python-tornado - Debian Package Tracker

general

source: python-tornado (main)
version: 6.5.5-2
maintainer: Debian Python Team (DMD)
uploaders: Yaroslav Halchenko [DMD] – Julian Taylor [DMD] – Carl Chenet [DMD] – Julien Puydt [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 6.1.0-1
o-o-sec: 6.1.0-1+deb11u4
oldstable: 6.2.0-3+deb12u4
old-sec: 6.2.0-3+deb12u4
stable: 6.4.2-3+deb13u2
stable-sec: 6.4.2-3+deb13u2
testing: 6.5.5-1
unstable: 6.5.5-2

versioned links

6.1.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.0-1+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.0-3+deb12u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.4.2-3+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.5.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.5.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python-tornado-doc
python3-tornado

action needed

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2026-31958: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
CVE-2026-35536: In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

Created: 2025-12-12 Last update: 2026-05-16 15:30

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2026-31958: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
CVE-2026-35536: In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

Created: 2025-12-12 Last update: 2026-05-16 15:30

lintian reports 2 errors and 1 warning high

Lintian reports 2 errors and 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-15 Last update: 2026-05-15 22:30

debian/patches: 1 patch with invalid metadata, 2 patches to forward upstream high

Among the 9 debian patches available in version 6.5.5-2 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2024-09-25 Last update: 2026-05-15 11:17

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-05-17 22:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.0).

Created: 2025-02-21 Last update: 2026-05-14 22:31

testing migrations

excuses:
- Migration status for python-tornado (6.5.5-1 to 6.5.5-2): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for dask.distributed/2024.12.1+ds-1: amd64: Failed (not a regression) ♻ (reference ♻), arm64: Failed (not a regression) ♻ (reference ♻), i386: Test triggered (will not be considered a regression) ♻ (reference ♻), ppc64el: Failed (not a regression) ♻ (reference ♻), riscv64: Test triggered (failure will be ignored), s390x: Test triggered (will not be considered a regression) ♻ (reference ♻)
- ∙ ∙ Autopkgtest for emacs-websocket/1.15-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for ipykernel/7.2.0-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered (will not be considered a regression) ♻ (reference ♻), s390x: Test triggered
- ∙ ∙ Autopkgtest for ipyparallel/9.0.2-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for jupyter-client/8.8.0-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for jupyter-notebook/6.4.13-5: amd64: Failed (not a regression) ♻ (reference ♻), arm64: Failed (not a regression) ♻ (reference ♻), i386: Test triggered (will not be considered a regression) ♻ (reference ♻), ppc64el: Failed (not a regression) ♻ (reference ♻), riscv64: Test triggered, s390x: Test triggered (will not be considered a regression) ♻ (reference ♻)
- ∙ ∙ Autopkgtest for jupyter-server/2.17.0-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for jupyterlab/4.0.11+ds2+~cs11.25.27-1: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for laniakea/0.1.1-5: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for mopidy/3.4.2-7: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pcs/0.12.2-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pytest-testinfra/10.2.2-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pytest-tornado/0.8.1-5: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pytest-tornasync/0.6.0.post2-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-bonsai/1.5.3+ds-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-bottle/0.13.2-1.1: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-httpretty/1.1.4-6: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-jaeger-client/4.8.0-4: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-livereload/2.7.1-0.1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-opentracing/2.4.0-3: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-pika/1.3.2-4: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-streamz/0.6.5-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-tenacity/9.1.4-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-tornado/6.5.5-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-ws4py/0.6.0+dfsg1-2: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for python-wslink/2.5.6-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for pyzmq/27.1.0-1: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for satpy/0.60.0-1: amd64: Pass, arm64: Pass, i386: Test triggered (will not be considered a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Autopkgtest for terminado/0.18.1-1: amd64: Failed (not a regression) ♻ (reference ♻), arm64: Failed (not a regression) ♻ (reference ♻), i386: Test triggered (will not be considered a regression) ♻ (reference ♻), ppc64el: Failed (not a regression) ♻ (reference ♻), riscv64: Test triggered, s390x: Test triggered (will not be considered a regression) ♻ (reference ♻)
- ∙ ∙ Autopkgtest for vcr.py/8.1.1-2: amd64: Pass, arm64: Pass, i386: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Test triggered
- ∙ ∙ Too young, only 3 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/p/python-tornado.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[rss feed]

[2026-05-14] Accepted python-tornado 6.5.5-2 (source) into unstable (Scott Talbert)
[2026-04-07] python-tornado 6.5.5-1 MIGRATED to testing (Debian testing watch)
[2026-04-06] Accepted python-tornado 6.2.0-3+deb12u4 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2026-04-06] Accepted python-tornado 6.4.2-3+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2026-04-03] Accepted python-tornado 6.4.2-3+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Daniel Leidert)
[2026-04-03] Accepted python-tornado 6.4.2-3+deb13u2 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2026-04-03] Accepted python-tornado 6.2.0-3+deb12u4 (source) into oldstable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2026-04-03] Accepted python-tornado 6.2.0-3+deb12u3 (source) into oldstable-security (Debian FTP Masters) (signed by: Daniel Leidert)
[2026-04-01] Accepted python-tornado 6.1.0-1+deb11u4 (source) into oldoldstable-security (Daniel Leidert)
[2026-03-30] Accepted python-tornado 6.5.5-1 (source) into unstable (Daniel Leidert)
[2026-03-10] python-tornado 6.5.4-1 MIGRATED to testing (Debian testing watch)
[2026-03-06] Accepted python-tornado 6.5.4-1 (source) into unstable (Carlos Henrique Lima Melara)
[2026-01-31] Accepted python-tornado 6.1.0-1+deb11u3 (source) into oldoldstable-security (Daniel Leidert)
[2026-01-09] python-tornado 6.5.4-0.1 MIGRATED to testing (Debian testing watch)
[2026-01-07] Accepted python-tornado 6.5.4-0.1 (source) into unstable (Adrian Bunk)
[2025-10-09] python-tornado 6.5.2-3 MIGRATED to testing (Debian testing watch)
[2025-10-05] Accepted python-tornado 6.5.2-3 (source) into unstable (Bo YU)
[2025-09-28] Accepted python-tornado 6.5.2-2 (source) into unstable (Thomas Goirand)
[2025-08-26] Accepted python-tornado 6.5.2-1 (source) into experimental (Thomas Goirand)
[2025-06-06] Accepted python-tornado 6.2.0-3+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Daniel Leidert)
[2025-06-06] Accepted python-tornado 6.2.0-3+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Daniel Leidert)
[2025-05-29] Accepted python-tornado 6.1.0-1+deb11u2 (source) into oldstable-security (Daniel Leidert)
[2025-05-25] python-tornado 6.4.2-3 MIGRATED to testing (Debian testing watch)
[2025-05-22] Accepted python-tornado 6.4.2-3 (source) into unstable (Bo YU)
[2025-05-18] Accepted python-tornado 6.4.2-2 (source) into unstable (Colin Watson)
[2025-01-03] Accepted python-tornado 6.2.0-3+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Daniel Leidert)
[2025-01-01] Accepted python-tornado 6.1.0-1+deb11u1 (source) into oldstable-security (Daniel Leidert)
[2024-12-04] python-tornado 6.4.2-1 MIGRATED to testing (Debian testing watch)
[2024-11-29] Accepted python-tornado 6.4.2-1 (source) into unstable (Colin Watson)
[2024-09-30] python-tornado 6.4.1-3 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 1

links

homepage
lintian (2, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
l10n (-, 100)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.5.4-0.1
1 bug