- Update to 6.5.0 (CVE-2025-47287, bsc#1243268):
* Security Improvements:
- Previously, malformed multipart-form-data requests could log
multiple warnings and constitute a denial-of-service attack. Now
an exception is raised at the first error, so there is only one
log message per request. This fixes CVE-2025-47287.
* General Changes:
- Python 3.14 is now supported. Older versions of Tornado will
work on Python 3.14 but may log deprecation warnings.
- The free-threading mode of Python 3.13 is now supported on an
experimental basis. Prebuilt wheels are not yet available for
this configuration, but it can be built from source.
- The minimum supported Python version is 3.9.
* Deprecation Notices:
- Support for obs-fold continuation lines in HTTP headers is
deprecated and will be removed in Tornado 7.0, as is the use of
carriage returns without line feeds as header separators.
- The callback argument to websocket_connect is deprecated and
will be removed in Tornado 7.0. Note that on_message_callback is
not deprecated.
- The log_message and args attributes of tornado.web.HTTPError are
deprecated. Use the new get_message method instead.
OBS-URL: https://build.opensuse.org/request/show/1277990
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=20
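A check for the two header constructs the 6.5.0 entry above marks as deprecated (obs-fold continuation lines and carriage returns without line feeds), useful for auditing captured requests before a move to Tornado 7.0. This is an added example, not part of the package changelog or Tornado's code; `audit_header_block` and the sample bytes are constructed for illustration.

```python
def audit_header_block(raw: bytes) -> list[tuple[int, str, bytes]]:
    """Scan a raw HTTP header block (the bytes after the request line,
    up to and including the blank line) and return a list of
    (line_number, issue, line) for each deprecated construct found."""
    findings = []
    seen_header = False
    # Split on LF only, so a CR that is not part of CRLF stays visible.
    for n, line in enumerate(raw.split(b"\n"), start=1):
        # Strip exactly one trailing CR: that is the CR of a proper CRLF.
        body = line[:-1] if line.endswith(b"\r") else line
        if not body:
            break  # blank line: end of the header block
        if b"\r" in body:
            # A CR left inside the line was used as a separator without LF.
            findings.append((n, "bare-cr", body))
        if body[:1] in (b" ", b"\t"):
            # Leading SP/HTAB continues the previous header (obs-fold);
            # with no previous header it is simply malformed.
            issue = "obs-fold" if seen_header else "leading-whitespace"
            findings.append((n, issue, body))
        else:
            seen_header = True
    return findings


# Constructed sample: one folded header and one bare-CR separator.
SAMPLE = (
    b"Host: example.test\r\n"
    b"X-Long: first part\r\n"
    b"\tsecond part\r\n"
    b"X-A: 1\rX-B: 2\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

CLEAN = b"Host: example.test\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for lineno, issue, text in audit_header_block(SAMPLE):
        print(f"line {lineno}: {issue}: {text!r}")
```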
+ Security Improvements:
* Parsing of the cookie header is now much more efficient. The older
algorithm sometimes had quadratic performance which allowed for a
denial-of-service attack in which the server would spend excessive
CPU time parsing cookies and block the event loop.
(CVE-2024-52804, bsc#1233668)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=44
- update to 6.4:
* https://www.tornadoweb.org/en/stable/releases/v6.4.0.html
* Python 3.12 is now supported.
- drop py312-datetime.patch (upstream)
* The Content-Length header and chunked Transfer-Encoding sizes
are now parsed more strictly (according to the relevant RFCs)
to avoid potential request-smuggling vulnerabilities when
* Do not test multi-line headers.
- require python-backports.ssl_hostname only on python 2.x
or 3.2.
* This release fixes a path traversal vulnerability in StaticFileHandler,
in which files whose names started with the static_path directory
* SSLIOStream.connect and IOStream.start_tls now
* Certificate validation will now use the system CA root certificates
instead of certifi when possible (i.e. Python 2.7.9+ or 3.4+).
* The default SSL configuration has become stricter,
using ssl.create_default_context where available on the client side.
(On the server side, applications are encouraged to migrate from
* The deprecated classes in the tornado.auth module, GoogleMixin,
+ See more release details at
- added python3 package
OBS-URL: https://build.opensuse.org/request/show/1136473
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=15
* https://www.tornadoweb.org/en/stable/releases/v6.4.0.html
* Python 3.12 is now supported.
- drop py312-datetime.patch (upstream)
* The Content-Length header and chunked Transfer-Encoding sizes
are now parsed more strictly (according to the relevant RFCs)
to avoid potential request-smuggling vulnerabilities when
* Do not test multi-line headers.
- require python-backports.ssl_hostname only on python 2.x
or 3.2.
* This release fixes a path traversal vulnerability in StaticFileHandler,
in which files whose names started with the static_path directory
* SSLIOStream.connect and IOStream.start_tls now
* Certificate validation will now use the system CA root certificates
instead of certifi when possible (i.e. Python 2.7.9+ or 3.4+).
* The default SSL configuration has become stricter,
using ssl.create_default_context where available on the client side.
(On the server side, applications are encouraged to migrate from
* The deprecated classes in the tornado.auth module, GoogleMixin,
+ See more release details at
- added python3 package
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=36
- New upstream release 6.3.2
- Security improvements
- Fixed an open redirect vulnerability in StaticFileHandler
under certain configurations.
- ``tornado.web``
- `.RequestHandler.set_cookie` once again accepts capitalized
keyword arguments for backwards compatibility. This is
deprecated and in Tornado 7.0 only lowercase arguments will
be accepted.
- What's new in Tornado 6.3.0
- The new `.Application` setting ``xsrf_cookie_name``
can now be used to take advantage of the ``__Host``
cookie prefix for improved security. To use it, add
``{"xsrf_cookie_name": "__Host-xsrf", "xsrf_cookie_kwargs":
{"secure": True}}`` to your `.Application` settings. Note
that this feature currently only works when HTTPS is used.
- `.WSGIContainer` now supports running the application in
a ``ThreadPoolExecutor`` so the event loop is no longer
blocked.
- `.AsyncTestCase` and `.AsyncHTTPTestCase`, which were
deprecated in Tornado 6.2, are no longer deprecated.
- WebSockets are now much faster at receiving large messages
split into many fragments.
- General changes
- Python 3.7 is no longer supported; the minimum supported
Python version is 3.8. Python 3.12 is now supported.
- To avoid spurious deprecation warnings, users of Python
3.10 should upgrade to at least version 3.10.9, and users
of Python 3.11 should upgrade to at least version 3.11.1.
- Tornado submodules are now imported automatically on
OBS-URL: https://build.opensuse.org/request/show/1090058
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=12
- version update to 6.0.4
General changes
~~~~~~~~~~~~~~
``asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())`` for
this platform/version.
Bug fixes
~~~~~~~~
- Fixed an issue in `.IOStream` (introduced in 6.0.0) that resulted in
``StreamClosedError`` being incorrectly raised if a stream is closed mid-read
but there is enough buffered data to satisfy the read.
- `.AnyThreadEventLoopPolicy` now always uses the selector event loop on Windows.
- modified patches
% ignore-resourcewarning-doctests.patch (refreshed)
% skip-failing-tests.patch (refreshed)
% tornado-testsuite_timeout.patch (refreshed)
OBS-URL: https://build.opensuse.org/request/show/783774
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=9
system with python-tornado standing in as a metapkg
- Provide and obsolete python-toro that was integrated in tornado
- Minimal version is 3.5 and as such remove 3.4 compat deps
- Change this package back to latest python tornado to use
same approach like we do with pytest
- Provide %oldpython-tornado symbol too
- Reduce the conflicts even more
- Remove duplicate entry
- Remove cruft dependencies that should not be needed
- Switch to tornado 4 temporarily.
- Conflicts fixes
- Fix package name
- Split tornado versions into their own packages.
This package now depends on the current preferred version.
- Remove patches since there is no longer a source here:
* asyncio.patch
* openssl-cert-size.patch
* skip-failing-tests.patch
* tornado-testsuite_timeout.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=2