File _patchinfo of Package patchinfo.43040

<patchinfo incident="43040">
  <issue tracker="bnc" id="1254904">VUL-0: CVE-2025-67726: python-tornado,python-tornado6: inefficient algorithm when parsing parameters for HTTP header values</issue>
  <issue tracker="bnc" id="1254905">VUL-0: CVE-2025-67725: python-tornado,python-tornado6: Denial of Service (DoS) via maliciously crafted HTTP request caused by the HTTPHeaders.add method</issue>
  <issue tracker="bnc" id="1240532">Salt Keys page is loading for abnormally long interval of time</issue>
  <issue tracker="bnc" id="1246130">Hardware profile refresh takes 3 hours on top of SLE Micro arm client</issue>
  <issue tracker="bnc" id="1254903">VUL-0: CVE-2025-67724: python-tornado,python-tornado6: missing validation of the supplied reason phrase</issue>
  <issue tracker="bnc" id="1254325">salt.modules.postgres fails to modify privileges with PostgreSQL</issue>
  <issue tracker="bnc" id="1254400">VUL-0: CVE-2025-13836: python,python3,python310,python311,python312,python313,python36,python39: When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length.</issue>
  <issue tracker="cve" id="2025-13836"/>
  <issue tracker="cve" id="2025-67726"/>
  <issue tracker="cve" id="2025-67725"/>
  <issue tracker="cve" id="2025-67724"/>
  <packager>vizhestkov</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for salt</summary>
  <description>This update for salt fixes the following issues:

- Security issues fixed:

  * CVE-2025-67724: Fixed missing validation of supplied reason phrase (bsc#1254903)
  * CVE-2025-67725: Fixed DoS via malicious HTTP request (bsc#1254905)
  * CVE-2025-67726: Fixed HTTP header parameter parsing algorithm (bsc#1254904)
  * CVE-2025-13836: Set a safe limit to http.client response read (bsc#1254400)

- Made syntax in httputil_test compatible with Python 3.6
- Fixed KeyError in postgres module with PostgreSQL 17 (bsc#1254325)
- Use internal deb classes instead of external aptsource lib
- Improved wheel key.finger call (bsc#1240532)
- Improved utils.find_json function (bsc#1246130)
- Extended warn_until period to 2027

</description>
  <zypp_restart_needed/>
</patchinfo>