* [Buildroot] [PATCH] package/python-tornado: bump to version 6.5
@ 2025-05-19 14:51 Titouan Christophe via buildroot
2025-05-30 19:52 ` Thomas Petazzoni via buildroot
0 siblings, 1 reply; 2+ messages in thread
From: Titouan Christophe via buildroot @ 2025-05-19 14:51 UTC (permalink / raw)
To: buildroot; +Cc: James Hilliard, thomas.perale
Among other things, this fixes the following CVE:
- CVE-2025-47287: When Tornado's ``multipart/form-data`` parser encounters
certain errors, it logs a warning but continues trying to
parse the remainder of the data. This allows remote
attackers to generate an extremely high volume of logs,
constituting a DoS attack.
Read the full changelog:
https://github.com/tornadoweb/tornado/releases/tag/v6.5.0
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
package/python-tornado/python-tornado.hash | 4 ++--
package/python-tornado/python-tornado.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-tornado/python-tornado.hash b/package/python-tornado/python-tornado.hash
index a7ba8f899f..cf52729bb3 100644
--- a/package/python-tornado/python-tornado.hash
+++ b/package/python-tornado/python-tornado.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/tornado/json
-md5 c3a490d9cea9360ecd0805e4c2d1e87e tornado-6.4.2.tar.gz
-sha256 92bad5b4746e9879fd7bf1eb21dce4e3fc5128d71601f80005afa39237ad620b tornado-6.4.2.tar.gz
+md5 a14a7d70e304fcf96f06ccc2db98b98d tornado-6.5.tar.gz
+sha256 c70c0a26d5b2d85440e4debd14a8d0b463a0cf35d92d3af05f5f1ffa8675c826 tornado-6.5.tar.gz
# Locally computed sha256 checksums
sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
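Review bot: The unchanged context line for LICENSE carries a locally computed sha256 forward from 6.4.2, so it is worth confirming that the LICENSE file shipped in tornado-6.5.tar.gz is byte-identical to the previous one before relying on that entry. On the two added lines, the sha256 entry is the one that provides integrity for the tarball; the md5 entry only mirrors what PyPI publishes and should not be treated as a check in its own right.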
diff --git a/package/python-tornado/python-tornado.mk b/package/python-tornado/python-tornado.mk
index 45883b844d..b6a668e09e 100644
--- a/package/python-tornado/python-tornado.mk
+++ b/package/python-tornado/python-tornado.mk
@@ -4,9 +4,9 @@
#
################################################################################
-PYTHON_TORNADO_VERSION = 6.4.2
+PYTHON_TORNADO_VERSION = 6.5
PYTHON_TORNADO_SOURCE = tornado-$(PYTHON_TORNADO_VERSION).tar.gz
-PYTHON_TORNADO_SITE = https://files.pythonhosted.org/packages/59/45/a0daf161f7d6f36c3ea5fc0c2de619746cc3dd4c76402e9db545bd920f63
+PYTHON_TORNADO_SITE = https://files.pythonhosted.org/packages/63/c4/bb3bd68b1b3cd30abc6411469875e6d32004397ccc4a3230479f86f86a73
PYTHON_TORNADO_LICENSE = Apache-2.0
PYTHON_TORNADO_LICENSE_FILES = LICENSE
PYTHON_TORNADO_CPE_ID_VENDOR = tornadoweb
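Review bot: Only PYTHON_TORNADO_VERSION and PYTHON_TORNADO_SITE change in python-tornado.mk, and the diffstat touches no patch files, so on any branch that already carries a backported fix for CVE-2025-47287 this bump needs to drop that patch (and any PYTHON_TORNADO_IGNORE_CVES entry that went with it) in the same commit. The reply in this thread notes that exactly this had to be handled when applying to next, so stating the base branch in the commit message would help the committer.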
--
2.49.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/python-tornado: bump to version 6.5
From: Thomas Petazzoni via buildroot @ 2025-05-30 19:52 UTC (permalink / raw)
To: Titouan Christophe via buildroot
Cc: Titouan Christophe, James Hilliard, thomas.perale
On Mon, 19 May 2025 16:51:26 +0200
Titouan Christophe via buildroot <buildroot@buildroot.org> wrote:
> Among other things, this fixes the following CVE:
> - CVE-2025-47287: When Tornado's ``multipart/form-data`` parser encounters
> certain errors, it logs a warning but continues trying to
> parse the remainder of the data. This allows remote
> attackers to generate an extremely high volume of logs,
> constituting a DoS attack.
>
> Read the full changelog:
> https://github.com/tornadoweb/tornado/releases/tag/v6.5.0
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> ---
> package/python-tornado/python-tornado.hash | 4 ++--
> package/python-tornado/python-tornado.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
Applied to next after cherry-picking the commit from master adding the
security fix, and making sure it gets dropped as part of the version
bump. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com