
Debian alert DLA-4461-1 (python-tornado)

From:  Daniel Leidert <dleidert@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4461-1] python-tornado security update
Date:  Sun, 01 Feb 2026 03:52:57 +0100
Message-ID:  <31bcbe940e4b92808251253f8e669a3d51e37cb3.camel@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4461-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
February 01, 2026                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-tornado
Version        : 6.1.0-1+deb11u3
CVE ID         : CVE-2025-67724 CVE-2025-67725 CVE-2025-67726
Debian Bug     : 1122660 1122661 1122663

Tornado is a scalable, non-blocking Python web framework and asynchronous
networking library.

CVE-2025-67724

    Custom reason phrases can cause multiple vulnerabilities (like XSS,
    header injection, ...) due to being used unescaped in HTTP headers.

CVE-2025-67725

    A single maliciously crafted HTTP request can cause a possible DoS
    due to quadratic performance of repeated header lines.

CVE-2025-67726

    An inefficient algorithm when parsing parameters for HTTP header
    values can potentially cause a DoS.

For Debian 11 bullseye, these problems have been fixed in version
6.1.0-1+deb11u3.

We recommend that you upgrade your python-tornado packages.

For the detailed security status of python-tornado please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-tornado

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


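An application-side guard for the reason-phrase issue described under CVE-2025-67724, as an added example that is not part of the advisory and is not Tornado's or Debian's fix. The function names are hypothetical and the sample inputs are constructed; it assumes the application passes its own reason strings to the framework and wants to validate them first, in addition to installing the fixed package.

```python
import html
import re
from http.client import responses  # standard phrases, e.g. 404 -> "Not Found"
from typing import Optional

# Allow only tab, space and visible ASCII. CR, LF, NUL and other control
# characters are what let a phrase break out of the status line.
_REASON_OK = re.compile(r"[\t\x20-\x7e]+")


def safe_reason(status_code: int, reason: Optional[str]) -> str:
    """Return a phrase that is safe on an HTTP status line (hypothetical helper).

    A missing phrase, or one with characters outside the allowed set, is
    replaced by the standard phrase for the status code.
    """
    if reason and _REASON_OK.fullmatch(reason):
        return reason
    return responses.get(status_code, "Unknown")


def status_line(status_code: int, reason: Optional[str] = None) -> str:
    """Build the status line with a validated phrase."""
    return f"HTTP/1.1 {status_code} {safe_reason(status_code, reason)}\r\n"


def error_body(status_code: int, reason: Optional[str] = None) -> str:
    """Render a minimal error page; the phrase is HTML-escaped because a
    phrase that is valid in a header can still contain markup."""
    phrase = html.escape(safe_reason(status_code, reason))
    return (f"<html><title>{status_code}: {phrase}</title>"
            f"<body>{status_code}: {phrase}</body></html>")


if __name__ == "__main__":
    # Constructed inputs: a normal phrase, one carrying a line break,
    # and one carrying markup.
    for sample in ("Widget missing", "Gone\r\nX-Constructed: 1", "<b>bad</b>"):
        print(repr(status_line(404, sample)), error_body(404, sample))
```
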

