[continued from previous message]
Received: from dak by fasolo.debian.org with local (Exim 4.94.2)
(envelope-from <[email protected]>)
id 1uNe5Q-00FOec-Qv; Fri, 06 Jun 2025 20:54:48 +0000
From: Debian FTP Masters <[email protected]>
Reply-To: Daniel Leidert <[email protected]>
To: [email protected]
X-DAK: dak process-policy
X-Debian: DAK
X-Debian-Package: python-tornado
Debian: DAK
Debian-Changes: python-tornado_6.2.0-3+deb12u2_source.changes
Debian-Source: python-tornado
Debian-Version: 6.2.0-3+deb12u2
Debian-Architecture: source
Debian-Suite: proposed-updates
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1105886: fixed in python-tornado 6.2.0-3+deb12u2
Content-Type: multipart/signed; micalg="pgp-sha256";
protocol="application/pgp-signature";
boundary="===============2153438442815691332=="
Message-Id: <[email protected]>
Date: Fri, 06 Jun 2025 20:54:48 +0000
--===============2153438442815691332==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Source: python-tornado
Source-Version: 6.2.0-3+deb12u2
Done: Daniel Leidert <[email protected]>
We believe that the bug you reported is fixed in the latest version of python-tornado, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Leidert <[email protected]> (supplier of updated python-tornado package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 03 Jun 2025 13:27:39 +0200
Source: python-tornado
Architecture: source
Version: 6.2.0-3+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Daniel Leidert <[email protected]>
Closes: 1105886
Changes:
 python-tornado (6.2.0-3+deb12u2) bookworm-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2025-47287.patch: Add patch to fix CVE-2025-47287.
     - When Tornado's 'multipart/form-data' parser encounters certain errors,
       it logs a warning but continues trying to parse the remainder of the
       data. This allows remote attackers to generate an extremely high volume
       of logs, constituting a DoS attack. This DoS is compounded by the fact
       that the logging subsystem is synchronous (closes: #1105886).
Checksums-Sha1:
4d88854164a708f4acf181a2397d7e67137c14f1 2559 python-tornado_6.2.0-3+deb12u2.dsc
9e809453db3a3347b7c0e7837a189833247e0828 519040 python-tornado_6.2.0.orig.tar.gz
068024e3b3bcf285e63b1702d40bbab7b84a9422 15600 python-tornado_6.2.0-3+deb12u2.debian.tar.xz
ef9d98d59ca35c105ebc610846836a1463094d1b 10494 python-tornado_6.2.0-3+deb12u2_amd64.buildinfo
Checksums-Sha256:
3f0add8aac3e118c3a72045c41c200138ff9e097aa334dbbf983e5a6cc236353 2559 python-tornado_6.2.0-3+deb12u2.dsc
c2e902e4771eb90b057c7629fa239a59ecae63052919c3b5e61253f2c8a5f0d6 519040 python-tornado_6.2.0.orig.tar.gz
ee4503f50b56a2e41dd6646e6eabffea52fff79a5cba0a9d80631208c1dd6d55 15600 python-tornado_6.2.0-3+deb12u2.debian.tar.xz
4d233ff7b91a450178673f15dcb801f505b73e394215cf6f238a4b9ca6f568c6 10494 python-tornado_6.2.0-3+deb12u2_amd64.buildinfo
Files:
3c10d3e3161e4cc37fe6ed85762b51ac 2559 web optional python-tornado_6.2.0-3+deb12u2.dsc
ac5546f18d57171df7f711aefbd518c6 519040 web optional python-tornado_6.2.0.orig.tar.gz
81f17a3245e79ef715db2ae6e2a10ba5 15600 web optional python-tornado_6.2.0-3+deb12u2.debian.tar.xz
f587a690d8b1e89eb1ca2080c00b1f46 10494 web optional python-tornado_6.2.0-3+deb12u2_amd64.buildinfo
--===============2153438442815691332==
Content-Type: application/pgp-signature
--===============2153438442815691332==--
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
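
The failure mode described in the changelog entry above (warn and keep parsing versus reject on the first error), as an added example that is not part of the original message and is not Tornado's or Debian's code. The parser is a simplified stand-in; `parse_parts`, `MultipartError`, the `toy_multipart` logger and the sample body are all constructed for illustration.

```python
import logging

class ListHandler(logging.Handler):
    """Collects records so they can be counted (stands in for a synchronous log sink)."""
    def __init__(self):
        super().__init__()
        self.records = []
    def emit(self, record):
        self.records.append(record)

log = logging.getLogger("toy_multipart")  # hypothetical logger name
log.propagate = False
log.setLevel(logging.WARNING)
sink = ListHandler()
log.addHandler(sink)

class MultipartError(ValueError):
    """Raised by the strict parser; the caller should answer with a 400."""

def parse_parts(body: bytes, boundary: bytes, strict: bool) -> dict:
    """Toy multipart/form-data parser.
    strict=False: warn per malformed part and continue (the pattern the entry describes).
    strict=True: reject the whole body on the first malformed part."""
    fields = {}
    for part in body.split(b"--" + boundary):
        part = part.strip(b"\r\n")
        if not part or part == b"--":      # preamble or closing delimiter
            continue
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep or b'name="' not in head:
            if strict:
                raise MultipartError("malformed multipart/form-data part")
            log.warning("multipart/form-data part is malformed")
            continue
        name = head.split(b'name="', 1)[1].split(b'"', 1)[0].decode()
        fields[name] = value
    return fields

def warnings_emitted(body: bytes, boundary: bytes, strict: bool) -> int:
    """Number of log records a single request body produces."""
    sink.records.clear()
    try:
        parse_parts(body, boundary, strict)
    except MultipartError:
        pass
    return len(sink.records)

# Constructed sample input: one valid field followed by 1000 header-less parts.
BOUNDARY = b"xyz"
GOOD = b'--xyz\r\nContent-Disposition: form-data; name="a"\r\n\r\n1\r\n'
BAD_BODY = GOOD + b"--xyz\r\njunk\r\n" * 1000 + b"--xyz--\r\n"
```

In the lenient mode the number of log writes scales with the number of malformed parts in one request; in the strict mode it is bounded by the number of requests, which rate limiting can control.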