| Package | python-tornado |
|---|---|
| Version | 4.4.3-1+deb9u3 (stretch), 5.1.1-4+deb10u4 (buster) |
| Related CVEs | CVE-2026-31958 |
Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.
CVE-2026-31958
Tornado's multipart/form-data parser did not limit the size or complexity of
request bodies, which could be abused for a denial of service. New limits on
the size and complexity of multipart bodies were introduced, including a
default limit of 100 parts per request. Parsing of multipart/form-data can
also be disabled entirely where an application does not require it.
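The following is an added illustration of how a part-count limit of the kind described above stops the parser early, before an oversized body is fully processed. It is not Tornado's parser and the names `parse_multipart`, `max_parts` and `max_part_bytes` are ours; the sample bodies are constructed inline.

```python
"""Bounded multipart/form-data parsing: stop before an attacker's body is fully scanned."""
from typing import Dict, List, Tuple

DEFAULT_MAX_PARTS = 100  # default part limit as stated in the advisory; the constant name is ours


class MultipartLimitExceeded(ValueError):
    """Raised when a body exceeds the configured part count or part size."""


def parse_multipart(body: bytes, boundary: bytes,
                    max_parts: int = DEFAULT_MAX_PARTS,
                    max_part_bytes: int = 1 << 20) -> List[Tuple[Dict[str, str], bytes]]:
    """Parse an RFC 7578 multipart body into (headers, data) tuples.

    The body is scanned incrementally with bytes.find() so that the part
    count and part size checks run before any further work on the body;
    a body with a million parts fails as soon as part max_parts + 1 starts.
    """
    delimiter = b"--" + boundary
    pos = body.find(delimiter)
    if pos < 0:
        raise ValueError("no multipart boundary found")
    pos += len(delimiter)
    parts: List[Tuple[Dict[str, str], bytes]] = []
    while True:
        if body.startswith(b"--", pos):          # "--boundary--": closing delimiter
            return parts
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed part delimiter")
        if len(parts) >= max_parts:              # checked before touching the next part
            raise MultipartLimitExceeded(f"more than {max_parts} parts in request")
        pos += 2
        nxt = body.find(b"\r\n" + delimiter, pos)
        if nxt < 0:
            raise ValueError("unterminated multipart part")
        if nxt - pos > max_part_bytes:
            raise MultipartLimitExceeded(f"part larger than {max_part_bytes} bytes")
        chunk = body[pos:nxt]
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        headers: Dict[str, str] = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        parts.append((headers, data))
        pos = nxt + 2 + len(delimiter)


def build_body(fields: List[Tuple[bytes, bytes]], boundary: bytes = b"frontier") -> bytes:
    """Construct a multipart/form-data body for testing (sample data, not captured traffic)."""
    out = b""
    for name, value in fields:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name + b'"\r\n\r\n'
        out += value + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def exceeds_limit(body: bytes, boundary: bytes, max_parts: int = DEFAULT_MAX_PARTS) -> bool:
    """True if the body is rejected by the part-count or size limit."""
    try:
        parse_multipart(body, boundary, max_parts=max_parts)
    except MultipartLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    small = build_body([(b"user", b"alice"), (b"comment", b"hello")])
    print(parse_multipart(small, b"frontier"))
    flood = build_body([(b"f%d" % i, b"x") for i in range(DEFAULT_MAX_PARTS + 1)])
    print("flood rejected:", exceeds_limit(flood, b"frontier"))
```

Counting parts as they are encountered, rather than splitting the whole body first, is what makes the limit an effective DoS mitigation: the work done on a rejected request is bounded by the limit, not by the body size.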
GHSA-78cv-mqj4-43f7 (CVE not assigned yet)
Values passed to the domain, path, and samesite arguments of
RequestHandler.set_cookie were not completely validated. In particular,
semicolons were allowed, so an attacker who controls one of these values
could inject additional, attacker-chosen attributes into the Set-Cookie
header and so alter the cookie's other attributes.
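The following added example, which is not Tornado's code, shows the injection using only the standard library's `http.cookies.Morsel` (the same serializer Tornado builds on) together with a hypothetical validation step of our own; the attacker-controlled path value is constructed inline.

```python
"""Cookie attribute injection via an unvalidated Set-Cookie attribute, and a hardened variant."""
import re
from http.cookies import Morsel
from typing import List, Optional

# A bare ';' starts a new cookie attribute; CR/LF would end the header line.
_FORBIDDEN = re.compile(r"[;\r\n\x00]")
_SAMESITE_VALUES = {"strict", "lax", "none"}


def build_set_cookie_unchecked(name: str, value: str, *, domain: Optional[str] = None,
                               path: str = "/", samesite: Optional[str] = None) -> str:
    """Pre-fix behaviour: attribute values are copied into the Morsel unchanged.

    Deliberately vulnerable: a ';' inside path, domain or samesite is emitted
    verbatim and the receiving browser parses it as a new attribute.
    """
    morsel = Morsel()
    morsel.set(name, value, value)
    morsel["path"] = path
    if domain is not None:
        morsel["domain"] = domain
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


def validate_cookie_attr(attr_name: str, attr_value: str) -> str:
    """Hypothetical hardening written for this example (not Tornado's fix)."""
    if _FORBIDDEN.search(attr_value):
        raise ValueError(f"invalid character in cookie attribute {attr_name!r}")
    if attr_name == "samesite" and attr_value.lower() not in _SAMESITE_VALUES:
        raise ValueError(f"unsupported SameSite value {attr_value!r}")
    return attr_value


def build_set_cookie_checked(name: str, value: str, *, domain: Optional[str] = None,
                             path: str = "/", samesite: Optional[str] = None) -> str:
    """Hardened variant: each attacker-reachable attribute is validated first."""
    morsel = Morsel()
    morsel.set(name, value, value)
    morsel["path"] = validate_cookie_attr("path", path)
    if domain is not None:
        morsel["domain"] = validate_cookie_attr("domain", domain)
    if samesite is not None:
        morsel["samesite"] = validate_cookie_attr("samesite", samesite)
    return morsel.OutputString()


def injected_attributes(header: str, expected: List[str]) -> List[str]:
    """Attribute names present in the serialized header that the caller never set."""
    attrs = [p.strip() for p in header.split(";")[1:]]
    names = {a.split("=", 1)[0].lower() for a in attrs if a}
    return sorted(names - {e.lower() for e in expected})


def rejects(name: str, value: str, **attrs: str) -> bool:
    """True if the hardened builder refuses the given attribute values."""
    try:
        build_set_cookie_checked(name, value, **attrs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled value, e.g. a path echoed from the request.
    evil_path = "/; Domain=.example.com; SameSite=None"
    header = build_set_cookie_unchecked("session", "abc", path=evil_path)
    print(header)
    print("injected:", injected_attributes(header, ["Path"]))
    print("hardened rejects it:", rejects("session", "abc", path=evil_path))
```

Running the vulnerable builder yields `session=abc; Path=/; Domain=.example.com; SameSite=None`, so a value meant to be a path has widened the cookie's scope to the whole parent domain and relaxed its SameSite policy; the hardened builder refuses the same input.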
For Debian 10 buster, these problems have been fixed in version 5.1.1-4+deb10u4.
For Debian 9 stretch, these problems have been fixed in version 4.4.3-1+deb9u3.
We recommend that you upgrade your python-tornado packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.