* The in operator for HTTPHeaders was incorrectly case-sensitive, causing
lookups to fail for headers with different casing than the original header
name. This was a regression in version 6.5.3 and has been fixed to restore
the intended case-insensitive behavior from version 6.5.2 and earlier.
- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
* Fixed a denial-of-service vulnerability involving quadratic computation
when parsing multipart/form-data request bodies. CVE-2025-67726.
Thanks to Finder16 for reporting this issue.
* Fixed a denial-of-service vulnerability involving quadratic computation when
parsing repeated HTTP headers. CVE-2025-67725.
Thanks to Finder16 for reporting this issue.
* Fixed a header injection and XSS vulnerability involving the reason argument
to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724.
Thanks to Finder16 and Cheshire1225 for reporting this issue.
* Several demo applications bundled with the Tornado repo (blog, chat,
facebook) had an open redirect vulnerability which has been fixed. This is
not covered by a CVE or security advisory since the demo applications are
not included as a part of the Tornado package when installed, but developers
who have copied code from these demos may wish to review their own
applications for open redirects.
Thanks to J1vvoo for reporting this issue.
* The s3server demo application contained some path traversal vulnerabilities.
Since this demo application was not demonstrating any interesting aspects of
Tornado, it has been deleted rather than being fixed.
Thanks to J1vvoo for reporting this issue.
- Update to 6.5.2
* Fixed a bug that resulted in WebSocket pings not being sent at the
configured interval.
* Improved logging for invalid Host headers. This was previously logged as an
uncaught exception with a stack trace; now it is simply a 400 response
(logged as a warning in the access log).
* Restored the host argument to .HTTPServerRequest. This argument is
deprecated and will be removed in the future, but its removal with no
warning in 6.5.0 was a mistake.
* Removed a debugging print statement that was left in the code.
* Improved type hints for gen.multi.
- Update to 6.5.1
* Fixed a bug in multipart/form-data parsing that could incorrectly reject
filenames containing characters above U+00FF (i.e. most characters outside
the Latin alphabet).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=48
- Update to 6.5.0 (CVE-2025-47287, bsc#1243268):
* Security Improvements:
- Previously, malformed multipart-form-data requests could log
multiple warnings and constitute a denial-of-service attack. Now
an exception is raised at the first error, so there is only one
log message per request. This fixes CVE-2025-47287.
* General Changes:
- Python 3.14 is now supported. Older versions of Tornado will
work on Python 3.14 but may log deprecation warnings.
- The free-threading mode of Python 3.13 is now supported on an
experimental basis. Prebuilt wheels are not yet available for
this configuration, but it can be built from source.
- The minimum supported Python version is 3.9.
* Deprecation Notices:
- Support for obs-fold continuation lines in HTTP headers is
deprecated and will be removed in Tornado 7.0, as is the use of
carriage returns without line feeds as header separators.
- The callback argument to websocket_connect is deprecated and
will be removed in Tornado 7.0. Note that on_message_callback is
not deprecated.
- The log_message and args attributes of tornado.web.HTTPError are
deprecated. Use the new get_message method instead.
OBS-URL: https://build.opensuse.org/request/show/1277990
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=20
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=46
+ Security Improvements:
* Parsing of the cookie header is now much more efficient. The older
algorithm sometimes had quadratic performance which allowed for a
denial-of-service attack in which the server would spend excessive
CPU time parsing cookies and block the event loop.
(CVE-2024-52804, bsc#1233668)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=44
- update to 6.4:
* https://www.tornadoweb.org/en/stable/releases/v6.4.0.html
* Python 3.12 is now supported.
- drop py312-datetime.patch (upstream)
* The Content-Length header and chunked Transfer-Encoding sizes
are now parsed more strictly (according to the relevant RFCs)
to avoid potential request-smuggling vulnerabilities when
* Do not test multi-line headers.
- require python-backports.ssl_hostname only on python 2.x
or 3.2.
* This release fixes a path traversal vulnerability in StaticFileHandler,
in which files whose names started with the static_path directory
* SSLIOStream.connect and IOStream.start_tls now
* Certificate validation will now use the system CA root certificates
instead of certifi when possible (i.e. Python 2.7.9+ or 3.4+).
* The default SSL configuration has become stricter,
using ssl.create_default_context where available on the client side.
(On the server side, applications are encouraged to migrate from
* The deprecated classes in the tornado.auth module, GoogleMixin,
+ See more release details at
- added python3 package
OBS-URL: https://build.opensuse.org/request/show/1136473
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=15
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=36
- New upstream release 6.3.2
- Security improvements
- Fixed an open redirect vulnerability in StaticFileHandler
under certain configurations.
- ``tornado.web``
- `.RequestHandler.set_cookie` once again accepts capitalized
keyword arguments for backwards compatibility. This is
deprecated and in Tornado 7.0 only lowercase arguments will
be accepted.
- What's new in Tornado 6.3.0
- The new `.Application` setting ``xsrf_cookie_name``
can now be used to take advantage of the ``__Host``
cookie prefix for improved security. To use it, add
``{"xsrf_cookie_name": "__Host-xsrf", "xsrf_cookie_kwargs":
{"secure": True}}`` to your `.Application` settings. Note
that this feature currently only works when HTTPS is used.
- `.WSGIContainer` now supports running the application in
a ``ThreadPoolExecutor`` so the event loop is no longer
blocked.
- `.AsyncTestCase` and `.AsyncHTTPTestCase`, which were
deprecated in Tornado 6.2, are no longer deprecated.
- WebSockets are now much faster at receiving large messages
split into many fragments.
- General changes
- Python 3.7 is no longer supported; the minimum supported
Python version is 3.8. Python 3.12 is now supported.
- To avoid spurious deprecation warnings, users of Python
3.10 should upgrade to at least version 3.10.9, and users
of Python 3.11 should upgrade to at least version 3.11.1.
- Tornado submodules are now imported automatically on
OBS-URL: https://build.opensuse.org/request/show/1090058
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=12
- version update to 6.0.4
General changes
~~~~~~~~~~~~~~
``asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())`` for
this platform/version.
Bug fixes
~~~~~~~~
- Fixed an issue in `.IOStream` (introduced in 6.0.0) that resulted in
``StreamClosedError`` being incorrectly raised if a stream is closed mid-read
but there is enough buffered data to satisfy the read.
- `.AnyThreadEventLoopPolicy` now always uses the selector event loop on Windows.
- modified patches
% ignore-resourcewarning-doctests.patch (refreshed)
% skip-failing-tests.patch (refreshed)
% tornado-testsuite_timeout.patch (refreshed)
OBS-URL: https://build.opensuse.org/request/show/783774
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=9
system with python-tornado standing in as a metapkg
- Provide and obsolete python-toro that was integrated in tornado
- Minimal version is 3.5 and as such remove 3.4 compat deps
- Change this package back to latest python tornado to use
same approach like we do with pytest
- Provide %oldpython-tornado symbol too
- Reduce the conflicts even more
- Remove duplicate entry
- Remove cruft dependencies that should not be needed
- Switch to tornado 4 temporarily.
- Conflicts fixes
- Fix package name
- Split tornado versions into their own packages.
This package now depends on the current preferred version.
- Remove patches since there is no longer a source here:
* asyncio.patch
* openssl-cert-size.patch
* skip-failing-tests.patch
* tornado-testsuite_timeout.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=2