Format: 1.8
Date: Tue, 31 Dec 2024 02:14:38 +0100
Source: python-tornado
Architecture: source
Version: 6.1.0-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Closes: 1036875 1088112
Changes:
 python-tornado (6.1.0-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2024-52804.patch: Fix CVE-2024-52804 (closes: #1088112).
     - The algorithm used for parsing HTTP cookies in Tornado versions prior
       to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU
       consumption when parsing maliciously-crafted cookie headers. This
       parsing occurs in the event loop thread and may block the processing
       of other requests.
   * d/patches/CVE-2023-28370-1.patch, d/patches/CVE-2023-28370-2.patch:
     Fix CVE-2023-28370 (closes: #1036875).
     - Open redirect vulnerability in Tornado versions 6.3.1 and earlier
       allows a remote unauthenticated attacker to redirect a user to an
       arbitrary web site and conduct a phishing attack by having a user
       access a specially crafted URL.