Package: python-tornado | Debian Sources

Package: python-tornado / 6.2.0-3+deb12u2

Metadata

Package	Version	Patches format
python-tornado	6.2.0-3+deb12u2	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
disable domain tests.patch \| (download)	tornado/test/netutil_test.py \| 1 1 + 0 - 0 ! 1 file changed, 1 insertion(+)	disable domain tests to prevent internet access during build
ignoreuserwarning.patch \| (download)	tornado/test/runtests.py \| 1 1 + 0 - 0 ! 1 file changed, 1 insertion(+)	ignore userwarning in tests Required to run tests from source with the package already installed. Else one gets check_version_conflict warning from pkg_resources. Patch-Name: ignoreuserwarning.patch
fix ftbfs on hurd.patch \| (download)	tornado/test/httpserver_test.py \| 2 2 + 0 - 0 ! 1 file changed, 2 insertions(+)	skip unixsockettest on hurd, as unix sockets with SO_REUSEADDR are not supported there A little discussion about unix sockets with SO_REUSEADDR can be found on https://lists.gnu.org/archive/html/bug-hurd/2016-01/msg00039.html
0006 Use local objects.inv for intersphinx mapping.patch \| (download)	docs/conf.py \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	use local objects.inv for intersphinx mapping
0007 Higher test_gc timeout.patch \| (download)	tornado/test/gen_test.py \| 5 4 + 1 - 0 ! 1 file changed, 4 insertions(+), 1 deletion(-)	set timeout in test_gc to higher value
ignore py310 deprecation warnings.patch \| (download)	tornado/test/runtests.py \| 12 12 + 0 - 0 ! 1 file changed, 12 insertions(+)	ignore known deprecationwarnings under python 3.10 Python 3.10 triggers several DeprecationWarnings that haven't been resolved yet, upstream. There are going to be API changes required and they haven't been decided on, yet. Bug-Upstream: https://github.com/tornadoweb/tornado/issues/3033 Bug-Debian: https://bugs.debian.org/1000287
CVE 2024 52804.patch \| (download)	tornado/httputil.py \| 38 10 + 28 - 0 ! tornado/test/httputil_test.py \| 46 46 + 0 - 0 ! 2 files changed, 56 insertions(+), 28 deletions(-)	httputil: fix quadratic performance of cookie parsing Maliciously-crafted cookies can cause Tornado to spend an unreasonable amount of CPU time and block the event loop. This change replaces the quadratic algorithm with a more efficient one. The implementation is copied from the Python 3.13 standard library (the previous one was from Python 3.5). Fixes CVE-2024-52804 See CVE-2024-7592 for a similar vulnerability in cpython. Thanks to github.com/kexinoh for the report.
CVE 2023 28370 1.patch \| (download)	tornado/web.py \| 9 9 + 0 - 0 ! 1 file changed, 9 insertions(+)	web: fix an open redirect in staticfilehandler Under some configurations the default_filename redirect could be exploited to redirect to an attacker-controlled site. This change refuses to redirect to URLs that could be misinterpreted. A test case for the specific vulnerable configuration will follow after the patch has been available.
CVE 2023 28370 2.patch \| (download)	tornado/test/web_test.py \| 31 30 + 1 - 0 ! 1 file changed, 30 insertions(+), 1 deletion(-)	test: add test for open redirect fixed in 6.3.2
CVE 2025 47287.patch \| (download)	tornado/httputil.py \| 29 11 + 18 - 0 ! tornado/test/httpserver_test.py \| 4 2 + 2 - 0 ! tornado/test/httputil_test.py \| 13 8 + 5 - 0 ! tornado/web.py \| 17 13 + 4 - 0 ! 4 files changed, 34 insertions(+), 29 deletions(-)	httputil: raise errors instead of logging in multipart/form-data parsing We used to continue after logging an error, which allowed repeated errors to spam the logs. The error raised here will still be logged, but only once per request, consistent with other error handling in Tornado.

1