Security update for python-tornado6 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20445-1 Final 1 1 2025-06-24T08:54:05Z current 2025-06-24T08:54:05Z 2025-06-24T08:54:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-tornado6 This update for python-tornado6 fixes the following issues: - CVE-2024-52804: Fixed excessive CPU consumption by the algorithm used for parsing HTTP cookies (bsc#1233668) - CVE-2025-47287: Fixed denial-of-service via generation of an extremely high volume of logs due to multipart/form-data parser (bsc#1243268) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-157 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520445-1/ Link for SUSE-SU-2025:20445-1 https://lists.suse.com/pipermail/sle-updates/2025-June/040560.html E-Mail link for SUSE-SU-2025:20445-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233668 SUSE Bug 1233668 https://bugzilla.suse.com/1243268 SUSE Bug 1243268 https://www.suse.com/security/cve/CVE-2024-52804/ SUSE CVE CVE-2024-52804 page https://www.suse.com/security/cve/CVE-2025-47287/ SUSE CVE CVE-2025-47287 page SUSE Linux Micro 6.1 python311-tornado6-6.4-slfo.1.1_2.1 python311-tornado6-6.4-slfo.1.1_2.1 as a component of SUSE Linux Micro 6.1 Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue. CVE-2024-52804 SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520445-1/ https://www.suse.com/security/cve/CVE-2024-52804.html CVE-2024-52804 https://bugzilla.suse.com/1233668 SUSE Bug 1233668 Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy. CVE-2025-47287 SUSE Linux Micro 6.1:python311-tornado6-6.4-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520445-1/ https://www.suse.com/security/cve/CVE-2025-47287.html CVE-2025-47287 https://bugzilla.suse.com/1243268 SUSE Bug 1243268