Format: 1.8
Date: Tue, 31 Mar 2026 02:37:32 +0200
Source: python-tornado
Architecture: source
Version: 6.1.0-1+deb11u4
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Closes: 1130507 1132367
Changes:
 python-tornado (6.1.0-1+deb11u4) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2026-31958.patch: Add patch to fix CVE-2026-31958.
     - Introduce new limits on the size and complexity of multipart bodies,
       including a default limit of 100 parts per request to mitigate a
       possible DoS. It is also possible to disable parsing
       multipart/form-data entirely if not required (closes: #1130507).
   * d/patches/CVE-2026-incomplete-validation-of-cookie-attributes.patch:
     Add patch to fix incomplete validation of cookie attributes.
     - Values passed to the domain, path, and samesite arguments of
       RequestHandler.set_cookie are not completely validated. In
       particular, semicolons are allowed, which could be used to inject
       attacker-controlled values for other cookie attributes (no CVE yet,
       closes: #1132367).
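The cookie-attribute issue named in the changelog, shown as an added example that is not part of this upload or of Tornado's code: a Set-Cookie value built by plain concatenation next to a version that validates domain, path and samesite first. The function names, the rejected character set and the sample values are assumptions made for illustration.

```python
import re

# Hypothetical helpers for illustration; not Tornado's set_cookie or its patch.
# Assumption: reject control characters and ";" in attribute values.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f;]")
_SAMESITE = {"strict", "lax", "none"}


def unchecked_set_cookie(name, value, domain=None, path="/", samesite=None):
    """Build a Set-Cookie value by plain concatenation (no validation)."""
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    if path:
        parts.append(f"Path={path}")
    if samesite:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def checked_set_cookie(name, value, domain=None, path="/", samesite=None):
    """Same output, but refuse attribute values that could add attributes."""
    for label, attr in (("domain", domain), ("path", path), ("samesite", samesite)):
        if attr is not None and _FORBIDDEN.search(attr):
            raise ValueError(f"invalid cookie {label}: {attr!r}")
    if samesite is not None and samesite.lower() not in _SAMESITE:
        raise ValueError(f"invalid cookie samesite: {samesite!r}")
    return unchecked_set_cookie(name, value, domain, path, samesite)


def parse_attributes(header):
    """Split a Set-Cookie value on ';' as a client does; last duplicate wins."""
    pair, *rest = [item.strip() for item in header.split(";")]
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return pair, attrs


if __name__ == "__main__":
    # Constructed input: a path value taken from untrusted data.
    untrusted_path = "/; Domain=example.test"
    print(parse_attributes(unchecked_set_cookie("sid", "abc", path=untrusted_path)))
    try:
        checked_set_cookie("sid", "abc", path=untrusted_path)
    except ValueError as exc:
        print("rejected:", exc)
```

The unchecked builder yields a header in which the client sees a Domain attribute the application never set; the checked builder raises before any header is produced.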