
Commit 38014dd

Merge pull request #3558 from bdarnell/relnotes-653
Release notes and version bump for 6.5.3
2 parents 083e2b2 + a5e50e2 commit 38014dd

3 files changed, +36 / -2 lines changed


docs/releases.rst

Lines changed: 1 addition & 0 deletions
@@ -4,6 +4,7 @@ Release notes
44
.. toctree::
55
:maxdepth: 2
66

7+
releases/v6.5.3
78
releases/v6.5.2
89
releases/v6.5.1
910
releases/v6.5.0

docs/releases/v6.5.3.rst

Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
What's new in Tornado 6.5.3
2+
===========================
3+
4+
Dec 10, 2025
5+
------------
6+
7+
Security fixes
8+
~~~~~~~~~~~~~~
9+
- Fixed a denial-of-service vulnerability involving quadratic computation when parsing
10+
``multipart/form-data`` request bodies.
11+
`CVE-2025-67726 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8>`_
12+
Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
13+
- Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP
14+
headers.
15+
`CVE-2025-67725 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64>`_.
16+
Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
17+
- Fixed a header injection and XSS vulnerability involving the ``reason`` argument to
18+
`.RequestHandler.set_status` and `tornado.web.HTTPError`.
19+
`CVE-2025-67724 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f>`_.
20+
Thanks to `Finder16 <https://github.com/Finder16>`_ and
21+
`Cheshire1225 <https://github.com/Cheshire1225>`_ for reporting this issue.
22+
23+
Demo changes
24+
~~~~~~~~~~~~
25+
- Several demo applications bundled with the Tornado repo (``blog``, ``chat``, ``facebook``) had an
26+
open redirect vulnerability which has been fixed. This is not covered by a CVE or security
27+
advisory since the demo applications are not included as a part of the Tornado package when
28+
installed, but developers who have copied code from these demos may which to review their own
29+
applications for open redirects. Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this
30+
issue.
31+
- The ``s3server`` demo application contained some path traversal vulnerabilities. Since this demo
32+
application was not demonstrating any interesting aspects of Tornado, it has been deleted rather
33+
than being fixed. Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this issue.
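Review bot: typo in the open-redirect bullet under "Demo changes": "developers who have copied code from these demos may which to review their own applications" should read "may wish to review their own applications". In the same hunk, the punctuation of the three security-fix bullets is inconsistent: the CVE-2025-67726 link line ends without a period, while the CVE-2025-67725 and CVE-2025-67724 link lines end with one; suggest adding the trailing period to the first bullet so all three match.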

tornado/__init__.py

Lines changed: 2 additions & 2 deletions
@@ -22,8 +22,8 @@
2222
# is zero for an official release, positive for a development branch,
2323
# or negative for a release candidate or beta (after the base version
2424
# number has been incremented)
25-
version = "6.5.2"
26-
version_info = (6, 5, 2, 0)
25+
version = "6.5.3"
26+
version_info = (6, 5, 3, 0)
2727

2828
import importlib
2929
import typing
