pkgsrc-Changes archive


CVS commit: pkgsrc/www/py-tornado



Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Dec 11 15:22:58 UTC 2025

Modified Files:
        pkgsrc/www/py-tornado: Makefile PLIST distinfo

Log Message:
py-tornado: updated to 6.5.3

What's new in Tornado 6.5.3

Security fixes

- Fixed a denial-of-service vulnerability involving quadratic computation when parsing
  ``multipart/form-data`` request bodies.
  `CVE-2025-67726 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8>`_
  Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
- Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP
  headers.
  `CVE-2025-67725 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64>`_.
  Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
- Fixed a header injection and XSS vulnerability involving the ``reason`` argument to
  `.RequestHandler.set_status` and `tornado.web.HTTPError`.
  `CVE-2025-67724 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f>`_.
  Thanks to `Finder16 <https://github.com/Finder16>`_ and
  `Cheshire1225 <https://github.com/Cheshire1225>`_ for reporting this issue.

Demo changes

- Several demo applications bundled with the Tornado repo (``blog``, ``chat``, ``facebook``) had an
  open redirect vulnerability which has been fixed. This is not covered by a CVE or security
  advisory since the demo applications are not included as a part of the Tornado package when
  installed, but developers who have copied code from these demos may wish to review their own
  applications for open redirects. Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this
  issue.
- The ``s3server`` demo application contained some path traversal vulnerabilities. Since this demo
  application was not demonstrating any interesting aspects of Tornado, it has been deleted rather
  than being fixed. Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this issue.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 pkgsrc/www/py-tornado/Makefile
cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/py-tornado/PLIST
cvs rdiff -u -r1.32 -r1.33 pkgsrc/www/py-tornado/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-tornado/Makefile
diff -u pkgsrc/www/py-tornado/Makefile:1.44 pkgsrc/www/py-tornado/Makefile:1.45
--- pkgsrc/www/py-tornado/Makefile:1.44 Wed Aug 13 04:42:57 2025
+++ pkgsrc/www/py-tornado/Makefile      Thu Dec 11 15:22:58 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.44 2025/08/13 04:42:57 adam Exp $
+# $NetBSD: Makefile,v 1.45 2025/12/11 15:22:58 adam Exp $
 
-DISTNAME=      tornado-6.5.2
+DISTNAME=      tornado-6.5.3
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    www python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=t/tornado/}
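
Review bot: the DISTNAME change from tornado-6.5.2 to tornado-6.5.3 is a security update (the log lists CVE-2025-67726, CVE-2025-67725 and CVE-2025-67724), but the summary line "py-tornado: updated to 6.5.3" does not say so. Suggest naming the CVEs or at least "security fix" in the first line of the log, so the commit is easy to find when deciding what to pull up to a stable branch.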

Index: pkgsrc/www/py-tornado/PLIST
diff -u pkgsrc/www/py-tornado/PLIST:1.19 pkgsrc/www/py-tornado/PLIST:1.20
--- pkgsrc/www/py-tornado/PLIST:1.19    Mon Apr 14 20:28:03 2025
+++ pkgsrc/www/py-tornado/PLIST Thu Dec 11 15:22:58 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.19 2025/04/14 20:28:03 adam Exp $
+@comment $NetBSD: PLIST,v 1.20 2025/12/11 15:22:58 adam Exp $
 ${PYSITELIB}/${WHEEL_INFODIR}/METADATA
 ${PYSITELIB}/${WHEEL_INFODIR}/RECORD
 ${PYSITELIB}/${WHEEL_INFODIR}/WHEEL
@@ -6,6 +6,7 @@ ${PYSITELIB}/${WHEEL_INFODIR}/licenses/L
 ${PYSITELIB}/${WHEEL_INFODIR}/top_level.txt
 ${PYSITELIB}/tornado/__init__.py
 ${PYSITELIB}/tornado/__init__.pyc
+${PYSITELIB}/tornado/__init__.pyi
 ${PYSITELIB}/tornado/__init__.pyo
 ${PYSITELIB}/tornado/_locale_data.py
 ${PYSITELIB}/tornado/_locale_data.pyc
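
Review bot: the added ${PYSITELIB}/tornado/__init__.pyi entry is a newly installed file that the log message does not mention; the quoted release notes cover only security fixes and demo changes. Suggest one line in the log noting that 6.5.3 now installs type stub files, so the PLIST change is explained.
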
@@ -87,6 +88,7 @@ ${PYSITELIB}/tornado/simple_httpclient.p
 ${PYSITELIB}/tornado/simple_httpclient.pyc
 ${PYSITELIB}/tornado/simple_httpclient.pyo
 ${PYSITELIB}/tornado/speedups.abi3.so
+${PYSITELIB}/tornado/speedups.pyi
 ${PYSITELIB}/tornado/tcpclient.py
 ${PYSITELIB}/tornado/tcpclient.pyc
 ${PYSITELIB}/tornado/tcpclient.pyo
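
Review bot: confirm the PLIST was regenerated from a real install of 6.5.3 rather than edited by hand; speedups.pyi after speedups.abi3.so is the second new stub file in this patch release, and a hand edit could miss others. The single entry with no .pyc/.pyo companions is correct for a stub file, which is never byte-compiled.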

Index: pkgsrc/www/py-tornado/distinfo
diff -u pkgsrc/www/py-tornado/distinfo:1.32 pkgsrc/www/py-tornado/distinfo:1.33
--- pkgsrc/www/py-tornado/distinfo:1.32 Wed Aug 13 04:42:57 2025
+++ pkgsrc/www/py-tornado/distinfo      Thu Dec 11 15:22:58 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.32 2025/08/13 04:42:57 adam Exp $
+$NetBSD: distinfo,v 1.33 2025/12/11 15:22:58 adam Exp $
 
-BLAKE2s (tornado-6.5.2.tar.gz) = 5128ac3c3c772adc79825448fbae3f583c390a34275b9222088916aa20611fa7
-SHA512 (tornado-6.5.2.tar.gz) = a0a9a123849571a08a552252f1732418cc46ba51e6f80d2e632c266f971eef26787eb2345cb8ae2f1337dbe06a3af12f99b1ae0d0fa813ede66c1f36700fae4d
-Size (tornado-6.5.2.tar.gz) = 510821 bytes
+BLAKE2s (tornado-6.5.3.tar.gz) = e51ce4ccef1ef1618125915573435e0788c246841cdda1dc5cc56ccb0a566dd6
+SHA512 (tornado-6.5.3.tar.gz) = 025641d9f79d767b8d87a61f94d96c8c58c13ff7b45fc853daff2a515b84ed7ee32ac38caf478061f501502aa10c82a40c860c556f75251b1798eb4f2e27c06e
+Size (tornado-6.5.3.tar.gz) = 513348 bytes
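
Review bot: the new BLAKE2s and SHA512 lines record whatever tarball was fetched when the checksums were regenerated, and neither algorithm matches the SHA256 digest that PyPI lists for its files, so these values cannot be checked against upstream by eye. For a security release, suggest computing SHA256 over the same tornado-6.5.3.tar.gz (513348 bytes) and comparing it with the PyPI value before committing.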


