Your message dated Fri, 06 Jun 2025 20:54:48 +0000
with message-id <e1une5q-00foec...@fasolo.debian.org>
and subject line Bug#1105886: fixed in python-tornado 6.2.0-3+deb12u2
has caused the Debian Bug report #1105886,
regarding python-tornado: CVE-2025-47287
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1105886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-tornado
Version: 6.4.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for python-tornado.
CVE-2025-47287[0]:
| Tornado is a Python web framework and asynchronous networking
| library. When Tornado's ``multipart/form-data`` parser encounters
| certain errors, it logs a warning but continues trying to parse the
| remainder of the data. This allows remote attackers to generate an
| extremely high volume of logs, constituting a DoS attack. This DoS
| is compounded by the fact that the logging subsystem is synchronous.
| All versions of Tornado prior to 6.5.0 are affected. The vulnerable
| parser is enabled by default. Upgrade to Tornado version 6.5.0 to
| receive a patch. As a workaround, risk can be mitigated by blocking
| `Content-Type: multipart/form-data` in a proxy.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-47287
https://www.cve.org/CVERecord?id=CVE-2025-47287
[1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
[2] https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
Please adjust the affected versions in the BTS as needed, all versions
before 6.5.0 should be affected.
Regards,
Salvatore
--- End Message ---
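The report above quotes the CVE text: the multipart/form-data parser logs a warning for each malformed part and keeps parsing, so a small request body can drive an unbounded number of synchronous log writes. The following is an added illustration for this thread, not Tornado's own parser and not the Debian patch: a minimal stand-in parser with the log-and-continue behaviour beside a fail-fast variant, plus a constructed request body (one valid field followed by many malformed parts) and a helper that counts how many warnings and how many log bytes each variant produces. The boundary string, field names and the `measure` helper are assumptions made for the example.

```python
"""Added example (not Tornado's code): log amplification in a lenient
multipart/form-data parser versus a fail-fast one."""
import logging
import re
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("multipart_example")
log.propagate = False  # keep the demo off the root logger

_DISPOSITION_NAME = re.compile(rb'name="([^"]*)"')
Args = Dict[bytes, List[bytes]]


class CountingHandler(logging.Handler):
    """Counts records and formatted bytes so a caller can measure log volume."""

    def __init__(self) -> None:
        super().__init__()
        self.records = 0
        self.bytes_written = 0

    def emit(self, record: logging.LogRecord) -> None:
        self.records += 1
        self.bytes_written += len(self.format(record))


def _split_parts(body: bytes, boundary: bytes) -> List[bytes]:
    """Split on "--boundary"; stop at the closing "--boundary--" delimiter."""
    parts: List[bytes] = []
    for chunk in body.split(b"--" + boundary)[1:]:  # [0] is the preamble
        if chunk.startswith(b"--"):
            break
        parts.append(chunk)
    return parts


def _parse_part(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (field name, value) or raise ValueError for a malformed part."""
    if raw.startswith(b"\r\n"):  # CRLF that follows the delimiter line
        raw = raw[2:]
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("multipart part has no header/body separator")
    headers, value = raw[:sep], raw[sep + 4:]
    if value.endswith(b"\r\n"):
        value = value[:-2]
    disposition = next((h for h in headers.split(b"\r\n")
                        if h.lower().startswith(b"content-disposition:")), None)
    if disposition is None:
        raise ValueError("multipart part lacks Content-Disposition")
    match = _DISPOSITION_NAME.search(disposition)
    if match is None:
        raise ValueError("Content-Disposition has no name parameter")
    return match.group(1), value


def parse_lenient(body: bytes, boundary: bytes) -> Args:
    """The pattern the CVE describes: warn on each bad part and keep going."""
    args: Args = {}
    for raw in _split_parts(body, boundary):
        try:
            name, value = _parse_part(raw)
        except ValueError as exc:
            log.warning("Invalid multipart/form-data: %s", exc)
            continue  # no upper bound: every malformed part costs a log write
        args.setdefault(name, []).append(value)
    return args


def parse_strict(body: bytes, boundary: bytes) -> Args:
    """Fail fast: the first malformed part logs once and rejects the request."""
    args: Args = {}
    for raw in _split_parts(body, boundary):
        try:
            name, value = _parse_part(raw)
        except ValueError as exc:
            log.warning("Invalid multipart/form-data, rejecting request: %s", exc)
            raise  # caller maps this to a 400 and stops reading the body
        args.setdefault(name, []).append(value)
    return args


def build_body(boundary: bytes, good: int, bad: int) -> bytes:
    """Constructed body: `good` well-formed fields, then `bad` parts with no blank line."""
    delimiter = b"--" + boundary + b"\r\n"
    out = [delimiter + b'Content-Disposition: form-data; name="f%d"\r\n\r\nv%d\r\n' % (i, i)
           for i in range(good)]
    out += [delimiter + b"x\r\n"] * bad  # 15 bytes per part, one warning each
    out.append(b"--" + boundary + b"--\r\n")
    return b"".join(out)


def measure(parser: Callable[[bytes, bytes], Args], body: bytes,
            boundary: bytes) -> Tuple[int, int, bool, Args]:
    """Return (warnings logged, log bytes, request rejected, parsed args)."""
    handler = CountingHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    log.setLevel(logging.WARNING)
    args: Args = {}
    rejected = False
    try:
        args = parser(body, boundary)
    except ValueError:
        rejected = True
    finally:
        log.removeHandler(handler)
    return handler.records, handler.bytes_written, rejected, args


if __name__ == "__main__":
    boundary = b"----demo"
    body = build_body(boundary, good=1, bad=1000)
    for name, parser in (("lenient", parse_lenient), ("strict", parse_strict)):
        warnings, log_bytes, rejected, _ = measure(parser, body, boundary)
        print(f"{name}: body={len(body)} bytes -> {warnings} warnings, "
              f"{log_bytes} log bytes, rejected={rejected}")
```

With a thousand malformed parts the lenient parser writes more log bytes than the request body it received, while the strict parser logs once and rejects; this ratio, not the size of any single part, is why the advisory treats the behaviour as a DoS and why blocking `multipart/form-data` at a proxy is a usable stopgap until the package is upgraded.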
--- Begin Message ---
Source: python-tornado
Source-Version: 6.2.0-3+deb12u2
Done: Daniel Leidert <dleid...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-tornado, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Leidert <dleid...@debian.org> (supplier of updated python-tornado
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 03 Jun 2025 13:27:39 +0200
Source: python-tornado
Architecture: source
Version: 6.2.0-3+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Daniel Leidert <dleid...@debian.org>
Closes: 1105886
Changes:
python-tornado (6.2.0-3+deb12u2) bookworm-security; urgency=medium
.
* Non-maintainer upload by the Debian LTS team.
* d/patches/CVE-2025-47287.patch: Add patch to fix CVE-2025-47287.
- When Tornado's 'multipart/form-data' parser encounters certain errors,
it logs a warning but continues trying to parse the remainder of the
data. This allows remote attackers to generate an extremely high volume
of logs, constituting a DoS attack. This DoS is compounded by the fact
that the logging subsystem is synchronous (closes: #1105886).
Checksums-Sha1:
4d88854164a708f4acf181a2397d7e67137c14f1 2559 python-tornado_6.2.0-3+deb12u2.dsc
9e809453db3a3347b7c0e7837a189833247e0828 519040 python-tornado_6.2.0.orig.tar.gz
068024e3b3bcf285e63b1702d40bbab7b84a9422 15600 python-tornado_6.2.0-3+deb12u2.debian.tar.xz
ef9d98d59ca35c105ebc610846836a1463094d1b 10494 python-tornado_6.2.0-3+deb12u2_amd64.buildinfo
Checksums-Sha256:
3f0add8aac3e118c3a72045c41c200138ff9e097aa334dbbf983e5a6cc236353 2559 python-tornado_6.2.0-3+deb12u2.dsc
c2e902e4771eb90b057c7629fa239a59ecae63052919c3b5e61253f2c8a5f0d6 519040 python-tornado_6.2.0.orig.tar.gz
ee4503f50b56a2e41dd6646e6eabffea52fff79a5cba0a9d80631208c1dd6d55 15600 python-tornado_6.2.0-3+deb12u2.debian.tar.xz
4d233ff7b91a450178673f15dcb801f505b73e394215cf6f238a4b9ca6f568c6 10494 python-tornado_6.2.0-3+deb12u2_amd64.buildinfo
Files:
3c10d3e3161e4cc37fe6ed85762b51ac 2559 web optional python-tornado_6.2.0-3+deb12u2.dsc
ac5546f18d57171df7f711aefbd518c6 519040 web optional python-tornado_6.2.0.orig.tar.gz
81f17a3245e79ef715db2ae6e2a10ba5 15600 web optional python-tornado_6.2.0-3+deb12u2.debian.tar.xz
f587a690d8b1e89eb1ca2080c00b1f46 10494 web optional python-tornado_6.2.0-3+deb12u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmhAttMACgkQS80FZ8KW
0F1FEQ//SZY0ATG13ttQ5Hy9Ih+TS+T+vmYvBn9QTi4BGTEnppfbPyNb53ylLuox
Ma+diWFY5CLnYtH3dlfCZVwkPASbxaIRw2xt6J4KYzxS7aUyTolRMcwQYIb0o7YG
VS268Tx0Vp6borKNrG/wk7DjlFtp7EoIYu3uIKd2txdOxLtTgsfI304nj3bod3M9
tQ3uMSk3e/L6EvRaoySX4KvxLklT/QE94vTkNh+uT2n0Mo28c902n5vCheEJmEEP
eaNuYRiwZon4mAASBAxTpipLeKJ1okSMp14hdyvnAd3ZQu2Cv8ThpJDjuqM88NBf
5mkxo0IWz8vv+SPzF3Sry66soZzPPmZ9kvcJ3ak1LA3QAb8G1wFgJNzn1SeCCRvS
8gXSPNisZ6dWsXYs+CLCnqmcR7GRueRswoS71QixLvAFpyvn6WvfqoLZyaTrJ84w
pVAZKYJVGAdmuKdEWdkFA5VyMSuRcuOtmVjrUfiF7ataQ1uCUEEBUSfeCDX+W1Uq
KNEXNZ8KIbO8YVvA5z8CzxlZHT3TnIiBNj6IJlokmw5I/NFitWmhx7lHDnomJ8KC
icQy5tUWK6H87SSl4qlXfFR43QiBDEhtpERCM3HAYulvqB9yF7wLxp7llHMCxktN
y0Hc2QP4/FH5qxjtaVtcpx4u68SXPgslRjODfBeF+SsmWYnrIx8=
=rHCe
-----END PGP SIGNATURE-----
--- End Message ---