Hi Daniel,

On Fri, May 30, 2025 at 05:38:30AM +0200, Daniel Leidert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: python-torn...@packages.debian.org
> Control: affects -1 + src:python-tornado
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> [ Reason ]
> This upload intends to fix the vulnerability CVE-2025-47287.
>
> CVE-2025-47287 allows a remote attacker to create an extremely high volume of
> log entries, constituting a DoS attack.
>
> [ Impact ]
> Users of Debian Bookworm will continue to be vulnerable to the mentioned issues
> if the update is not approved.
>
> [ Tests ]
> The package comes with the testsuite enabled. The tests were adjusted to match
> the new behavior to throw errors instead of logging warnings. All tests
> succeed.
>
> [ Risks ]
> The changes are quite simple. However, regressions are always possible. The
> fact that the tests are successful reduces the risk of regressions.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> Instead of logging warning messages, errors are created which preserve the
> backtrace. Parsing the body has been moved within the code into
> RequestHandler._execute() to be in the right exception handler scope. The tests
> have been adjusted to this change.
>
> [ Other info ]
> All patches contain links to the original reports and commits.
Technically we had the package already in mind for a DSA, so this could as
well go via a DSA (cc'ing my teammates from the Debian security team). One
comment below:

> diff -Nru python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch
> --- python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch 1970-01-01 01:00:00.000000000 +0100
> +++ python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch 2025-05-30 05:19:15.000000000 +0200

The patch seems wrongly named; it should be CVE-2025-47287.patch instead, and
likewise then in debian/patches/series, to avoid confusion.

Regards,
Salvatore
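The "[ Changes ]" section of the quoted report describes the shape of the fix: stop logging a warning for every malformed part of a request body and instead raise an error that is handled once, in the same exception scope as the request handler. The following is an added example illustrating that pattern; it is neither tornado's code nor the Debian patch. The minimal multipart/form-data parser, the `HTTPInputError` class, the counting log handler, the `execute()` request boundary (standing in for the role the report assigns to `RequestHandler._execute()`) and the constructed request bodies are all assumptions made for this illustration.

```python
import logging

log = logging.getLogger("multipart_example")
log.setLevel(logging.DEBUG)


class CountingHandler(logging.Handler):
    """Counts emitted records so the two parsing strategies can be compared."""
    def __init__(self):
        super().__init__()
        self.count = 0

    def emit(self, record):
        self.count += 1


counter = CountingHandler()
log.addHandler(counter)


class HTTPInputError(Exception):
    """Malformed client input (hypothetical class); raised at the first defect."""


def _split_parts(body: bytes, boundary: bytes) -> list[bytes]:
    """Return the raw parts between boundary markers; preamble and epilogue dropped."""
    return body.split(b"--" + boundary)[1:-1]


def _parse_part(part: bytes) -> tuple[str, bytes]:
    """Return (field name, value) for one part, or raise HTTPInputError."""
    if not part.startswith(b"\r\n") or not part.endswith(b"\r\n"):
        raise HTTPInputError("part not delimited by CRLF")
    part = part[2:-2]
    eoh = part.find(b"\r\n\r\n")
    if eoh == -1:
        raise HTTPInputError("part has no header/body separator")
    headers, value = part[:eoh], part[eoh + 4:]
    for line in headers.split(b"\r\n"):
        key, _, rest = line.partition(b":")
        if key.strip().lower() != b"content-disposition":
            continue
        for param in rest.split(b";")[1:]:
            k, _, v = param.strip().partition(b"=")
            if k == b"name":
                return v.strip(b'"').decode("utf-8", "replace"), value
    raise HTTPInputError("part has no Content-Disposition name")


def parse_logging(body: bytes, boundary: bytes) -> dict:
    """Pre-fix style: log a warning per defective part and keep going, so every
    malformed part a client sends costs the server one log record."""
    args = {}
    for part in _split_parts(body, boundary):
        try:
            name, value = _parse_part(part)
        except HTTPInputError as e:
            log.warning("Invalid multipart/form-data: %s", e)
            continue
        args[name] = value
    return args


def parse_raising(body: bytes, boundary: bytes) -> dict:
    """Post-fix style: abort at the first defect; the caller decides what to log."""
    args = {}
    for part in _split_parts(body, boundary):
        name, value = _parse_part(part)
        args[name] = value
    return args


def execute(body: bytes, boundary: bytes, handler):
    """Request boundary: body parsing and the handler share one except clause,
    so a bad body yields one 400 and at most one log record, traceback kept."""
    try:
        return 200, handler(parse_raising(body, boundary))
    except HTTPInputError:
        log.info("rejecting malformed request body", exc_info=True)
        return 400, b"Bad Request"


def make_body(parts: list[bytes], boundary: bytes) -> bytes:
    """Build a constructed multipart body from raw part payloads."""
    return b"".join(b"--" + boundary + p for p in parts) + b"--" + boundary + b"--\r\n"


BOUNDARY = b"xyz"  # constructed sample boundary
GOOD_PART = b'\r\nContent-Disposition: form-data; name="user"\r\n\r\nalice\r\n'
BAD_PART = b"\r\nno-separator-here\r\n"  # constructed: header/body blank line missing


def demo(n_bad: int = 50) -> tuple[int, int, int]:
    """Return (records logged by the per-part logging parser,
    records logged by execute(), HTTP status returned by execute())."""
    body = make_body([GOOD_PART] + [BAD_PART] * n_bad, BOUNDARY)
    counter.count = 0
    parse_logging(body, BOUNDARY)
    logged_old = counter.count
    counter.count = 0
    status, _ = execute(body, BOUNDARY, lambda args: b"ok")
    return logged_old, counter.count, status


if __name__ == "__main__":
    print(demo())  # (50, 1, 400)
```

Running `demo()` shows the difference the report describes: with per-part warnings the number of log records scales with the number of malformed parts in a single request, whereas raising at the first defect and catching in the request boundary produces exactly one record (with `exc_info=True` preserving the backtrace) and a single 400 response, regardless of how many bad parts the body contains.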