The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.
See also CVE-2024-7592 for a similar vulnerability in cpython.
This PR contains the following updates:
==6.4.1->==6.4.2GitHub Vulnerability Alerts
CVE-2024-52804
The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.
See also CVE-2024-7592 for a similar vulnerability in cpython.
Release Notes
tornadoweb/tornado (tornado)
### [`v6.4.2`](https://redirect.github.com/tornadoweb/tornado/compare/v6.4.1...v6.4.2) [Compare Source](https://redirect.github.com/tornadoweb/tornado/compare/v6.4.1...v6.4.2)Configuration
📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.