|
|
Log in / Subscribe / Register

Ubuntu alert USN-8198-2 (python-tornado)



From:
              noreply+usn-bot@canonical.com


To:
              ubuntu-security-announce@lists.ubuntu.com


Subject:
              [USN-8198-2] Tornado vulnerabilities


Date:
              Tue, 28 Apr 2026 20:34:45 +0000


Message-ID:
              <E1wHp8n-0003uT-2P@lists.ubuntu.com>


==========================================================================
Ubuntu Security Notice USN-8198-2
April 28, 2026

python-tornado vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS

Summary:

Several security issues were fixed in Tornado.

Software Description:
- python-tornado: scalable, non-blocking web server and tools

Details:

USN-8198-1 fixed vulnerabilities in Tornado. This update provides the
corresponding updates for Ubuntu 26.04 LTS.

Original advisory details:

 It was discovered that Tornado incorrectly handled parsing of large
 multipart request bodies. An attacker could possibly use this issue to
 cause a denial of service. (CVE-2026-31958)

 It was discovered that Tornado did not properly validate characters in
 cookie values. An attacker could possibly use this issue to inject
 arbitrary cookie attributes. (CVE-2026-35536)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  python3-tornado                 6.5.4-0.1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8198-2
  https://ubuntu.com/security/notices/USN-8198-1
  CVE-2026-31958, CVE-2026-35536

Package Information:
  https://launchpad.net/ubuntu/+source/python-tornado/6.5.4...




Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmnxGb4ACgkQcpJm3tlz
hgEqZhAAxGjmdcbdBEVWEARBv856/kYmyld6KLDlgfKq8e4MEXk3bL5F9afYZLK2
MUSHEsxsJAw9YunUd13Qb0T4RoSFV+1Bqo52WMrDvR6OUr0WScISVMfb0LXz0Zjp
wDOBt9RZf5DGKa2ehPov5Vz3uYFmD387LmtI+NeChDxZ6VyVUeanGJSx4gCCXqr9
qZkHK7Gbhxs0BC0voyLJb5Rm1+dg3E089eyChw459NKPKcLa/ebHNLpo0EVhRyRr
Hcrlsk/l/Uq7A9aP3Q8eb1ISEhmO8tvf5m72jn8J0kMpq1VueGk0KHBLUxLN3d+V
oEBUxbpD9a5k8A6DizjspnNISklpHwm+uO1I0GEnkFeCb5PSsuyTX/3HO4GDHlrT
4giyAJy+HQAk3NmZX0Ux/y/4XhwUUHQEN1S9SQe0ebV5WTFvjHNTzMgeDhkzspuA
HnCAlnV2r9tdy9aR0O8mRH8dNOOX7895yJk22ULwK3Buyqwn6EYJSQBc0bGOd/jh
+BnIGVzYp8rTddd+fFoJ1laGTM2CkfKMPilQrQcrBMdaoqpQuCQgMpOEcJNcTPV1
4BUUqMa/VvFthIriDkjOQBEDJ6ConRoEvGSEI7tQN9Z0N62b4F8HaZhBbVOY5yh7
smdN5X1BeszyaTGDag39hjZyMNbsdUVqsH6mko0Edeu4dbT4CpM=
=5+JQ
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds