• Bug#1105886: python-tornado: CVE-2025-47287

    From Salvatore Bonaccorso@21:1/5 to All on Fri May 16 18:10:02 2025
    Source: python-tornado
    Version: 6.4.2-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for python-tornado.

    CVE-2025-47287[0]:
    | Tornado is a Python web framework and asynchronous networking
    | library. When Tornado's ``multipart/form-data`` parser encounters
    | certain errors, it logs a warning but continues trying to parse the
    | remainder of the data. This allows remote attackers to generate an
    | extremely high volume of logs, constituting a DoS attack. This DoS
    | is compounded by the fact that the logging subsystem is synchronous.
    | All versions of Tornado prior to 6.5.0 are affected. The vulnerable
    | parser is enabled by default. Upgrade to Tornado version 6.50 to
    | receive a patch. As a workaround, risk can be mitigated by blocking
    | `Content-Type: multipart/form-data` in a proxy.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-47287
    https://www.cve.org/CVERecord?id=CVE-2025-47287
    [1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
    [2] https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3

    Please adjust the affected versions in the BTS as needed, all versions
    before 6.5.0 should be affected.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
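The log-and-continue failure mode in the CVE text, shown on a toy multipart/form-data splitter as an added illustration (not Tornado's code): with `strict=False` every malformed part emits a warning record and parsing goes on, so the number of log records scales with the number of bad parts; with `strict=True`, mirroring the fix, the first malformed part aborts the request. The body, boundary and helper names are constructed for this example.

```python
import logging
import re

log = logging.getLogger("multipart-demo")
log.propagate = False  # keep the demo's records out of the root logger

class MultipartError(ValueError):
    """Raised by the strict parser on the first malformed part."""

def parse_multipart(body: bytes, boundary: bytes, strict: bool) -> dict:
    """Toy splitter: each part needs Content-Disposition with a name="..." attribute.
    strict=False logs and skips malformed parts; strict=True raises on the first one."""
    fields = {}
    # layout: --boundary\r\n<headers>\r\n\r\n<data>\r\n ... --boundary--
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        head, sep, data = chunk.strip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if not sep or b"content-disposition" not in head.lower() or not m:
            if strict:
                raise MultipartError("malformed multipart part")
            log.warning("multipart/form-data: malformed part, skipping")
            continue
        fields[m.group(1).decode()] = data
    return fields

class _Counter(logging.Handler):
    """Counts records so the test can compare log volume per request."""
    def __init__(self):
        super().__init__()
        self.records = 0
    def emit(self, record):
        self.records += 1

def warnings_emitted(body: bytes, boundary: bytes, strict: bool) -> tuple:
    """Return (fields_parsed, warning_records, aborted) for one request body."""
    counter = _Counter()
    log.addHandler(counter)
    log.setLevel(logging.WARNING)
    try:
        return len(parse_multipart(body, boundary, strict)), counter.records, False
    except MultipartError:
        return 0, counter.records, True
    finally:
        log.removeHandler(counter)

# Constructed sample: one well-formed part, then three parts with no headers at all.
BOUNDARY = b"xyz"
SAMPLE = (b'--xyz\r\nContent-Disposition: form-data; name="a"\r\n\r\n1\r\n'
          + b"--xyz\r\nnoheaders\r\n" * 3 + b"--xyz--\r\n")
```

Three bad parts yield three warning records in lenient mode and zero in strict mode, which is the behaviour the Debian fix commit ("raise errors instead of logging") restores.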
  • From Debian Bug Tracking System@21:1/5 to All on Sun May 18 17:50:01 2025
    Processing control commands:

    tag -1 pending
    Bug #1105886 [src:python-tornado] python-tornado: CVE-2025-47287
    Added tag(s) pending.

    --
    1105886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Colin Watson@21:1/5 to All on Sun May 18 17:50:01 2025
    Control: tag -1 pending

    Hello,

    Bug #1105886 in python-tornado reported by you has been fixed in the
    Git repository and is awaiting an upload. You can see the commit
    message below and you can check the diff of the fix at:

    https://salsa.debian.org/python-team/packages/python-tornado/-/commit/efc055b9de7a8b10a5184a8e9e5096ede39aa55c

    ------------------------------------------------------------------------
    httputil: Raise errors instead of logging in multipart/form-data parsing

    Closes: #1105886
    ------------------------------------------------------------------------

    (this message was generated automatically)
    --
    Greetings

    https://bugs.debian.org/1105886

  • From Debian Bug Tracking System@21:1/5 to All on Sun May 18 18:10:02 2025

    Your message dated Sun, 18 May 2025 16:06:30 +0000
    with message-id <E1uGgX0-00HDdc-KT@fasolo.debian.org>
    and subject line Bug#1105886: fixed in python-tornado 6.4.2-2
    has caused the Debian Bug report #1105886,
    regarding python-tornado: CVE-2025-47287
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1105886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

    Received: (at submit) by bugs.debian.org; 16 May 2025 15:57:06 +0000
    X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
    (2021-04-09) on buxtehude.debian.org
    X-Spam-Level:
    X-Spam-Status: No, score=-10.1 required=4.0 tests=BAYES_00,FOURLA,
    FROMDEVELOPER,MD5_SHA1_SUM,RDNS_NONE,SPF_HELO_NONE,SPF_NONE,
    XMAILER_REPORTBUG autolearn=ham autolearn_force=no
    version=3.4.6-bugs.debian.org_2005_01_02
    X-Spam-Bayes: score:0.0000 Tokens: new, 27; hammy, 150; neutral, 81; spammy,
    0. spammytokens: hammytokens:0.000-+--H*F:U*carnil,
    0.000-+--XDebbugsCc, 0.000-+--X-Debbugs-Cc, 0.000-+--H*r:eldamar.lan,
    0.000-+--H*M:reportbug
    Return-path: <carnil@debian.org>
    Received: from [2a0d:f302:e054:54:ffff:9a36:ead8:547c] (port=54128 helo=eldamar.lan)
    by buxtehude.debian.org with esmtp (Exim 4.94.2)
    (envelope-from <carnil@debian.org>)
    id 1uFxQm-003WB
  • From Debian Bug Tracking System@21:1/5 to All on Fri Jun 6 23:00:01 2025

    Your message dated Fri, 06 Jun 2025 20:54:48 +0000
    with message-id <E1uNe5Q-00FOec-Qv@fasolo.debian.org>
    and subject line Bug#1105886: fixed in python-tornado 6.2.0-3+deb12u2
    has caused the Debian Bug report #1105886,
    regarding python-tornado: CVE-2025-47287
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1105886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
