Description
Security update for python-tornado6
This update for python-tornado6 fixes the following issues:
- CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service (bsc#1259553).
- incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes (bsc#1259630).
Package list
openSUSE Leap 16.0
python313-tornado6-6.5-160000.4.1
References
- SUSE Security Ratings
- SUSE Bug 1259553
- SUSE Bug 1259630
- SUSE CVE CVE-2026-31958 page
Description
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
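A part-count guard of the kind the description implies is missing, as an added example (not Tornado's fix and not code from this advisory). It assumes the check runs on the raw body before the framework's multipart parser sees it; `MAX_PARTS`, `TooManyParts`, `multipart_boundary`, `count_parts` and `build_sample` are hypothetical names, and the sample body is constructed.

```python
from email.message import Message

MAX_PARTS = 100  # assumed policy value, not a Tornado setting


class TooManyParts(ValueError):
    """Raised when a multipart body carries more parts than allowed."""


def multipart_boundary(content_type):
    """Return the boundary bytes for multipart/form-data, else None."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/form-data":
        return None
    boundary = msg.get_param("boundary")
    if not isinstance(boundary, str) or not boundary:
        return None
    return boundary.encode("latin-1")


def count_parts(body, boundary, max_parts=MAX_PARTS):
    """Count part delimiters, stopping as soon as max_parts is exceeded."""
    delim = b"--" + boundary
    seen = 0
    pos = body.find(delim)
    while pos != -1:
        end = pos + len(delim)
        if body[end:end + 2] == b"--":  # closing delimiter: no more parts
            break
        seen += 1
        if seen > max_parts:
            # Bail out early so the guard itself stays cheap on hostile input.
            raise TooManyParts(f"more than {max_parts} multipart parts")
        pos = body.find(delim, end)
    return seen


def build_sample(n, boundary=b"XbOuNdArY"):
    """Constructed sample: a form body with n one-byte fields."""
    part = b"--" + boundary + b'\r\nContent-Disposition: form-data; name="f"\r\n\r\nx\r\n'
    return part * n + b"--" + boundary + b"--\r\n"


if __name__ == "__main__":
    b = multipart_boundary('multipart/form-data; boundary="XbOuNdArY"')
    print(count_parts(build_sample(3), b))
```

The guard scans only up to the cap, so its cost is bounded by `max_parts` delimiters rather than by the body size that `max_body_size` permits.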
Affected products
openSUSE Leap 16.0:python313-tornado6-6.5-160000.4.1
References
- CVE-2026-31958
- SUSE Bug 1259552