Advisories » MGASA-2026-0216

Updated python-tornado packages fix security vulnerabilities

Publication date: 17 Jun 2026
Modification date: 17 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-31958 , CVE-2026-35536

Description

Tornado has a DoS due to too many multipart parts. (CVE-2026-31958)
In Tornado, cookie attribute injection could occur because the domain,
path, and samesite arguments to .RequestHandler.set_cookie were not
checked for crafted characters. (CVE-2026-35536)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=35420
• https://ubuntu.com/security/notices/USN-8198-1
• https://www.cve.org/CVERecord?id=CVE-2026-31958
• https://www.cve.org/CVERecord?id=CVE-2026-35536

SRPMS

9/core

• python-tornado-6.3.2-1.4.mga9