Accepting request 1323582 from devel:languages:python

OBS-URL: https://build.opensuse.org/request/show/1323582
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=21

openssl-3.2.patch

@@ -1,13 +0,0 @@
-Index: tornado-6.4/tornado/iostream.py
-===================================================================
---- tornado-6.4.orig/tornado/iostream.py
-+++ tornado-6.4/tornado/iostream.py
-@@ -1374,7 +1374,7 @@ class SSLIOStream(IOStream):
-                 return
-             elif err.args[0] in (ssl.SSL_ERROR_EOF, ssl.SSL_ERROR_ZERO_RETURN):
-                 return self.close(exc_info=err)
--            elif err.args[0] == ssl.SSL_ERROR_SSL:
-+            elif err.args[0] in (ssl.SSL_ERROR_SSL, ssl.SSL_ERROR_SYSCALL):
-                 try:
-                     peer = self.socket.getpeername()
-                 except Exception:

python-tornado6.changes

@@ -1,3 +1,119 @@
+-------------------------------------------------------------------
+Tue Dec 16 13:42:10 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
+
+- Update to 6.5.4
+  * The in operator for HTTPHeaders was incorrectly case-sensitive, causing
+    lookups to fail for headers with different casing than the original header
+    name. This was a regression in version 6.5.3 and has been fixed to restore
+    the intended case-insensitive behavior from version 6.5.2 and earlier.
+- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
+  * Fixed a denial-of-service vulnerability involving quadratic computation
+    when parsing multipart/form-data request bodies. CVE-2025-67726
+    Thanks to Finder16 for reporting this issue.
+  * Fixed a denial-of-service vulnerability involving quadratic computation when
+    parsing repeated HTTP headers. CVE-2025-67725.
+    Thanks to Finder16 for reporting this issue.
+  * Fixed a header injection and XSS vulnerability involving the reason argument
+    to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724.
+    Thanks to Finder16 and Cheshire1225 for reporting this issue.
+  * Several demo applications bundled with the Tornado repo (blog, chat,
+    facebook) had an open redirect vulnerability which has been fixed. This is
+    not covered by a CVE or security advisory since the demo applications are
+    not included as a part of the Tornado package when installed, but developers
+    who have copied code from these demos may which to review their own
+    applications for open redirects.
+    Thanks to J1vvoo for reporting this issue.
+  * he s3server demo application contained some path traversal vulnerabilities.
+    Since this demo application was not demonstrating any interesting aspects of
+    Tornado, it has been deleted rather than being fixed.
+    Thanks to J1vvoo for reporting this issue.
+- Update to 6.5.2
+  * Fixed a bug that resulted in WebSocket pings not being sent at the
+    configured interval.
+  * Improved logging for invalid Host headers. This was previously logged as an
+    uncaught exception with a stack trace, now it is simply a 400 response
+    (logged as a warning in the access log).
+  * Restored the host argument to .HTTPServerRequest. This argument is
+    deprecated and will be removed in the future, but its removal with no
+    warning in 6.5.0 was a mistake.
+  * Removed a debugging print statement that was left in the code.
+  * Improved type hints for gen.multi.
+- Update to 6.5.1
+  * Fixed a bug in multipart/form-data parsing that could incorrectly reject
+    filenames containing characters above U+00FF (i.e. most characters outside
+    the Latin alphabet).
+
+-------------------------------------------------------------------
+Fri May 16 09:23:08 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 6.5.0 (CVE-2025-47287, bsc#1243268):
+  * Security Improvements:
+    - Previously, malformed multipart-form-data requests could log
+      multiple warnings and constitute a denial-of-service attack. Now
+      an exception is raised at the first error, so there is only one
+      log message per request. This fixes CVE-2025-47287.
+  * General Changes:
+    - Python 3.14 is now supported. Older versions of Tornado will
+      work on Python 3.14 but may log deprecation warnings.
+    - The free-threading mode of Python 3.13 is now supported on an
+      experimental basis. Prebuilt wheels are not yet available for
+      this configuration, but it can be built from source.
+    - The minimum supported Python version is 3.9.
+  * Deprecation Notices:
+    - Support for obs-fold continuation lines in HTTP headers is
+      deprecated and will be removed in Tornado 7.0, as is the use of
+      carriage returns without line feeds as header separators.
+    - The callback argument to websocket_connect is deprecated and
+      will be removed in Tornado 7.0. Note that on_message_callback is
+      not deprecated.
+    - The log_message and args attributes of tornado.web.HTTPError are
+      deprecated. Use the new get_message method instead.
+
+-------------------------------------------------------------------
+Mon Nov 25 03:19:20 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 6.4.2: 
+  + Security Improvements:
+    * Parsing of the cookie header is now much more efficient. The older
+      algorithm sometimes had quadratic performance which allowed for a
+      denial-of-service attack in which the server would spend excessive
+      CPU time parsing cookies and block the event loop.
+      (CVE-2024-52804, bsc#1233668)
+
+-------------------------------------------------------------------
+Wed Jul 31 09:32:23 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 6.4.1:
+  + Security Improvements:
+    - Parsing of the ``Transfer-Encoding`` header is now stricter.
+      Unexpected transfer-encoding values were previously ignored
+      and treated as the HTTP/1.0 default of read-until-close. This
+      can lead to framing issues with certain proxies. We now treat
+      any unexpected value as an error.
+    - Handling of whitespace in headers now matches the RFC more
+      closely. Only space and tab characters are treated as
+      whitespace and stripped from the beginning and end of header
+      values. Other unicode whitespace characters are now left
+      alone. This could also lead to framing issues with certain
+      proxies.
+    - `tornado.curl_httpclient` now prohibits carriage return and
+      linefeed headers in HTTP headers (matching the behavior of
+      `simple_httpclient`). These characters could be used for
+      header injection or request smuggling if untrusted data were
+      used in headers.
+  + General Changes:
+    - `tornado.iostream`: `SLIOStream` now understands changes to
+      error codes from OpenSSL 3.2. The main result of this change
+      is to reduce the noise in the logs for certain errors.
+    - `tornado.simple_httpclient`: `simple_httpclient` now
+      prohibits carriage return characters in HTTP headers. It had
+      previously prohibited only linefeed characters.
+    - `tornado.testing`: `.AsyncTestCase` subclasses can now be
+      instantiated without being associated with a test method.
+      Improves compatibility with test discovery in Pytest 8.2.
+- Drop  support-pytest-8.2.patch: fixed upstream.
+- Drop openssl-3.2.patch: fixed upstream.
+
 -------------------------------------------------------------------
 Fri May 17 03:37:07 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
 

python-tornado6.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-tornado6
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,9 +17,8 @@
 
 
 %{?sle15_python_module_pythons}
-%define         skip_python2 1
 Name:           python-tornado6
-Version:        6.4
+Version:        6.5.4
 Release:        0
 Summary:        Open source version of scalable, non-blocking web server that power FriendFeed
 License:        Apache-2.0
@@ -28,10 +27,6 @@ Source:         https://files.pythonhosted.org/packages/source/t/tornado/tornado
 Source99:       python-tornado6-rpmlintrc
 # PATCH-FIX-OPENSUSE ignore-resourcewarning-doctests.patch -- ignore resource warnings on OBS
 Patch0:         ignore-resourcewarning-doctests.patch
-# PATCH-FIX-OPENSUSE openssl-3.2.patch gh#tornadoweb/tornado#3355
-Patch1:         openssl-3.2.patch
-# PATCH-FIX-UPSTREAM gh#tornadoweb/tornado#3374
-Patch2:         support-pytest-8.2.patch
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module pip}
@@ -108,6 +103,6 @@ export TRAVIS=1
 %license LICENSE
 %doc %{_docdir}/%{python_prefix}-tornado6
 %{python_sitearch}/tornado
-%{python_sitearch}/tornado-%{version}*-info
+%{python_sitearch}/tornado-%{version}.dist-info
 
 %changelog

support-pytest-8.2.patch

@@ -1,66 +0,0 @@
-From c851aa8a949524b35f72c82b45a52353aa3c0558 Mon Sep 17 00:00:00 2001
-From: Ran Benita <ran@unusedvar.com>
-Date: Sun, 28 Apr 2024 14:17:54 +0300
-Subject: [PATCH] testing: allow to instantiate an empty AsyncTestCase
-
-`unittest.TestCase` has a feature where it allows instantiating
-`MyTestClass()` with the default method name `runTest` even if a
-`runTest` method doesn't actually exist. This is documented in
-`TestCase`'s docs under "Changed in version 3.2"[0].
-
-Since version 8.2, pytest relies on this, and started breaking on
-Tornado's `AsyncTestCase`[1].
-
-Change `AsyncTestCase` to allow empty instatiation, by matching the
-upstream code.
-
-[0] https://docs.python.org/3/library/unittest.html#unittest.TestCase
-[1] https://github.com/pytest-dev/pytest/issues/12263
----
- tornado/test/testing_test.py |  9 +++++++++
- tornado/testing.py           | 12 +++++++++++-
- 2 files changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/tornado/test/testing_test.py b/tornado/test/testing_test.py
-index 0429feee83..8e2b8db428 100644
---- a/tornado/test/testing_test.py
-+++ b/tornado/test/testing_test.py
-@@ -61,6 +61,15 @@ def test_subsequent_wait_calls(self):
-         self.io_loop.add_timeout(self.io_loop.time() + 0.2, self.stop)
-         self.wait(timeout=0.4)
- 
-+    def test_empty_instantation_is_allowed(self):
-+        """
-+        Test that empty instatiation of an AsyncTestCase is allowed.
-+
-+        unittest.TestCase docs guarantee this working, and pytest's unittest
-+        support relies on it.
-+        """
-+        AsyncTestCaseTest()
-+
- 
- class LeakTest(AsyncTestCase):
-     def tearDown(self):
-diff --git a/tornado/testing.py b/tornado/testing.py
-index bdbff87bc3..9455411a6d 100644
---- a/tornado/testing.py
-+++ b/tornado/testing.py
-@@ -177,7 +177,17 @@ def __init__(self, methodName: str = "runTest") -> None:
-         # the test will silently be ignored because nothing will consume
-         # the generator.  Replace the test method with a wrapper that will
-         # make sure it's not an undecorated generator.
--        setattr(self, methodName, _TestMethodWrapper(getattr(self, methodName)))
-+        try:
-+            test_method = getattr(self, methodName)
-+        except AttributeError:
-+            if methodName != "runTest":
-+                # We allow instantiation with no explicit method name
-+                # but not an *incorrect* or missing method name.
-+                raise ValueError(
-+                    "no such test method in %s: %s" % (self.__class__, methodName)
-+                )
-+        else:
-+            setattr(self, methodName, _TestMethodWrapper(test_method))
- 
-         # Not used in this class itself, but used by @gen_test
-         self._test_generator = None  # type: Optional[Union[Generator, Coroutine]]

tornado-6.5.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a22fa9047405d03260b483980635f0b041989d8bcc9a313f8fe18b411d84b1d7
+size 513632