python-tornado-6.5.5-1.el9
エラータID: AXSA:2026-964:02
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
* tornado-python: Tornado: Denial of Service via large multipart bodies (CVE-2026-31958)
* tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments (CVE-2026-35536)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-31958
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
CVE-2026-35536
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Update packages.
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
N/A
SRPMS
- python-tornado-6.5.5-1.el9.src.rpm
MD5: f804ddcd32411ec31f0528bc6e147a69
SHA-256: 5bc1c79e60b6b3c97c7f8ebcbf09e5ee84ab08bfd02e7b508ac0f0fdd4b5e060
Size: 546.06 kB
Asianux Server 9 for x86_64
- python3-tornado-6.5.5-1.el9.x86_64.rpm
MD5: 8389fe01f1b255219f18d613bbab391b
SHA-256: 043a2d3c8e3bd298448c6e677bba83e17e10884f48f2f0237c2e6c978911007c
Size: 731.73 kB