Debian Patches
Status for python-tornado/6.4.2-3+deb13u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| disable-domain-tests.patch | Disable domain tests to prevent internet access during build | SVN-Git Migration <python-modules-team@lists.alioth.debian.org> | not-needed | | | 2015-10-08 |
| ignoreuserwarning.patch | ignore userwarning in tests. Required to run tests from source with the package already installed. Else one gets check_version_conflict warning from pkg_resources. | SVN-Git Migration <python-modules-team@lists.alioth.debian.org> | not-needed | | | 2015-10-08 |
| 0006-Use-local-objects.inv-for-intersphinx-mapping.patch | Use local objects.inv for intersphinx mapping | Ondřej Nový <onovy@debian.org> | not-needed | | | 2016-08-03 |
| 0007-Higher-test_gc-timeout.patch | Set timeout in test_gc to higher value | Ondřej Nový <onovy@debian.org> | not-needed | | | 2020-04-02 |
| pythonpath-autoreload-test.patch | autoreload_test: Handle a relative PYTHONPATH. This came up in the Debian package build of tornado, where we run the tests from a staged build of the module. | Stefano Rivera <stefano@rivera.za.net> | yes | | | 2024-01-21 |
| disable-should-be-failing-test.patch | | | no | | | |
| CVE-2025-47287.patch | httputil: Raise errors instead of logging in multipart/form-data parsing. We used to continue after logging an error, which allowed repeated errors to spam the logs. The error raised here will still be logged, but only once per request, consistent with other error handling in Tornado. | Ben Darnell <ben@bendarnell.com> | no | debian | backport, https://github.com/tornadoweb/tornado/pull/3497 | 2025-05-18 |
| increase-timeout-rv64.patch | increase timeout on riscv64 | Bo YU <vimer@debian.org> | not-needed | upstream | 2025-05-19 | |
| CVE-2025-67726.patch | httputil: Fix quadratic behavior in _parseparam. Prior to this change, _parseparam had O(n^2) behavior when parsing certain inputs, which could be a DoS vector. This change adapts logic from the equivalent function in the python standard library in https://github.com/python/cpython/pull/136072/files | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/pull/3554 | 2025-12-10 |
| CVE-2025-67725.patch | httputil: Fix quadratic performance of repeated header lines. Previously, when many header lines with the same name were found in an HTTP request or response, repeated string concatenation would result in quadratic performance. This change does the concatenation lazily (with a cache) so that repeated headers can be processed efficiently. via a maliciously crafted HTTP message, but only if the max_header_size was increased from its default of 64kB. | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/commit/68e81b4a3385161877408a7a49c7ed12b45a614d | 2025-12-09 |
| CVE-2025-67724.patch | web: Harden against invalid HTTP reason phrases. We allow applications to set custom reason phrases for the HTTP status line (to support custom status codes), but if this were exposed to untrusted data it could be exploited in various ways. This commit guards against invalid reason phrases in both HTTP headers and in error pages. | Ben Darnell <ben@bendarnell.com> | yes | debian upstream | https://github.com/tornadoweb/tornado/commit/f3b99cd34d4c6360f0db34b3c39f700c002b1415 | 2025-12-10 |
| case-insensitive-http-headers.patch | Make sure that the in-operator on HTTPHeaders is case insensitive | Arnaud Schoonjans <arnaud.schoonjans@inmanta.com> | no | | | 2025-12-15 |
All known versions for source package 'python-tornado'
- 6.5.5-1 (forky, sid)
- 6.4.2-3+deb13u2 (trixie-proposed-updates, trixie-security)
- 6.4.2-3 (trixie)
- 6.2.0-3+deb12u4 (bookworm-proposed-updates, bookworm-security)
- 6.2.0-3+deb12u2 (bookworm)
