Your message dated Fri, 29 Nov 2024 13:34:31 +0000
with message-id <[email protected]>
and subject line Bug#1088112: fixed in python-tornado 6.4.2-1
has caused the Debian Bug report #1088112,
regarding python-tornado: CVE-2024-52804
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1088112: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-tornado
Version: 6.4.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-tornado.

CVE-2024-52804[0]:
| Tornado is a Python web framework and asynchronous networking
| library. The algorithm used for parsing HTTP cookies in Tornado
| versions prior to 6.4.2 sometimes has quadratic complexity, leading
| to excessive CPU consumption when parsing maliciously-crafted cookie
| headers. This parsing occurs in the event loop thread and may block
| the processing of other requests. Version 6.4.2 fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52804
    https://www.cve.org/CVERecord?id=CVE-2024-52804
[1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
[2] https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-tornado
Source-Version: 6.4.2-1
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-tornado, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-tornado package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 29 Nov 2024 13:09:50 +0000
Source: python-tornado
Architecture: source
Version: 6.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1088112
Changes:
 python-tornado (6.4.2-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - CVE-2024-52804: Parsing of the cookie header is now much more
       efficient.  The older algorithm sometimes had quadratic performance
       which allowed for a denial-of-service attack in which the server would
       spend excessive CPU time parsing cookies and block the event loop
       (closes: #1088112).
Checksums-Sha1:
 66524e7bbb59ba2bf10ccd5f60b122f983fde40a 2561 python-tornado_6.4.2-1.dsc
 94ec7bc896d8b62364abcfc2a906165d80e1baa6 533897 python-tornado_6.4.2.orig.tar.gz
 d659b53cd62ad8c7d984240c1288e8757191b73d 10256 python-tornado_6.4.2-1.debian.tar.xz
Checksums-Sha256:
 5c865b4facece26025a96f9233087bd16bfae709bd2e878d6f258812800bc3bc 2561 python-tornado_6.4.2-1.dsc
 a45eec6f5fc01ed78b01a9dafceb81bf0d0440309bd478a9daadfa7c87bdd893 533897 python-tornado_6.4.2.orig.tar.gz
 f84da84704d13c2076090ce0e3f8b0e366d432330d0df6abc883d620e739d653 10256 python-tornado_6.4.2-1.debian.tar.xz
Files:
 5502a9e01d65d5d0f97d2296c9ad020a 2561 web optional python-tornado_6.4.2-1.dsc
 721215aa1ab1253e79b17fd67b83a46e 533897 web optional python-tornado_6.4.2.orig.tar.gz
 0f533e1cd6381b6a93e330211d312389 10256 web optional python-tornado_6.4.2-1.debian.tar.xz



--- End Message ---
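As an added example (not code from Tornado, from Debian, or from either message above), the following Python script illustrates the class of bug described in the CVE text and in the 6.4.2 changelog entry: a quoted-cookie-value unquoting loop of the classic http.cookies shape, which restarts two regex searches from the current offset on every iteration and therefore does quadratic work on a value made of many backslash escapes, beside a single-pass re.sub() rewrite with the same semantics. The loop is modelled on the http.cookies algorithm in shape only and is not a copy of Tornado's source; the cookie header is constructed for the demo; the version check merely encodes the advisory's "prior to 6.4.2" statement.

```python
"""Constructed demo for CVE-2024-52804: quadratic vs linear cookie-value unquoting.
Illustrative only: the loop mirrors the http.cookies-style algorithm in shape and
is not Tornado's actual source."""
import re
import time
from typing import Callable, Dict

FIXED_IN = (6, 4, 2)  # upstream release that fixed the issue (per the advisory)

# Escape patterns used by the classic unquoting loop.
_OCTAL = re.compile(r"\\[0-3][0-7][0-7]")
_QUOTE = re.compile(r"[\\].")


def unquote_quadratic(value: str) -> str:
    """Pre-fix style: restart both searches from offset i on each iteration.
    For a value of many backslash escapes and no octal escape, _OCTAL.search
    scans to the end of the string every time, so total work is O(n^2)."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    s = value[1:-1]
    i, n, out = 0, len(s), []
    while 0 <= i < n:
        o = _OCTAL.search(s, i)  # rescans the whole tail when no octal exists
        q = _QUOTE.search(s, i)
        if not o and not q:
            out.append(s[i:])
            break
        if q and (not o or q.start() < o.start()):
            out.append(s[i:q.start()])
            out.append(s[q.start() + 1])  # "\c" -> "c"
            i = q.start() + 2
        else:
            out.append(s[i:o.start()])
            out.append(chr(int(s[o.start() + 1:o.start() + 4], 8)))  # "\101" -> "A"
            i = o.start() + 4
    return "".join(out)


_ESCAPE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")


def _replace_escape(m) -> str:
    return chr(int(m.group(1), 8)) if m.group(1) else m.group(2)


def unquote_linear(value: str) -> str:
    """Post-fix style: one left-to-right pass, each character examined a
    bounded number of times, so the cost is O(n)."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    return _ESCAPE.sub(_replace_escape, value[1:-1])


def parse_cookie(header: str, unquote: Callable[[str], str] = unquote_linear) -> Dict[str, str]:
    """Split a Cookie header into a dict; the unquote step is pluggable so both
    algorithms can be run on identical input."""
    cookies: Dict[str, str] = {}
    for chunk in header.split(";"):
        key, _, val = chunk.partition("=") if "=" in chunk else ("", "", chunk)
        key, val = key.strip(), val.strip()
        if key or val:
            cookies[key] = unquote(val)
    return cookies


def crafted_header(n: int) -> str:
    """Constructed attacker input: a quoted value of n backslash escapes and no
    octal escape, the worst case for the loop above."""
    return 'session="' + "\\x" * n + '"'


def time_parse(n: int) -> Dict[str, float]:
    """Wall-clock seconds each algorithm needs to parse crafted_header(n)."""
    header = crafted_header(n)
    timings: Dict[str, float] = {}
    for name, fn in (("quadratic", unquote_quadratic), ("linear", unquote_linear)):
        start = time.perf_counter()
        parse_cookie(header, unquote=fn)
        timings[name] = time.perf_counter() - start
    return timings


def is_affected(version: str) -> bool:
    """True for Tornado releases before 6.4.2; pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_IN


if __name__ == "__main__":
    try:
        from importlib.metadata import version  # Python 3.8+
        v = version("tornado")
        print(f"installed tornado {v}: affected={is_affected(v)}")
    except Exception:
        print("tornado not installed here; the parsing demo does not need it")
    for n in (1000, 2000, 4000):  # doubling n roughly quadruples the quadratic time
        t = time_parse(n)
        print(f"n={n:5d}  quadratic={t['quadratic'] * 1e3:8.1f} ms  linear={t['linear'] * 1e3:6.2f} ms")
```

Run it as a script to see the timings grow roughly fourfold per doubling of n for the loop and linearly for the re.sub() version; because Tornado parses cookies on the event loop thread, that extra CPU time is spent while no other request is served, which is the denial-of-service the advisory describes.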
