An update for python-tornado is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2728 Final 1.0 1.0 2026-06-24 Initial 2026-06-24 2026-06-24 openEuler SA Tool V1.0 2026-06-24 python-tornado security update An update for python-tornado is now available for openEuler-24.03-LTS-SP3 Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fix(es): When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect target changes origin. As a result, credentials intended for one origin can be forwarded to a different origin when follow_redirects=True, which is the default. Beginning in Tornado 6.5.6, SimpleAsyncHTTPClient matches the default behavior of libcurl (and therefore CurlAsyncHTTPClient): When a redirect changes the scheme, host, or port of the url, the Authorization and Cookie headers will be removed when following the redirect.(CVE-2026-49853) SummaryTornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.The behavior is reachable from Tornado's XSRF token decoder when `xsrf_cookies=True` and the native extension is active. ### MitigationsThis bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).(CVE-2026-49854) Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively unlimited amounts of memory if it is accessed via SimpleAsyncHTTPClient in its default configuration. HTTPServer is not affected in its default configuration, but it is if decompress_request=True is set. This bug is fixed in Tornado 6.5.6. max_body_size is now checked both for the compressed and cumulative decompressed size of the response.(CVE-2026-49855) An update for python-tornado is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High python-tornado https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2728 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-49853 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-49854 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-49855 https://nvd.nist.gov/vuln/detail/CVE-2026-49853 https://nvd.nist.gov/vuln/detail/CVE-2026-49854 https://nvd.nist.gov/vuln/detail/CVE-2026-49855 openEuler-24.03-LTS-SP3 python-tornado-6.5-5.oe2403sp3.src.rpm python-tornado-debuginfo-6.5-5.oe2403sp3.aarch64.rpm python-tornado-debugsource-6.5-5.oe2403sp3.aarch64.rpm python-tornado-help-6.5-5.oe2403sp3.aarch64.rpm python3-tornado-6.5-5.oe2403sp3.aarch64.rpm python-tornado-debuginfo-6.5-5.oe2403sp3.x86_64.rpm python-tornado-debugsource-6.5-5.oe2403sp3.x86_64.rpm python-tornado-help-6.5-5.oe2403sp3.x86_64.rpm python3-tornado-6.5-5.oe2403sp3.x86_64.rpm When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect target changes origin. As a result, credentials intended for one origin can be forwarded to a different origin when follow_redirects=True, which is the default. Beginning in Tornado 6.5.6, SimpleAsyncHTTPClient matches the default behavior of libcurl (and therefore CurlAsyncHTTPClient): When a redirect changes the scheme, host, or port of the url, the Authorization and Cookie headers will be removed when following the redirect. 2026-06-24 CVE-2026-49853 openEuler-24.03-LTS-SP3 High 7.7 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N python-tornado security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2728 SummaryTornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.The behavior is reachable from Tornado's XSRF token decoder when `xsrf_cookies=True` and the native extension is active. ### MitigationsThis bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance). 2026-06-24 CVE-2026-49854 openEuler-24.03-LTS-SP3 Low 3.7 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N python-tornado security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2728 Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively unlimited amounts of memory if it is accessed via SimpleAsyncHTTPClient in its default configuration. HTTPServer is not affected in its default configuration, but it is if decompress_request=True is set. This bug is fixed in Tornado 6.5.6. max_body_size is now checked both for the compressed and cumulative decompressed size of the response. 2026-06-24 CVE-2026-49855 openEuler-24.03-LTS-SP3 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H python-tornado security update 2026-06-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2728