OESA-2026-2727

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2727
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2727.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2727
Upstream
  • CVE-2026-49853
  • CVE-2026-49854
  • CVE-2026-49855
Published
2026-06-24T13:13:05Z
Modified
2026-06-24T13:30:10.952669594Z
Summary
python-tornado security update
Details

Tornado is an open source version of the scalable, non-blocking web server and tools.

Security Fix(es):

When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements maxredirects, and removes only the Host header. It does not clear Authorization, authusername, authpassword, or authmode when the redirect target changes origin. As a result, credentials intended for one origin can be forwarded to a different origin when follow_redirects=True, which is the default. Beginning in Tornado 6.5.6, SimpleAsyncHTTPClient matches the default behavior of libcurl (and therefore CurlAsyncHTTPClient): When a redirect changes the scheme, host, or port of the url, the Authorization and Cookie headers will be removed when following the redirect.(CVE-2026-49853)

SummaryTornado's optional native extension tornado.speedups implements websocket_mask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.The behavior is reachable from Tornado's XSRF token decoder when xsrf_cookies=True and the native extension is active. ### MitigationsThis bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).(CVE-2026-49854)

Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total compressed size). This allows a malicious server to consume effectively unlimited amounts of memory if it is accessed via SimpleAsyncHTTPClient in its default configuration. HTTPServer is not affected in its default configuration, but it is if decompressrequest=True is set. This bug is fixed in Tornado 6.5.6. maxbody_size is now checked both for the compressed and cumulative decompressed size of the response.(CVE-2026-49855)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / python-tornado

Package

Name
python-tornado
Purl
pkg:rpm/openEuler/python-tornado&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5-5.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "python-tornado-debuginfo-6.5-5.oe2403sp1.aarch64.rpm",
        "python-tornado-debugsource-6.5-5.oe2403sp1.aarch64.rpm",
        "python-tornado-help-6.5-5.oe2403sp1.aarch64.rpm",
        "python3-tornado-6.5-5.oe2403sp1.aarch64.rpm"
    ],
    "src": [
        "python-tornado-6.5-5.oe2403sp1.src.rpm"
    ],
    "x86_64": [
        "python-tornado-debuginfo-6.5-5.oe2403sp1.x86_64.rpm",
        "python-tornado-debugsource-6.5-5.oe2403sp1.x86_64.rpm",
        "python-tornado-help-6.5-5.oe2403sp1.x86_64.rpm",
        "python3-tornado-6.5-5.oe2403sp1.x86_64.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2727.json"