
Bug 944393

Summary: <dev-python/tornado-6.4.2: ReDoS in cookie parsing
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 944394
Bug Blocks:

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-11-22 06:21:15 UTC
+- Parsing of the cookie header is now much more efficient. The older algorithm sometimes had
+  quadratic performance which allowed for a denial-of-service attack in which the server would spend
+  excessive CPU time parsing cookies and block the event loop. This change fixes CVE-2024-7592.
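Review bot: the identifier on the last line, CVE-2024-7592, is the one the reporter notes was assigned to CPython's cookie parsing issue, so this release note credits the tornado fix to another project's CVE; it should cite tornado's own advisory identifier, or say explicitly that the fix addresses the same class of quadratic unquoting as CPython's CVE-2024-7592, so that downstream packagers do not treat the two as one vulnerability.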

Apparently they've reused CPython's CVE.
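The release note quoted above describes the failure mode but not the mechanism. The following is an added example, not tornado's or CPython's code: `unquote_quadratic` is modelled on the loop structure of the pre-fix CPython `http.cookies._unquote` routine (reconstructed from memory, so treat its exact details as an assumption), `unquote_linear` is a single-pass rewrite, and `parse_cookie_header` and `dos_vector` are constructed helpers that show where the client-controlled value enters. Run the file to see the quadratic version's time quadruple every time the input doubles while the linear one stays flat.

```python
"""Quadratic vs. linear cookie-value unquoting (added example, not project code)."""
import re
import time
from typing import Callable, Dict

_OCTAL = re.compile(r"\\[0-3][0-7][0-7]")  # \ooo escape (three octal digits)
_QUOTE = re.compile(r"[\\].")              # \x escape ('.' does not match newline)


def unquote_quadratic(value: str) -> str:
    """Reconstruction of the pre-fix algorithm (assumption, see lead-in).

    Every loop iteration re-runs BOTH regex searches from position i to the
    end of the string.  If one of them never matches, that search rescans the
    whole remaining tail on every iteration: O(n) per escape, O(n^2) overall.
    """
    if value is None or len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    body = value[1:-1]
    i, n = 0, len(body)
    out = []
    while 0 <= i < n:
        o_match = _OCTAL.search(body, i)   # rescans the tail each time
        q_match = _QUOTE.search(body, i)
        if not o_match and not q_match:
            out.append(body[i:])
            break
        j = o_match.start(0) if o_match else -1
        k = q_match.start(0) if q_match else -1
        if q_match and (not o_match or k < j):
            out.append(body[i:k])
            out.append(body[k + 1])
            i = k + 2
        else:
            out.append(body[i:j])
            out.append(chr(int(body[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(out)


def unquote_linear(value: str) -> str:
    """Single left-to-right pass: each character is examined once (O(n)).

    Produces the same output as unquote_quadratic, including its quirks:
    a backslash before a newline or at the very end is kept literally.
    """
    if value is None or len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    body = value[1:-1]
    i, n = 0, len(body)
    out = []
    while i < n:
        c = body[i]
        if c != "\\":
            out.append(c)
            i += 1
        elif (i + 4 <= n and body[i + 1] in "0123"
              and body[i + 2] in "01234567" and body[i + 3] in "01234567"):
            out.append(chr(int(body[i + 1:i + 4], 8)))   # \ooo
            i += 4
        elif i + 1 < n and body[i + 1] != "\n":
            out.append(body[i + 1])                       # \x -> x
            i += 2
        else:
            out.append("\\")                              # lone trailing backslash
            i += 1
    return "".join(out)


def parse_cookie_header(header: str, unquote: Callable[[str], str]) -> Dict[str, str]:
    """Minimal Cookie header splitter (constructed for this example): split on
    ';', then on the first '=', and hand each value to `unquote`.  Real parsers
    do more, but this is enough to show that the unquoter's running time is
    chosen entirely by whoever sends the header."""
    cookies: Dict[str, str] = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if "=" not in chunk:
            continue
        name, _, raw = chunk.partition("=")
        cookies[name.strip()] = unquote(raw.strip())
    return cookies


def dos_vector(pairs: int) -> str:
    """Quoted value of `pairs` '\\a' escapes: quoted, so unquoting runs, and with
    no octal escape, so the octal search fails and rescans the tail each time."""
    return '"' + "\\a" * pairs + '"'


def time_unquote(unquote: Callable[[str], str], pairs: int) -> float:
    """Seconds spent unquoting dos_vector(pairs) with the given unquoter."""
    value = dos_vector(pairs)
    start = time.perf_counter()
    unquote(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    for pairs in (2_000, 4_000, 8_000):
        q = time_unquote(unquote_quadratic, pairs)
        lin = time_unquote(unquote_linear, pairs)
        print(f"{pairs:6d} escapes: quadratic {q:8.4f}s   linear {lin:8.4f}s")
```

In an asyncio-style server such as tornado the unquoting runs on the event loop thread, so a single request carrying a value like `dos_vector(100_000)` blocks every other connection for as long as the quadratic loop takes; the linear rewrite bounds that cost by the header size limit the server already enforces.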
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-12-12 12:27:44 UTC
cleanup done.