python/python-tornado6
SHA256
15
0
Fork 0
forked from pool/python-tornado6
Code Pull Requests Activity

Compare commits

base: python:main
Branches Tags
python:main python:slfo-1.2 python:slfo-main pool:factory pool:slfo-main pool:slfo-1.2
..
compare: pool:factory
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2 python:main python:slfo-1.2 python:slfo-main

8 Commits
main ... factory

Author SHA256 Message Date
Dominique Leuenberger
b2373358e3 Accepting request 1323582 from devel:languages:python 
OBS-URL: https://build.opensuse.org/request/show/1323582
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=21
 2025-12-20 20:45:03 +00:00
Steve Kowalik
46a9d0e6f7 - Update to 6.5.4 
* The in operator for HTTPHeaders was incorrectly case-sensitive, causing
    lookups to fail for headers with different casing than the original header
    name. This was a regression in version 6.5.3 and has been fixed to restore
    the intended case-insensitive behavior from version 6.5.2 and earlier.
- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
  * Fixed a denial-of-service vulnerability involving quadratic computation
    when parsing multipart/form-data request bodies. CVE-2025-67726
    Thanks to Finder16 for reporting this issue.
  * Fixed a denial-of-service vulnerability involving quadratic computation when
    parsing repeated HTTP headers. CVE-2025-67725.
    Thanks to Finder16 for reporting this issue.
  * Fixed a header injection and XSS vulnerability involving the reason argument
    to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724.
    Thanks to Finder16 and Cheshire1225 for reporting this issue.
  * Several demo applications bundled with the Tornado repo (blog, chat,
    facebook) had an open redirect vulnerability which has been fixed. This is
    not covered by a CVE or security advisory since the demo applications are
    not included as a part of the Tornado package when installed, but developers
    who have copied code from these demos may which to review their own
    applications for open redirects.
    Thanks to J1vvoo for reporting this issue.
  * he s3server demo application contained some path traversal vulnerabilities.
    Since this demo application was not demonstrating any interesting aspects of
    Tornado, it has been deleted rather than being fixed.
    Thanks to J1vvoo for reporting this issue.
- Update to 6.5.2
  * Fixed a bug that resulted in WebSocket pings not being sent at the
    configured interval.
  * Improved logging for invalid Host headers. This was previously logged as an
    uncaught exception with a stack trace, now it is simply a 400 response
    (logged as a warning in the access log).
  * Restored the host argument to .HTTPServerRequest. This argument is
    deprecated and will be removed in the future, but its removal with no
    warning in 6.5.0 was a mistake.
  * Removed a debugging print statement that was left in the code.
  * Improved type hints for gen.multi.
- Update to 6.5.1
  * Fixed a bug in multipart/form-data parsing that could incorrectly reject
    filenames containing characters above U+00FF (i.e. most characters outside
    the Latin alphabet).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=48
 2025-12-18 23:48:04 +00:00
Ana Guerrero
8f0aed5840 Accepting request 1277990 from devel:languages:python 
- Update to 6.5.0 (CVE-2025-47287, bsc#1243268):
  * Security Improvements:
    - Previously, malformed multipart-form-data requests could log
      multiple warnings and constitute a denial-of-service attack. Now
      an exception is raised at the first error, so there is only one
      log message per request. This fixes CVE-2025-47287.
  * General Changes:
    - Python 3.14 is now supported. Older versions of Tornado will
      work on Python 3.14 but may log deprecation warnings.
    - The free-threading mode of Python 3.13 is now supported on an
      experimental basis. Prebuilt wheels are not yet available for
      this configuration, but it can be built from source.
    - The minimum supported Python version is 3.9.
  * Deprecation Notices:
    - Support for obs-fold continuation lines in HTTP headers is
      deprecated and will be removed in Tornado 7.0, as is the use of
      carriage returns without line feeds as header separators.
    - The callback argument to websocket_connect is deprecated and
      will be removed in Tornado 7.0. Note that on_message_callback is
      not deprecated.
    - The log_message and args attributes of tornado.web.HTTPError are
      deprecated. Use the new get_message method instead.

OBS-URL: https://build.opensuse.org/request/show/1277990
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=20
 2025-05-23 12:27:19 +00:00
Daniel Garcia
d509d3561b - Update to 6.5.0 (CVE-2025-47287, bsc#1243268): 
* Security Improvements:
    - Previously, malformed multipart-form-data requests could log
      multiple warnings and constitute a denial-of-service attack. Now
      an exception is raised at the first error, so there is only one
      log message per request. This fixes CVE-2025-47287.
  * General Changes:
    - Python 3.14 is now supported. Older versions of Tornado will
      work on Python 3.14 but may log deprecation warnings.
    - The free-threading mode of Python 3.13 is now supported on an
      experimental basis. Prebuilt wheels are not yet available for
      this configuration, but it can be built from source.
    - The minimum supported Python version is 3.9.
  * Deprecation Notices:
    - Support for obs-fold continuation lines in HTTP headers is
      deprecated and will be removed in Tornado 7.0, as is the use of
      carriage returns without line feeds as header separators.
    - The callback argument to websocket_connect is deprecated and
      will be removed in Tornado 7.0. Note that on_message_callback is
      not deprecated.
    - The log_message and args attributes of tornado.web.HTTPError are
      deprecated. Use the new get_message method instead.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=46
 2025-05-16 09:31:51 +00:00
Ana Guerrero
da9e76faa6 Accepting request 1226139 from devel:languages:python 
- Update to 6.4.2: 
  + Security Improvements:
    * Parsing of the cookie header is now much more efficient. The older
      algorithm sometimes had quadratic performance which allowed for a
      denial-of-service attack in which the server would spend excessive
      CPU time parsing cookies and block the event loop.
      (CVE-2024-52804, bsc#1233668)

OBS-URL: https://build.opensuse.org/request/show/1226139
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=19
 2024-11-26 19:55:22 +00:00
Steve Kowalik
c3ee285ce0 - Update to 6.4.2: 
+ Security Improvements:
    * Parsing of the cookie header is now much more efficient. The older
      algorithm sometimes had quadratic performance which allowed for a
      denial-of-service attack in which the server would spend excessive
      CPU time parsing cookies and block the event loop.
      (CVE-2024-52804, bsc#1233668)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=44
 2024-11-25 03:21:09 +00:00
Dominique Leuenberger
a009a9b49d Accepting request 1190823 from devel:languages:python 
OBS-URL: https://build.opensuse.org/request/show/1190823
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=18
 2024-08-02 15:26:09 +00:00
Matej Cepl
37b092df83 Accepting request 1190624 from home:dimstar:Factory 
Update to 6.4.1 - does NOT fix the test issue with cURL 8.9.1

OBS-URL: https://build.opensuse.org/request/show/1190624
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=42
 2024-07-31 21:55:58 +00:00
4 changed files with 50 additions and 5 deletions
Expand all files Collapse all files

45
python-tornado6.changes
View File

@@ -1,3 +1,48 @@
-------------------------------------------------------------------
Tue Dec 16 13:42:10 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
- Update to 6.5.4
* The in operator for HTTPHeaders was incorrectly case-sensitive, causing
lookups to fail for headers with different casing than the original header
name. This was a regression in version 6.5.3 and has been fixed to restore
the intended case-insensitive behavior from version 6.5.2 and earlier.
- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
* Fixed a denial-of-service vulnerability involving quadratic computation
when parsing multipart/form-data request bodies. CVE-2025-67726
Thanks to Finder16 for reporting this issue.
* Fixed a denial-of-service vulnerability involving quadratic computation when
parsing repeated HTTP headers. CVE-2025-67725.
Thanks to Finder16 for reporting this issue.
* Fixed a header injection and XSS vulnerability involving the reason argument
to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724.
Thanks to Finder16 and Cheshire1225 for reporting this issue.
* Several demo applications bundled with the Tornado repo (blog, chat,
facebook) had an open redirect vulnerability which has been fixed. This is
not covered by a CVE or security advisory since the demo applications are
not included as a part of the Tornado package when installed, but developers
who have copied code from these demos may which to review their own
applications for open redirects.
Thanks to J1vvoo for reporting this issue.
* he s3server demo application contained some path traversal vulnerabilities.
Since this demo application was not demonstrating any interesting aspects of
Tornado, it has been deleted rather than being fixed.
Thanks to J1vvoo for reporting this issue.
- Update to 6.5.2
* Fixed a bug that resulted in WebSocket pings not being sent at the
configured interval.
* Improved logging for invalid Host headers. This was previously logged as an
uncaught exception with a stack trace, now it is simply a 400 response
(logged as a warning in the access log).
* Restored the host argument to .HTTPServerRequest. This argument is
deprecated and will be removed in the future, but its removal with no
warning in 6.5.0 was a mistake.
* Removed a debugging print statement that was left in the code.
* Improved type hints for gen.multi.
- Update to 6.5.1
* Fixed a bug in multipart/form-data parsing that could incorrectly reject
filenames containing characters above U+00FF (i.e. most characters outside
the Latin alphabet).
-------------------------------------------------------------------
Fri May 16 09:23:08 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>

4
python-tornado6.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package python-tornado6
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%{?sle15_python_module_pythons}
Name: python-tornado6
Version: 6.5
Version: 6.5.4
Release: 0
Summary: Open source version of scalable, non-blocking web server that power FriendFeed
License: Apache-2.0

3
tornado-6.5.4.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a22fa9047405d03260b483980635f0b041989d8bcc9a313f8fe18b411d84b1d7
size 513632

BIN
tornado-6.5.tar.gz LFS
View File

Binary file not shown.