Security update for python-tornado6 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:4137-1 Final 1 1 2024-12-02T12:28:43Z current 2024-12-02T12:28:43Z 2024-12-02T12:28:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-tornado6 This update for python-tornado6 fixes the following issues: - CVE-2024-52804: Fixed a denial of service caused by quadratic performance of cookie parsing (bsc#1233668) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-4137,SUSE-SLE-Module-Python3-15-SP5-2024-4137,SUSE-SLE-Module-Python3-15-SP6-2024-4137,openSUSE-SLE-15.5-2024-4137,openSUSE-SLE-15.6-2024-4137 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20244137-1/ Link for SUSE-SU-2024:4137-1 https://lists.suse.com/pipermail/sle-security-updates/2024-December/019892.html E-Mail link for SUSE-SU-2024:4137-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233668 SUSE Bug 1233668 https://www.suse.com/security/cve/CVE-2024-52804/ SUSE CVE CVE-2024-52804 page SUSE Linux Enterprise Module for Python 3 15 SP5 SUSE Linux Enterprise Module for Python 3 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 python311-tornado6-6.3.2-150400.9.6.1 python311-tornado6-6.3.2-150400.9.6.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP5 python311-tornado6-6.3.2-150400.9.6.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP6 python311-tornado6-6.3.2-150400.9.6.1 as a component of openSUSE Leap 15.5 python311-tornado6-6.3.2-150400.9.6.1 as a component of openSUSE Leap 15.6 Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue. CVE-2024-52804 SUSE Linux Enterprise Module for Python 3 15 SP5:python311-tornado6-6.3.2-150400.9.6.1 SUSE Linux Enterprise Module for Python 3 15 SP6:python311-tornado6-6.3.2-150400.9.6.1 openSUSE Leap 15.5:python311-tornado6-6.3.2-150400.9.6.1 openSUSE Leap 15.6:python311-tornado6-6.3.2-150400.9.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20244137-1/ https://www.suse.com/security/cve/CVE-2024-52804.html CVE-2024-52804 https://bugzilla.suse.com/1233668 SUSE Bug 1233668