python-tornado-6.4.2-1.el9_5

Errata ID: AXSA:2024-9436:01

Release date: Thursday, December 19, 2024 - 22:54
Subject: python-tornado-6.4.2-1.el9_5
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

Tornado is a Python web framework and asynchronous networking library that provides an open source version of a scalable, non-blocking web server and tools.

Security Fix(es):

* python-tornado: Tornado has HTTP cookie parsing DoS vulnerability (CVE-2024-52804)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-52804
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python-tornado-6.4.2-1.el9_5.src.rpm
    MD5: ab4f35747c3e8a24c0efa2428a0f232e
    SHA-256: 0eccb406126fab021437891dd32d61216dd792a574a457967ad03dbd61c14117
    Size: 533.37 kB

Asianux Server 9 for x86_64
  1. python3-tornado-6.4.2-1.el9_5.x86_64.rpm
    MD5: 38aecec7a8a8a9bbcc3920801f98cef2
    SHA-256: b3150537b94af502b213efdce1c5603a1b3b80b5619cc199ac72d883d08378aa
    Size: 719.44 kB