rpm/python-tornado6
SHA256
1
0
Fork 0
forked from pool/python-tornado6
Code Pull Requests Activity

Compare commits

merge into: rpm:factory
Branches Tags
rpm:factory rpm:devel pool:factory pool:slfo-main pool:slfo-1.2
...
pull from: pool:factory
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2 rpm:factory rpm:devel

6 Commits
factory ... factory

Author SHA256 Message Date
Dominique Leuenberger
b2373358e3 Accepting request 1323582 from devel:languages:python 
OBS-URL: https://build.opensuse.org/request/show/1323582
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=21
 2025-12-20 20:45:03 +00:00
Steve Kowalik
46a9d0e6f7 - Update to 6.5.4 
* The in operator for HTTPHeaders was incorrectly case-sensitive, causing
    lookups to fail for headers with different casing than the original header
    name. This was a regression in version 6.5.3 and has been fixed to restore
    the intended case-insensitive behavior from version 6.5.2 and earlier.
- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
  * Fixed a denial-of-service vulnerability involving quadratic computation
    when parsing multipart/form-data request bodies. CVE-2025-67726
    Thanks to Finder16 for reporting this issue.
  * Fixed a denial-of-service vulnerability involving quadratic computation when
    parsing repeated HTTP headers. CVE-2025-67725.
    Thanks to Finder16 for reporting this issue.
  * Fixed a header injection and XSS vulnerability involving the reason argument
    to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724.
    Thanks to Finder16 and Cheshire1225 for reporting this issue.
  * Several demo applications bundled with the Tornado repo (blog, chat,
    facebook) had an open redirect vulnerability which has been fixed. This is
    not covered by a CVE or security advisory since the demo applications are
    not included as a part of the Tornado package when installed, but developers
    who have copied code from these demos may which to review their own
    applications for open redirects.
    Thanks to J1vvoo for reporting this issue.
  * he s3server demo application contained some path traversal vulnerabilities.
    Since this demo application was not demonstrating any interesting aspects of
    Tornado, it has been deleted rather than being fixed.
    Thanks to J1vvoo for reporting this issue.
- Update to 6.5.2
  * Fixed a bug that resulted in WebSocket pings not being sent at the
    configured interval.
  * Improved logging for invalid Host headers. This was previously logged as an
    uncaught exception with a stack trace, now it is simply a 400 response
    (logged as a warning in the access log).
  * Restored the host argument to .HTTPServerRequest. This argument is
    deprecated and will be removed in the future, but its removal with no
    warning in 6.5.0 was a mistake.
  * Removed a debugging print statement that was left in the code.
  * Improved type hints for gen.multi.
- Update to 6.5.1
  * Fixed a bug in multipart/form-data parsing that could incorrectly reject
    filenames containing characters above U+00FF (i.e. most characters outside
    the Latin alphabet).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=48
 2025-12-18 23:48:04 +00:00
Ana Guerrero
8f0aed5840 Accepting request 1277990 from devel:languages:python 
- Update to 6.5.0 (CVE-2025-47287, bsc#1243268):
  * Security Improvements:
    - Previously, malformed multipart-form-data requests could log
      multiple warnings and constitute a denial-of-service attack. Now
      an exception is raised at the first error, so there is only one
      log message per request. This fixes CVE-2025-47287.
  * General Changes:
    - Python 3.14 is now supported. Older versions of Tornado will
      work on Python 3.14 but may log deprecation warnings.
    - The free-threading mode of Python 3.13 is now supported on an
      experimental basis. Prebuilt wheels are not yet available for
      this configuration, but it can be built from source.
    - The minimum supported Python version is 3.9.
  * Deprecation Notices:
    - Support for obs-fold continuation lines in HTTP headers is
      deprecated and will be removed in Tornado 7.0, as is the use of
      carriage returns without line feeds as header separators.
    - The callback argument to websocket_connect is deprecated and
      will be removed in Tornado 7.0. Note that on_message_callback is
      not deprecated.
    - The log_message and args attributes of tornado.web.HTTPError are
      deprecated. Use the new get_message method instead.

OBS-URL: https://build.opensuse.org/request/show/1277990
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=20
 2025-05-23 12:27:19 +00:00
Daniel Garcia
d509d3561b - Update to 6.5.0 (CVE-2025-47287, bsc#1243268): 
* Security Improvements:
    - Previously, malformed multipart-form-data requests could log
      multiple warnings and constitute a denial-of-service attack. Now
      an exception is raised at the first error, so there is only one
      log message per request. This fixes CVE-2025-47287.
  * General Changes:
    - Python 3.14 is now supported. Older versions of Tornado will
      work on Python 3.14 but may log deprecation warnings.
    - The free-threading mode of Python 3.13 is now supported on an
      experimental basis. Prebuilt wheels are not yet available for
      this configuration, but it can be built from source.
    - The minimum supported Python version is 3.9.
  * Deprecation Notices:
    - Support for obs-fold continuation lines in HTTP headers is
      deprecated and will be removed in Tornado 7.0, as is the use of
      carriage returns without line feeds as header separators.
    - The callback argument to websocket_connect is deprecated and
      will be removed in Tornado 7.0. Note that on_message_callback is
      not deprecated.
    - The log_message and args attributes of tornado.web.HTTPError are
      deprecated. Use the new get_message method instead.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=46
 2025-05-16 09:31:51 +00:00
Ana Guerrero
da9e76faa6 Accepting request 1226139 from devel:languages:python 
- Update to 6.4.2: 
  + Security Improvements:
    * Parsing of the cookie header is now much more efficient. The older
      algorithm sometimes had quadratic performance which allowed for a
      denial-of-service attack in which the server would spend excessive
      CPU time parsing cookies and block the event loop.
      (CVE-2024-52804, bsc#1233668)

OBS-URL: https://build.opensuse.org/request/show/1226139
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=19
 2024-11-26 19:55:22 +00:00
Steve Kowalik
c3ee285ce0 - Update to 6.4.2: 
+ Security Improvements:
    * Parsing of the cookie header is now much more efficient. The older
      algorithm sometimes had quadratic performance which allowed for a
      denial-of-service attack in which the server would spend excessive
      CPU time parsing cookies and block the event loop.
      (CVE-2024-52804, bsc#1233668)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-tornado6?expand=0&rev=44
 2024-11-25 03:21:09 +00:00
4 changed files with 88 additions and 7 deletions
Expand all files Collapse all files

82
python-tornado6.changes
View File

@@ -1,3 +1,85 @@
-------------------------------------------------------------------
Tue Dec 16 13:42:10 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
- Update to 6.5.4
* The in operator for HTTPHeaders was incorrectly case-sensitive, causing
lookups to fail for headers with different casing than the original header
name. This was a regression in version 6.5.3 and has been fixed to restore
the intended case-insensitive behavior from version 6.5.2 and earlier.
- Update to 6.5.3 (bsc#1254903, bsc#1254905, bsc#1254904)
* Fixed a denial-of-service vulnerability involving quadratic computation
when parsing multipart/form-data request bodies. CVE-2025-67726
Thanks to Finder16 for reporting this issue.
* Fixed a denial-of-service vulnerability involving quadratic computation when
parsing repeated HTTP headers. CVE-2025-67725.
Thanks to Finder16 for reporting this issue.
* Fixed a header injection and XSS vulnerability involving the reason argument
to .RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724.
Thanks to Finder16 and Cheshire1225 for reporting this issue.
* Several demo applications bundled with the Tornado repo (blog, chat,
facebook) had an open redirect vulnerability which has been fixed. This is
not covered by a CVE or security advisory since the demo applications are
not included as a part of the Tornado package when installed, but developers
who have copied code from these demos may which to review their own
applications for open redirects.
Thanks to J1vvoo for reporting this issue.
* he s3server demo application contained some path traversal vulnerabilities.
Since this demo application was not demonstrating any interesting aspects of
Tornado, it has been deleted rather than being fixed.
Thanks to J1vvoo for reporting this issue.
- Update to 6.5.2
* Fixed a bug that resulted in WebSocket pings not being sent at the
configured interval.
* Improved logging for invalid Host headers. This was previously logged as an
uncaught exception with a stack trace, now it is simply a 400 response
(logged as a warning in the access log).
* Restored the host argument to .HTTPServerRequest. This argument is
deprecated and will be removed in the future, but its removal with no
warning in 6.5.0 was a mistake.
* Removed a debugging print statement that was left in the code.
* Improved type hints for gen.multi.
- Update to 6.5.1
* Fixed a bug in multipart/form-data parsing that could incorrectly reject
filenames containing characters above U+00FF (i.e. most characters outside
the Latin alphabet).
-------------------------------------------------------------------
Fri May 16 09:23:08 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Update to 6.5.0 (CVE-2025-47287, bsc#1243268):
* Security Improvements:
- Previously, malformed multipart-form-data requests could log
multiple warnings and constitute a denial-of-service attack. Now
an exception is raised at the first error, so there is only one
log message per request. This fixes CVE-2025-47287.
* General Changes:
- Python 3.14 is now supported. Older versions of Tornado will
work on Python 3.14 but may log deprecation warnings.
- The free-threading mode of Python 3.13 is now supported on an
experimental basis. Prebuilt wheels are not yet available for
this configuration, but it can be built from source.
- The minimum supported Python version is 3.9.
* Deprecation Notices:
- Support for obs-fold continuation lines in HTTP headers is
deprecated and will be removed in Tornado 7.0, as is the use of
carriage returns without line feeds as header separators.
- The callback argument to websocket_connect is deprecated and
will be removed in Tornado 7.0. Note that on_message_callback is
not deprecated.
- The log_message and args attributes of tornado.web.HTTPError are
deprecated. Use the new get_message method instead.
-------------------------------------------------------------------
Mon Nov 25 03:19:20 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
- Update to 6.4.2:
+ Security Improvements:
* Parsing of the cookie header is now much more efficient. The older
algorithm sometimes had quadratic performance which allowed for a
denial-of-service attack in which the server would spend excessive
CPU time parsing cookies and block the event loop.
(CVE-2024-52804, bsc#1233668)
-------------------------------------------------------------------
Wed Jul 31 09:32:23 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>

7
python-tornado6.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package python-tornado6
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,9 +17,8 @@
%{?sle15_python_module_pythons}
%define skip_python2 1
Name: python-tornado6
Version: 6.4.1
Version: 6.5.4
Release: 0
Summary: Open source version of scalable, non-blocking web server that power FriendFeed
License: Apache-2.0
@@ -104,6 +103,6 @@ export TRAVIS=1
%license LICENSE
%doc %{_docdir}/%{python_prefix}-tornado6
%{python_sitearch}/tornado
%{python_sitearch}/tornado-%{version}*-info
%{python_sitearch}/tornado-%{version}.dist-info
%changelog

3
tornado-6.4.1.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:92d3ab53183d8c50f8204a51e6f91d18a15d5ef261e84d452800d4ff6fc504e9
size 500623

3
tornado-6.5.4.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a22fa9047405d03260b483980635f0b041989d8bcc9a313f8fe18b411d84b1d7
size 513632