Your message dated Sun, 18 May 2025 16:06:30 +0000
with message-id <e1uggx0-00hddc...@fasolo.debian.org>
and subject line Bug#1105886: fixed in python-tornado 6.4.2-2
has caused the Debian Bug report #1105886,
regarding python-tornado: CVE-2025-47287
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1105886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-tornado
Version: 6.4.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for python-tornado.
CVE-2025-47287[0]:
| Tornado is a Python web framework and asynchronous networking
| library. When Tornado's ``multipart/form-data`` parser encounters
| certain errors, it logs a warning but continues trying to parse the
| remainder of the data. This allows remote attackers to generate an
| extremely high volume of logs, constituting a DoS attack. This DoS
| is compounded by the fact that the logging subsystem is synchronous.
| All versions of Tornado prior to 6.5.0 are affected. The vulnerable
| parser is enabled by default. Upgrade to Tornado version 6.50 to
| receive a patch. As a workaround, risk can be mitigated by blocking
| `Content-Type: multipart/form-data` in a proxy.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-47287
    https://www.cve.org/CVERecord?id=CVE-2025-47287
[1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
[2] https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
Please adjust the affected versions in the BTS as needed, all versions
before 6.5.0 should be affected.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-tornado
Source-Version: 6.4.2-2
Done: Colin Watson <cjwat...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-tornado, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1105...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated python-tornado package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 18 May 2025 16:43:40 +0100
Source: python-tornado
Architecture: source
Version: 6.4.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Closes: 1105886
Changes:
python-tornado (6.4.2-2) unstable; urgency=medium
.
* Team upload.
* CVE-2025-47287: httputil: Raise errors instead of logging in
multipart/form-data parsing (closes: #1105886).
Checksums-Sha1:
cb0e7cf6ffe8b4f80a371a5f69427f602e7b36b8 2561 python-tornado_6.4.2-2.dsc
23b0ae36fc0f1bedffa0af1bcf231c108f160d35 12684 python-tornado_6.4.2-2.debian.tar.xz
Checksums-Sha256:
cb1acc701093e54d7edf68c7e897584751bb59eca150ffaa8179f298d21e8dd1 2561 python-tornado_6.4.2-2.dsc
60d25eddcdfe13973c8382c759c7160c697b9b6c9d85c2527028d5342726662d 12684 python-tornado_6.4.2-2.debian.tar.xz
Files:
1b27fe2f9130eaf49435d72793065c74 2561 web optional python-tornado_6.4.2-2.dsc
6a6ce3086b2542400964fa8791ed77f4 12684 web optional python-tornado_6.4.2-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmgqAE4ACgkQOTWH2X2G
UAs5QQ//V+XNxOL5c39bsWGhlBMjc1z/2OcHFDQKz3uXspcB/bHHefWeCoyVOS/a
b5BjVIGXLHxeaZGuy1a2dnRcO8vpB9dlUpH1m6eJbt+suLQPS/YLhaGaiq3aqr44
Pma8yjmxeJBiMFHip0gBAPnnpuL4nRhEwyjsijQjpf7JuQvoxcvfGtL+WgarTiJl
NAlgRfBaMxRGQrJekKp8K95cjSZqlVcoihp7G8aF9+l3U4yz8ILL/S3WvJzqrujG
+Rq8qM6SFOcVp+HNg3ao5x2jXMcRvxV7bOg1HQgy0EYsNV1Kbv7k8Fr6YeYbWXEc
H9z7asYuIbZ0WzGH3nqKfYuRNDbdPCuhitSQx2wq0oTNJNNo/cahM7P4HzPON/Wo
0O859P5W8QYXlRo4vDOJTnYUr3XPjxZ4r5nP2fc5Ncc7Ju875isPmC7M3SmdheSl
dpvO4t25Uyd6IoXa2f0CJE6M+AtEDEb1jVcq/IdO5CmP198sObUJ/rje6fltn/na
WmUpgeAwStIDiKScLyT2GIQ5LAs7yCrZi9Hg58Z/aiwa2S8+epyWOaj/Cu2O+ptS
SyN82XqcutgoPwNIj5tiVHDUsnyKmZYpPaSHa9m/H8ir32PEfffASRfiCFCEAtCl
VjmBE5vj0ZBf3luZjHNwsipCn5LTqoVFitVdqGtjOi7fBanmPHk=
=YVtd
-----END PGP SIGNATURE-----
--- End Message ---
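The advisory text quoted in the bug report and the changelog entry in the fix message describe the same design point: a multipart/form-data parser that logs a warning on each malformed part and keeps going lets one request produce many synchronous log records, whereas raising on the first error bounds the cost to a single exception. The following is an added illustration written for this thread; it is not Tornado's parser or the Debian patch. The parser is a deliberately minimal, hypothetical one (it handles only parts delimited by `--boundary`, one `Content-Disposition` header line, a blank line and a body), and the bodies it parses are constructed test inputs. The `strict` flag switches between the two behaviours so the log-record counts can be compared directly.

```python
"""Added example: log-and-continue versus raise-on-first-error in a toy
multipart/form-data parser. Hypothetical code, not Tornado's."""
import logging
import re

log = logging.getLogger("multipart_example")
log.setLevel(logging.WARNING)
log.propagate = False  # keep example output off the root logger

DISPOSITION_RE = re.compile(rb'form-data;\s*name="([^"]*)"')


def parse_multipart(body: bytes, boundary: bytes, strict: bool) -> dict:
    """Parse a multipart/form-data body into {field_name: value_bytes}.

    strict=False mimics the pre-fix pattern: each malformed part is logged
    and skipped, so every bad part costs one synchronous log record.
    strict=True mimics the fix: the first malformed part raises ValueError
    and parsing stops, so an invalid body costs at most one error.
    """
    def report(problem: str) -> None:
        if strict:
            raise ValueError(problem)
        log.warning("multipart: %s", problem)

    delimiter = b"--" + boundary
    fields: dict = {}
    chunks = body.split(delimiter)  # [preamble, part1, ..., partN, epilogue]
    if len(chunks) < 2 or not chunks[-1].startswith(b"--"):
        report("missing final boundary")
        return fields
    for part in chunks[1:-1]:
        if not part.startswith(b"\r\n"):
            report("boundary not followed by CRLF")
            continue
        part = part[2:]
        header_end = part.find(b"\r\n\r\n")
        if header_end == -1:
            report("part has no header/body separator")
            continue
        headers, data = part[:header_end], part[header_end + 4:]
        if data.endswith(b"\r\n"):
            data = data[:-2]  # CRLF that precedes the next delimiter
        match = DISPOSITION_RE.search(headers)
        if match is None:
            report("missing Content-Disposition form-data name")
            continue
        fields[match.group(1).decode()] = data
    return fields


class _Collector(logging.Handler):
    """Captures log records so the example can count them."""
    def __init__(self) -> None:
        super().__init__()
        self.records: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record.getMessage())


def count_log_records(body: bytes, boundary: bytes, strict: bool):
    """Return (fields, number_of_warnings_logged, error_message_or_None)."""
    collector = _Collector()
    log.addHandler(collector)
    try:
        fields = parse_multipart(body, boundary, strict)
        raised = None
    except ValueError as exc:
        fields, raised = {}, str(exc)
    finally:
        log.removeHandler(collector)
    return fields, len(collector.records), raised


BOUNDARY = b"ExampleBoundary"  # constructed


def build_body(parts) -> bytes:
    """Assemble a multipart body from (header_bytes, data_bytes) pairs (constructed input)."""
    out = b""
    for headers, data in parts:
        out += b"--" + BOUNDARY + b"\r\n" + headers + b"\r\n\r\n" + data + b"\r\n"
    return out + b"--" + BOUNDARY + b"--\r\n"


GOOD_BODY = build_body([
    (b'Content-Disposition: form-data; name="user"', b"alice"),
    (b'Content-Disposition: form-data; name="note"', b"hello"),
])
# Three parts lacking a Content-Disposition header, then one valid part.
MALFORMED_BODY = build_body(
    [(b"X-Ignored: 1", b"junk")] * 3
    + [(b'Content-Disposition: form-data; name="user"', b"alice")]
)

if __name__ == "__main__":
    for name, body in (("good", GOOD_BODY), ("malformed", MALFORMED_BODY)):
        for strict in (False, True):
            print(name, "strict" if strict else "lenient",
                  count_log_records(body, BOUNDARY, strict))
```

Running it shows the lenient parse of the malformed body emitting one warning per bad part (three here, but proportional to whatever the client sends) while still returning the valid field, and the strict parse stopping at the first bad part with zero log records and a single exception, which is the behaviour the changelog's "raise errors instead of logging" describes. From a detection standpoint, a sudden rise in multipart parser warnings per request on an unpatched deployment is the signal this advisory points at; the proxy-level block of `Content-Type: multipart/form-data` mentioned in the advisory removes the input entirely where the application does not need it.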