{"schema_version":"1.7.2","id":"OESA-2026-2728","modified":"2026-06-24T13:13:07Z","published":"2026-06-24T13:13:07Z","upstream":["CVE-2026-49853","CVE-2026-49854","CVE-2026-49855"],"summary":"python-tornado security update","details":"Tornado is an open source version of the scalable, non-blocking web server and tools.\r\n\r\nSecurity Fix(es):\n\nWhen SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect target changes origin. As a result, credentials intended for one origin can be forwarded to a different origin when follow_redirects=True, which is the default. Beginning in Tornado 6.5.6, SimpleAsyncHTTPClient matches the default behavior of libcurl (and therefore CurlAsyncHTTPClient): When a redirect changes the scheme, host, or port of the url, the Authorization and Cookie headers will be removed when following the redirect. (CVE-2026-49853)\n\n### Summary\n\nTornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.\n\nThe behavior is reachable from Tornado's XSRF token decoder when `xsrf_cookies=True` and the native extension is active.\n\n### Mitigations\n\nThis bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance). (CVE-2026-49854)\n\nTornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (there has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively unlimited amounts of memory if it is accessed via SimpleAsyncHTTPClient in its default configuration. HTTPServer is not affected in its default configuration, but it is if decompress_request=True is set. This bug is fixed in Tornado 6.5.6. max_body_size is now checked both for the compressed and cumulative decompressed size of the response. (CVE-2026-49855)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"python-tornado","purl":"pkg:rpm/openEuler/python-tornado&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.5-5.oe2403sp3"}]}],"ecosystem_specific":{"aarch64":["python-tornado-debuginfo-6.5-5.oe2403sp3.aarch64.rpm","python-tornado-debugsource-6.5-5.oe2403sp3.aarch64.rpm","python-tornado-help-6.5-5.oe2403sp3.aarch64.rpm","python3-tornado-6.5-5.oe2403sp3.aarch64.rpm"],"src":["python-tornado-6.5-5.oe2403sp3.src.rpm"],"x86_64":["python-tornado-debuginfo-6.5-5.oe2403sp3.x86_64.rpm","python-tornado-debugsource-6.5-5.oe2403sp3.x86_64.rpm","python-tornado-help-6.5-5.oe2403sp3.x86_64.rpm","python3-tornado-6.5-5.oe2403sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2728"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49853"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49854"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49855"}],"database_specific":{"severity":"High"}}
