File _patchinfo of Package patchinfo.41998

<patchinfo incident="41998">
  <issue tracker="cve" id="2025-67725"/>
  <issue tracker="cve" id="2025-67724"/>
  <issue tracker="cve" id="2025-67726"/>
  <issue tracker="bnc" id="1254903">VUL-0: CVE-2025-67724: python-tornado,python-tornado6: missing validation of the supplied reason phrase</issue>
  <issue tracker="bnc" id="1254905">VUL-0: CVE-2025-67725: python-tornado,python-tornado6: Denial of Service (DoS) via maliciously crafted HTTP request caused by the HTTPHeaders.add method</issue>
  <issue tracker="bnc" id="1254904">VUL-0: CVE-2025-67726: python-tornado,python-tornado6: inefficient algorithm when parsing parameters for HTTP header values</issue>
  <packager>nkrapp</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python-tornado6</summary>
  <description>This update for python-tornado6 fixes the following issues:

- CVE-2025-67724: unescaped `reason` argument used in HTTP headers and in HTML default error pages can be used by
  attackers to launch header injection or XSS attacks (bsc#1254903).
- CVE-2025-67725: quadratic complexity of string concatenation operations used by the `HTTPHeaders.add` method can lead
  to DoS when processing a maliciously crafted HTTP request (bsc#1254905).
- CVE-2025-67726: quadratic complexity algorithm used in the `_parseparam` function of `httputil.py` can lead to DoS
  when processing maliciously crafted parameters in a `Content-Disposition` header (bsc#1254904).
</description>
</patchinfo>