Source: python-tornado
Version: 6.5.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: close -1 6.5.5-1

For easier tracking of this issue (unless a CVE still gets assigned):

https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

| Values passed to the domain, path, and samesite arguments of
| RequestHandler.set_cookie were not completely validated in versions of
| Tornado prior to 6.5.5. In particular, semicolons would be allowed,
| which could be used to inject attacker-controlled values for other
| cookie attributes.

https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104

Regards,
Salvatore
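
Added example, not part of the original report and not Tornado's code: a stdlib-only model of why an unvalidated semicolon in a cookie attribute becomes a second attribute, with a pre-check an application could run on domain, path and samesite values until it is on 6.5.5. The helper names, the rejected character set and the samesite allowlist are assumptions made for illustration.

```python
import re

# Assumption: reject ';' and control characters, which end or corrupt a
# Set-Cookie attribute. This is not the check Tornado 6.5.5 implements.
_UNSAFE = re.compile(r"[;\x00-\x1f\x7f]")
_SAMESITE = {"strict", "lax", "none"}


def check_cookie_attrs(domain=None, path="/", samesite=None):
    """Raise ValueError if an attribute value could break out of its field."""
    for name, value in (("domain", domain), ("path", path), ("samesite", samesite)):
        if value is not None and _UNSAFE.search(value):
            raise ValueError(f"unsafe character in cookie {name}: {value!r}")
    if samesite is not None and samesite.lower() not in _SAMESITE:
        raise ValueError(f"unexpected samesite value: {samesite!r}")


def naive_set_cookie(name, value, domain=None, path="/", samesite=None):
    """Simplified stand-in for header construction without validation."""
    parts = [f"{name}={value}"]
    if domain is not None:
        parts.append(f"Domain={domain}")
    if path is not None:
        parts.append(f"Path={path}")
    if samesite is not None:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def parse_attrs(header):
    """Split a Set-Cookie value as a client does: on ';', then on '='."""
    attrs = {}
    for item in header.split(";")[1:]:
        key, _, val = item.strip().partition("=")
        attrs[key.lower()] = val
    return attrs


def safe_set_cookie(name, value, **attrs):
    """Validate the attributes first, then build the header."""
    check_cookie_attrs(**attrs)
    return naive_set_cookie(name, value, **attrs)


# Constructed input: a path value that originated from request data.
tainted_path = "/app; Domain=example.org"
```

Calling `check_cookie_attrs` before `RequestHandler.set_cookie` wherever those arguments derive from request data gives the same rejection on versions prior to 6.5.5; the upgrade remains the actual fix.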

