Your message dated Wed, 07 Jan 2026 11:48:24 +0000
with message-id <[email protected]>
and subject line Bug#1122660: fixed in python-tornado 6.5.4-0.1
has caused the Debian Bug report #1122660,
regarding python-tornado: CVE-2025-67724
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1122660: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122660
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-tornado
Version: 6.5.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-tornado.
CVE-2025-67724[0]:
| Tornado is a Python web framework and asynchronous networking
| library. In versions 6.5.2 and below, the supplied reason phrase is
| used unescaped in HTTP headers (where it could be used for header
| injection) or in HTML in the default error page (where it could be
| used for XSS) and can be exploited by passing untrusted or malicious
| data into the reason argument. Used by both
| RequestHandler.set_status and tornado.web.HTTPError, the argument is
| designed to allow applications to pass custom "reason" phrases (the
| "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line
| (mainly for non-standard status codes). This issue is fixed in
| version 6.5.3.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-67724
    https://www.cve.org/CVERecord?id=CVE-2025-67724
[1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f
[2] https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
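The two sinks named in the CVE-2025-67724 description (the HTTP status line and the default HTML error page) can be guarded in application code before a caller-supplied reason reaches them. The following is an added example, not Tornado's code and not the upstream fix; the function names checked_reason, status_line and error_page are hypothetical and the inputs are constructed. It uses only the Python standard library.

```python
import html
import re
from http.client import responses
from typing import Optional

# RFC 9110 reason-phrase grammar: HTAB / SP / VCHAR / obs-text.
# CR, LF and every other control character fall outside it.
_REASON_OK = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def checked_reason(status_code: int, reason: Optional[str]) -> str:
    """Return a phrase that is safe for the status line, or raise."""
    if reason is None:
        # No custom phrase: fall back to the standard one for this code.
        return responses.get(status_code, "Unknown")
    if not _REASON_OK.fullmatch(reason):
        # Refuse rather than strip, so the caller learns its input was bad.
        raise ValueError(f"illegal character in reason phrase: {reason!r}")
    return reason


def status_line(status_code: int, reason: Optional[str] = None) -> bytes:
    """Header sink: the phrase is validated before it is serialized."""
    phrase = checked_reason(status_code, reason)
    return f"HTTP/1.1 {status_code} {phrase}\r\n".encode("latin-1")


def error_page(status_code: int, reason: Optional[str] = None) -> str:
    """HTML sink: a valid phrase can still contain markup, so escape it."""
    phrase = html.escape(checked_reason(status_code, reason))
    return (f"<html><title>{status_code}: {phrase}</title>"
            f"<body>{status_code}: {phrase}</body></html>")


if __name__ == "__main__":
    # Constructed inputs: one benign custom phrase, two hostile ones.
    print(status_line(799, "Quota Exhausted"))
    print(error_page(400, "<b>bad</b> input"))
    try:
        status_line(200, "OK\r\nX-Constructed: 1")
    except ValueError as exc:
        print("rejected:", exc)
```

The two checks are independent: the character check protects the header sink, while escaping protects the HTML sink, because `<` and `>` are legal in a reason phrase.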
--- Begin Message ---
Source: python-tornado
Source-Version: 6.5.4-0.1
Done: Adrian Bunk <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-tornado, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated python-tornado package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 05 Jan 2026 13:12:01 +0200
Source: python-tornado
Architecture: source
Version: 6.5.4-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1122660 1122661 1122663
Changes:
 python-tornado (6.5.4-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-67724: Header injection and XSS via reason argument.
       (Closes: #1122660)
     - CVE-2025-67725: Quadratic DoS via Repeated Header Coalescing.
       (Closes: #1122661)
     - CVE-2025-67726: Quadratic DoS via Crafted Multipart Parameters.
       (Closes: #1122663)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---