Early Access — Mondoo Vulnerability Intelligence is currently in preview.

SUSE-SU-2026:0010-1

UNKNOWN

Security update for python-tornado6

Published Jan 5, 2026

Modified 1 weeks ago

Fix available

Details

This update for python-tornado6 fixes the following issues:

CVE-2025-67724: unescaped reason argument used in HTTP headers and in HTML default error pages can be used by attackers to launch header injection or XSS attacks (bsc#1254903).
CVE-2025-67725: quadratic complexity of string concatenation operations used by the HTTPHeaders.add method can lead to DoS when processing a maliciously crafted HTTP request (bsc#1254905).
CVE-2025-67726: quadratic complexity algorithm used in the _parseparam function of httputil.py can lead to DoS when processing maliciously crafted parameters in a Content-Disposition header (bsc#1254904).

Affected Packages

SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOSpython-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOSpython311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSSpython-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSSpython311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOSpython-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOSpython311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSSpython-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSSpython311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Module for Python 3 15 SP7python-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Module for Python 3 15 SP7python311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server 15 SP4-LTSSpython-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server 15 SP4-LTSSpython311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server 15 SP5-LTSSpython-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server 15 SP5-LTSSpython311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server 15 SP6-LTSSpython-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server 15 SP6-LTSSpython311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server for SAP Applications 15 SP4python-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server for SAP Applications 15 SP4python311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server for SAP Applications 15 SP5python-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server for SAP Applications 15 SP5python311-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server for SAP Applications 15 SP6python-tornado6

Fixed in:

6.3.2-150400.9.12.1

SUSE:Linux Enterprise Server for SAP Applications 15 SP6python311-tornado6

Fixed in:

6.3.2-150400.9.12.1

openSUSE:Leap 15.6python-tornado6

Fixed in:

6.3.2-150400.9.12.1

openSUSE:Leap 15.6python311-tornado6

Fixed in:

6.3.2-150400.9.12.1

References

REPORThttps://bugzilla.suse.com/1254903 REPORThttps://bugzilla.suse.com/1254904 REPORThttps://bugzilla.suse.com/1254905 WEBhttps://www.suse.com/security/cve/CVE-2025-67724 WEBhttps://www.suse.com/security/cve/CVE-2025-67725 WEBhttps://www.suse.com/security/cve/CVE-2025-67726 ADVISORYhttps://www.suse.com/support/update/announcement/2026/suse-su-20260010-1/

Upstream

CVE-2025-67724 CVE-2025-67725 CVE-2025-67726

Ecosystems

Timeline

PublishedJan 5, 2026

ModifiedJan 5, 2026

SUSE-SU-2026:0010-1 | Mondoo Vulnerability Intelligence

SUSE-SU-2026:0010-1

Details

Affected Packages

References

Upstream

Related

Ecosystems

Timeline