Accepting request 1277990 from devel:languages:python

- Update to 6.5.0 (CVE-2025-47287, bsc#1243268):
  * Security Improvements:
    - Previously, malformed multipart-form-data requests could log
      multiple warnings and constitute a denial-of-service attack. Now
      an exception is raised at the first error, so there is only one
      log message per request. This fixes CVE-2025-47287.
  * General Changes:
    - Python 3.14 is now supported. Older versions of Tornado will
      work on Python 3.14 but may log deprecation warnings.
    - The free-threading mode of Python 3.13 is now supported on an
      experimental basis. Prebuilt wheels are not yet available for
      this configuration, but it can be built from source.
    - The minimum supported Python version is 3.9.
  * Deprecation Notices:
    - Support for obs-fold continuation lines in HTTP headers is
      deprecated and will be removed in Tornado 7.0, as is the use of
      carriage returns without line feeds as header separators.
    - The callback argument to websocket_connect is deprecated and
      will be removed in Tornado 7.0. Note that on_message_callback is
      not deprecated.
    - The log_message and args attributes of tornado.web.HTTPError are
      deprecated. Use the new get_message method instead.

OBS-URL: https://build.opensuse.org/request/show/1277990
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=20

python-tornado6.changes

@@ -1,48 +1,3 @@
--------------------------------------------------------------------
-Tue Dec 16 13:42:10 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
-
-- Update to 6.5.4
-  * The in operator for HTTPHeaders was incorrectly case-sensitive, causing
-    lookups to fail for headers with different casing than the original header
-    name. This was a regression in version 6.5.3 and has been fixed to restore
-    the intended case-insensitive behavior from version 6.5.2 and earlier.
-- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
-  * Fixed a denial-of-service vulnerability involving quadratic computation
-    when parsing multipart/form-data request bodies. CVE-2025-67726
-    Thanks to Finder16 for reporting this issue.
-  * Fixed a denial-of-service vulnerability involving quadratic computation when
-    parsing repeated HTTP headers. CVE-2025-67725.
-    Thanks to Finder16 for reporting this issue.
-  * Fixed a header injection and XSS vulnerability involving the reason argument
-    to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724.
-    Thanks to Finder16 and Cheshire1225 for reporting this issue.
-  * Several demo applications bundled with the Tornado repo (blog, chat,
-    facebook) had an open redirect vulnerability which has been fixed. This is
-    not covered by a CVE or security advisory since the demo applications are
-    not included as a part of the Tornado package when installed, but developers
-    who have copied code from these demos may which to review their own
-    applications for open redirects.
-    Thanks to J1vvoo for reporting this issue.
-  * he s3server demo application contained some path traversal vulnerabilities.
-    Since this demo application was not demonstrating any interesting aspects of
-    Tornado, it has been deleted rather than being fixed.
-    Thanks to J1vvoo for reporting this issue.
-- Update to 6.5.2
-  * Fixed a bug that resulted in WebSocket pings not being sent at the
-    configured interval.
-  * Improved logging for invalid Host headers. This was previously logged as an
-    uncaught exception with a stack trace, now it is simply a 400 response
-    (logged as a warning in the access log).
-  * Restored the host argument to .HTTPServerRequest. This argument is
-    deprecated and will be removed in the future, but its removal with no
-    warning in 6.5.0 was a mistake.
-  * Removed a debugging print statement that was left in the code.
-  * Improved type hints for gen.multi.
-- Update to 6.5.1
-  * Fixed a bug in multipart/form-data parsing that could incorrectly reject
-    filenames containing characters above U+00FF (i.e. most characters outside
-    the Latin alphabet).
-
 -------------------------------------------------------------------
 Fri May 16 09:23:08 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
 

python-tornado6.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-tornado6
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-tornado6
-Version:        6.5.4
+Version:        6.5
 Release:        0
 Summary:        Open source version of scalable, non-blocking web server that power FriendFeed
 License:        Apache-2.0

tornado-6.5.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a22fa9047405d03260b483980635f0b041989d8bcc9a313f8fe18b411d84b1d7
-size 513632