chore(deps): update dependency tornado to v6 [security] #5361
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
566f9fa to
43c8e55
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
43c8e55 to
e7f89ab
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
3 times, most recently
from
55185d3 to
7ea5cf7
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
2 times, most recently
from
e8d2aa1 to
4bbd149
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
4bbd149 to
beb5050
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
beb5050 to
7967645
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
2 times, most recently
from
af2aae4 to
485cf59
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
3 times, most recently
from
72bd66e to
3b490ed
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
3b490ed to
020dfb2
Compare
annagav
approved these changes
Apr 25, 2024
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
020dfb2 to
758337d
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
758337d to
e8e7e5a
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
2 times, most recently
from
73b9a48 to
dce94b4
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
dce94b4 to
28fa207
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
28fa207 to
690939f
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
2 times, most recently
from
7625ef6 to
ee35efd
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
ee35efd to
178f78d
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
3 times, most recently
from
07736df to
82dfb59
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
82dfb59 to
d572078
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
d572078 to
613d59e
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
3 times, most recently
from
7ae80c1 to
3fb486f
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
3 times, most recently
from
cec8e4b to
f1ae391
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
2 times, most recently
from
b1cfe74 to
7812d1a
Compare
renovate
bot
force-pushed
the
renovate/pypi-tornado-vulnerability
branch
from
7812d1a to
a81f32f
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==5.1.1->==6.3.3GitHub Vulnerability Alerts
CVE-2023-28370
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
GHSA-qppv-j76h-2rpx
Summary
Tornado interprets
-,+, and_in chunk length andContent-Lengthvalues, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.Details
Tornado uses the
intconstructor to parse the values ofContent-Lengthheaders and chunk lengths in the following locations:tornado/http1connection.py:445tornado/http1connection.py:621tornado/http1connection.py:671Because
int("0_0") == int("+0") == int("-0") == int("0"), using theintconstructor to parse and validate strings that should contain only ASCII digits is not a good strategy.Release Notes
tornadoweb/tornado (tornado)
v6.3.3Compare Source
v6.3.2Compare Source
v6.3.1Compare Source
v6.3Compare Source
v6.2Compare Source
v6.1Compare Source
v6.0.4Compare Source
v6.0.3Compare Source
v6.0.2Compare Source
v6.0.1Compare Source
v6.0Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.