SUSE-SU-2026:1171-1

Details

This update for python-tornado fixes the following issues:

CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service (bsc#1259553).
incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes (bsc#1259630).

Affected Packages

python-tornado

SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP4-LTSSSUSE Linux Enterprise High Performance Computing 15 SP5-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP5-LTSSSUSE Linux Enterprise Micro 5.2

Fixed in:

4.5.3-150000.3.19.1

python3-tornado

SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP4-LTSSSUSE Linux Enterprise High Performance Computing 15 SP5-ESPOSSUSE Linux Enterprise High Performance Computing 15 SP5-LTSSSUSE Linux Enterprise Micro 5.2

Fixed in:

4.5.3-150000.3.19.1

References

REPORT

https://bugzilla.suse.com/1254905

REPORT

https://bugzilla.suse.com/1259553

REPORT

https://bugzilla.suse.com/1259630

WEB

https://www.suse.com/security/cve/CVE-2026-31958

ADVISORY

https://www.suse.com/support/update/announcement/2026/suse-su-20261171-1/