diff --git a/python-tornado6.changes b/python-tornado6.changes index b89fa4f..38f9836 100644 --- a/python-tornado6.changes +++ b/python-tornado6.changes 
@@ -1,3 +1,48 @@ +------------------------------------------------------------------- +Tue Dec 16 13:42:10 UTC 2025 - Nico Krapp + +- Update to 6.5.4 + * The in operator for HTTPHeaders was incorrectly case-sensitive, causing + lookups to fail for headers with different casing than the original header + name. This was a regression in version 6.5.3 and has been fixed to restore + the intended case-insensitive behavior from version 6.5.2 and earlier. +- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904) + * Fixed a denial-of-service vulnerability involving quadratic computation + when parsing multipart/form-data request bodies. CVE-2025-67726 + Thanks to Finder16 for reporting this issue. + * Fixed a denial-of-service vulnerability involving quadratic computation when + parsing repeated HTTP headers. CVE-2025-67725. + Thanks to Finder16 for reporting this issue. + * Fixed a header injection and XSS vulnerability involving the reason argument + to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724. + Thanks to Finder16 and Cheshire1225 for reporting this issue. + * Several demo applications bundled with the Tornado repo (blog, chat, + facebook) had an open redirect vulnerability which has been fixed. This is + not covered by a CVE or security advisory since the demo applications are + not included as a part of the Tornado package when installed, but developers + who have copied code from these demos may which to review their own + applications for open redirects. + Thanks to J1vvoo for reporting this issue. + * he s3server demo application contained some path traversal vulnerabilities. + Since this demo application was not demonstrating any interesting aspects of + Tornado, it has been deleted rather than being fixed. + Thanks to J1vvoo for reporting this issue. +- Update to 6.5.2 + * Fixed a bug that resulted in WebSocket pings not being sent at the + configured interval. + * Improved logging for invalid Host headers. 
This was previously logged as an + uncaught exception with a stack trace, now it is simply a 400 response + (logged as a warning in the access log). + * Restored the host argument to .HTTPServerRequest. This argument is + deprecated and will be removed in the future, but its removal with no + warning in 6.5.0 was a mistake. + * Removed a debugging print statement that was left in the code. + * Improved type hints for gen.multi. +- Update to 6.5.1 + * Fixed a bug in multipart/form-data parsing that could incorrectly reject + filenames containing characters above U+00FF (i.e. most characters outside + the Latin alphabet). + ------------------------------------------------------------------- Fri May 16 09:23:08 UTC 2025 - Daniel Garcia diff --git a/python-tornado6.spec b/python-tornado6.spec index 0648beb..49e2217 100644 --- a/python-tornado6.spec +++ b/python-tornado6.spec @@ -1,7 +1,7 @@ # # spec file for package python-tornado6 # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %{?sle15_python_module_pythons} Name: python-tornado6 -Version: 6.5 +Version: 6.5.4 Release: 0 Summary: Open source version of scalable, non-blocking web server that power FriendFeed License: Apache-2.0 diff --git a/tornado-6.5.4.tar.gz b/tornado-6.5.4.tar.gz new file mode 100644 index 0000000..5dc6ed3 --- /dev/null +++ b/tornado-6.5.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a22fa9047405d03260b483980635f0b041989d8bcc9a313f8fe18b411d84b1d7 +size 513632 diff --git a/tornado-6.5.tar.gz b/tornado-6.5.tar.gz deleted file mode 100644 index ea35ab3..0000000 --- a/tornado-6.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c70c0a26d5b2d85440e4debd14a8d0b463a0cf35d92d3af05f5f1ffa8675c826 -size 508968
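Review bot: two typos carried over from the upstream release notes in the 6.5.3 entry of python-tornado6.changes should be fixed before this lands: "he s3server demo application" should read "The s3server demo application", and "developers who have copied code from these demos may which to review" should read "may wish to review". The entry is otherwise consistent with the spec change: it covers 6.5.1 through 6.5.4, ties 6.5.3 to bsc#1254903, bsc#1254904 and bsc#1254905 and names CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726, and it records that 6.5.4 repairs the case-sensitive HTTPHeaders `in` regression introduced in 6.5.3, which is the rationale for going straight to 6.5.4 rather than 6.5.3 and is worth keeping in the entry.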
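Review bot: the Version bump from 6.5 to 6.5.4 in python-tornado6.spec matches the new tarball and the changelog, and leaving Release at 0 is correct for OBS. While this header is being touched, the unchanged Summary context line has a grammar slip ("web server that power FriendFeed"); "web server that powered FriendFeed" would read correctly. The copyright line change to "SUSE LLC and contributors" needs no further action.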
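Review bot: the added tornado-6.5.4.tar.gz is a Git LFS pointer, so the sha256 oid in this hunk only identifies the object that was uploaded, not the upstream release itself; please note in the submit request that the archive was checked against the checksum published for the 6.5.4 release, since neither spec hunk shown here adds a signature or keyring source for this update. The size change from 508968 to 513632 bytes is consistent with a point release, and the old tornado-6.5.tar.gz pointer is removed in the following hunk, so no stale source remains.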