Bump tornado & requests for sec advisories

What does this MR do and why?

Bump tornado to 6.4.1 for GHSA-753j-mpmx-qq6g & GHSA-w235-7p84-xx57
Bump requests to 2.32.0 for CVE-2024-35195

Resolves:

  • GHSA-753j-mpmx-qq6g Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado
  • GHSA-w235-7p84-xx57 Tornado has a CRLF injection in CurlAsyncHTTPClient headers
  • CVE-2024-35195 Requests Session object does not verify requests after making first request with verify=False

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • Have you checked this doesn't interfere/conflict/duplicate someone else's work?
  • Have you fully tested your changes?
  • Have you resolved any lint issues?
  • Have you assigned a reviewer?
  • Have you applied correct labels?
Edited by Iain Powrie