Bug#1106819: bookworm-pu: package python-tornado/6.2.0-3+deb12u2
Hi Daniel,
On Fri, May 30, 2025 at 05:38:30AM +0200, Daniel Leidert wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: python-tornado@packages.debian.org
> Control: affects -1 + src:python-tornado
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> [ Reason ]
> This upload intends to fix the vulnerability CVE-2025-47287.
>
> CVE-2025-47287 allows a remote attacker to create an extremely high volume of
> log entries, constituting a DoS attack.
>
> [ Impact ]
> Users of Debian Bookworm will continue to be vulnerable to the mentioned issues
> if the update is not approved.
>
> [ Tests ]
> The package comes with the testsuite enabled. The tests were adjusted to match
> the new behavior to throw errors instead of logging warnings. All tests succeed.
>
> [ Risks ]
> The changes are quite simple. However, regressions are always possible. The
> fact that the tests are successful reduces the risk of regressions.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> Instead of logging warning messages, errors are created which preserve the
> backtrace. Parsing the body has been moved within the code into
> RequestHandler._execute() to be in the right exception handler scope. The tests
> have been adjusted to this change.
>
> [ Other info ]
> All patches contain links to the original reports and commits.
Technically we had the package already in mind for a DSA, so this
could as well go via a DSA (cc'ing my teammates from Debian security
team). One comment below:
> diff -Nru python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch
> --- python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch 1970-01-01 01:00:00.000000000 +0100
> +++ python-tornado-6.2.0/debian/patches/CVE-2023-28370.patch 2025-05-30 05:19:15.000000000 +0200
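Review bot: the new patch file in this header (the 1970 timestamp on the `---` side means it is being added) is named CVE-2023-28370.patch, while the [ Reason ] section says the upload fixes CVE-2025-47287; only the file header is quoted, so the patch body cannot be checked here, but the name should be changed to CVE-2025-47287.patch and the matching entry in debian/patches/series updated before upload, so that the filename, series and the upstream links the patch carries all refer to the same issue.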
The patch seems wrongly named, should be CVE-2025-47287.patch instead
and likewise then in debian/patches/series to avoid confusion.
Regards,
Salvatore
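The [ Changes ] section above describes the fix pattern in general terms: a body parser that used to log a warning for every malformed part now raises an error, and the parsing is done inside the request handler's exception scope so one failed request produces one error entry with its traceback. The following is an added illustration of that pattern written for this thread; it is not tornado's code and not part of the debdiff. It uses a deliberately simplified multipart/form-data splitter (no real RFC 2046 handling) and a constructed request body; the names `parse_body_warn`, `parse_body_strict`, `handle_request` and `compare` are the example's own.

```python
"""Added example: warning-per-malformed-part parsing (old behaviour) versus
raising an error that the request handler turns into a single 400 response.
Simplified, constructed code; not tornado's parser."""
import logging

log = logging.getLogger("body_parser_demo")


class CountingHandler(logging.Handler):
    """Counts emitted log records per level so the two behaviours can be compared."""

    def __init__(self) -> None:
        super().__init__()
        self.counts: dict[int, int] = {}

    def emit(self, record: logging.LogRecord) -> None:
        self.counts[record.levelno] = self.counts.get(record.levelno, 0) + 1


class BodyParseError(ValueError):
    """Raised on malformed input; the traceback travels with it to the handler."""


def _split_parts(body: bytes, boundary: bytes) -> list[bytes]:
    """Split a simplified multipart body into raw parts (preamble dropped)."""
    sep = b"--" + boundary
    end = body.rfind(sep + b"--")
    if end < 0:
        raise BodyParseError("missing final boundary")
    chunks = body[:end].split(sep + b"\r\n")
    return [c[:-2] if c.endswith(b"\r\n") else c for c in chunks[1:]]


def _parse_part(raw: bytes) -> tuple[str, bytes]:
    """Return (field name, data) for one part, or raise BodyParseError."""
    header_blob, sep, data = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BodyParseError("part has no header/body separator")
    name = None
    for line in header_blob.split(b"\r\n"):
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"content-disposition":
            for param in value.split(b";"):
                k, _, v = param.strip().partition(b"=")
                if k == b"name":
                    name = v.strip(b'"').decode("utf-8", "replace")
    if name is None:
        raise BodyParseError("Content-Disposition without a field name")
    return name, data


def parse_body_warn(body: bytes, boundary: bytes) -> dict[str, bytes]:
    """Old behaviour: each malformed part logs one warning; parsing continues."""
    fields: dict[str, bytes] = {}
    try:
        parts = _split_parts(body, boundary)
    except BodyParseError as exc:
        log.warning("Invalid multipart/form-data: %s", exc)
        return fields
    for raw in parts:
        try:
            name, data = _parse_part(raw)
        except BodyParseError as exc:
            log.warning("Invalid multipart/form-data: %s", exc)  # volume set by the client
            continue
        fields[name] = data
    return fields


def parse_body_strict(body: bytes, boundary: bytes) -> dict[str, bytes]:
    """New behaviour: the first malformed part raises; nothing is logged here."""
    return {name: data for name, data in map(_parse_part, _split_parts(body, boundary))}


def handle_request(body: bytes, boundary: bytes, strict: bool) -> int:
    """Handler scope: a parse error becomes one logged error and one 400 status."""
    parser = parse_body_strict if strict else parse_body_warn
    try:
        parser(body, boundary)
    except BodyParseError:
        log.error("Rejecting request with malformed body", exc_info=True)  # traceback kept
        return 400
    return 200


def build_body(boundary: bytes, good: int, bad: int) -> bytes:
    """Constructed sample body: `good` well-formed parts, then `bad` parts lacking a name."""
    parts = [b'Content-Disposition: form-data; name="f%d"\r\n\r\nv%d\r\n' % (i, i) for i in range(good)]
    parts += [b"Content-Disposition: form-data\r\n\r\nx\r\n"] * bad
    return b"".join(b"--" + boundary + b"\r\n" + p for p in parts) + b"--" + boundary + b"--\r\n"


def compare(bad_parts: int) -> dict[str, int]:
    """Run both parsers on the same body; return statuses and log line counts."""
    counter = CountingHandler()
    log.addHandler(counter)
    log.propagate = False
    boundary = b"demo-boundary"
    body = build_body(boundary, good=2, bad=bad_parts)
    results = {"warn_status": handle_request(body, boundary, strict=False)}
    results["warn_lines"] = counter.counts.get(logging.WARNING, 0)
    counter.counts.clear()
    results["strict_status"] = handle_request(body, boundary, strict=True)
    results["strict_lines"] = counter.counts.get(logging.WARNING, 0) + counter.counts.get(logging.ERROR, 0)
    log.removeHandler(counter)
    return results


if __name__ == "__main__":
    print(compare(50))
```

With the old-style parser the number of log lines grows with the number of malformed parts in a single request while the request still completes; with the strict parser the same request produces exactly one error entry (with traceback) and is rejected, which is the property the bookworm update is meant to restore.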