit/68e81b4a3385161877408a7a49c7ed12b45a614d | 2025-12-09 |
| CVE-2025-67724.patch | web: Harden against invalid HTTP reason phrases. We allow applications to set custom reason phrases for the HTTP status line (to support custom status codes), but if this were exposed to untrusted data it could be exploited in various ways. This commit guards against invalid reason phrases in both HTTP headers and in error pages. | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/commit/f3b99cd34d4c6360f0db34b3c39f700c002b1415 | 2025-12-10 |
| case-insensitive-http-headers.patch | Make sure that the in-operator on HTTPHeaders is case insensitive | Arnaud Schoonjans <arnaud.schoonjans@inmanta.com> | no | | | 2025-12-15 |
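Two of the patches above change how a header container behaves rather than what it parses: CVE-2025-67725.patch joins repeated header lines lazily with a cache instead of concatenating on every line, and case-insensitive-http-headers.patch makes the `in` operator ignore case. The following is an added illustration written for this page, not Tornado's code and not the content of either patch; `LazyHeaders`, `parse_header_block` and the two `bytes_copied_*` counters are hypothetical names, and the header block is a constructed sample. It shows why repeated `joined = joined + "," + value` into a dict slot is quadratic in the number of repeated lines, and how a list-of-values plus an on-demand join avoids that while keeping case-insensitive lookups consistent with case-insensitive membership.

```python
"""Added example (not tornado.httputil.HTTPHeaders): a minimal case-insensitive,
multi-valued header map with a lazily built, cached comma-joined form."""
from typing import Dict, Iterator, List, Optional, Tuple


class LazyHeaders:
    """Multi-valued HTTP header map with case-insensitive lookup.

    Repeated lines are kept as a list of raw values. The comma-joined form is
    only built when asked for and then cached, so adding n lines with the
    same name copies O(n) bytes overall instead of O(n^2).
    """

    def __init__(self) -> None:
        self._values: Dict[str, List[str]] = {}   # lower-cased name -> raw values
        self._joined: Dict[str, str] = {}         # cache: lower-cased name -> "a,b,c"
        self._display: Dict[str, str] = {}        # lower-cased name -> spelling first seen

    @staticmethod
    def _key(name: str) -> str:
        # Header field names are case-insensitive (RFC 9110), so normalise once.
        return name.lower()

    def add(self, name: str, value: str) -> None:
        key = self._key(name)
        self._values.setdefault(key, []).append(value)
        self._display.setdefault(key, name)
        # Drop the stale cached join; do not rebuild it here (that would be quadratic again).
        self._joined.pop(key, None)

    def get_list(self, name: str) -> List[str]:
        return list(self._values.get(self._key(name), []))

    def get(self, name: str, default: Optional[str] = None) -> Optional[str]:
        key = self._key(name)
        if key not in self._values:
            return default
        if key not in self._joined:                # single O(n) join, then cached
            self._joined[key] = ",".join(self._values[key])
        return self._joined[key]

    def __getitem__(self, name: str) -> str:
        value = self.get(name)
        if value is None:
            raise KeyError(name)
        return value

    def __contains__(self, name: object) -> bool:
        # Membership must use the same normalisation as lookups, otherwise
        # `"x-forwarded-for" in h` and `h["x-forwarded-for"]` disagree.
        return isinstance(name, str) and self._key(name) in self._values

    def items(self) -> Iterator[Tuple[str, str]]:
        for key in self._values:
            yield self._display[key], self[key]


def parse_header_block(raw: str) -> LazyHeaders:
    """Parse CRLF-separated 'Name: value' lines (no start line, no body)."""
    headers = LazyHeaders()
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.add(name.strip(), value.strip())
    return headers


def bytes_copied_naive(values: List[str]) -> int:
    """Bytes copied by the pattern `joined = joined + "," + v` stored back into a
    mapping after every line: each step copies the whole accumulated string."""
    joined, copied = "", 0
    for v in values:
        joined = joined + "," + v if joined else v
        copied += len(joined)
    return copied


def bytes_copied_lazy(values: List[str]) -> int:
    """Bytes copied by a single deferred join."""
    return len(",".join(values))


# Constructed sample: the same field name spelled three ways.
RAW = ("Host: example.test\r\n"
       "X-Forwarded-For: 10.0.0.1\r\n"
       "x-forwarded-for: 10.0.0.2\r\n"
       "X-FORWARDED-FOR: 10.0.0.3\r\n")

if __name__ == "__main__":
    h = parse_header_block(RAW)
    print("x-forwarded-for" in h, h["X-Forwarded-For"], h.get_list("x-forwarded-for"))
    print(bytes_copied_naive(["v"] * 1000), bytes_copied_lazy(["v"] * 1000))
```

With 1000 one-byte repeated values the naive pattern copies a million bytes, the deferred join under two thousand; the gap only matters once a peer can send far more repeated lines than the default header-size limit allows, which is the caveat in the CVE-2025-67725 description.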
All known versions for source package 'python-tornado'
- 6.5.5-1 (forky, sid)
- 6.4.2-3+deb13u2 (trixie-proposed-updates, trixie-security)
- 6.4.2-3 (trixie)
- 6.2.0-3+deb12u4 (bookworm-proposed-updates, bookworm-security)
- 6.2.0-3+deb12u2 (bookworm)
