SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for python312-tornado6-6.4.1-security.52.23.x86_64.rpm :

* Wed Jul 31 2024 Dominique Leuenberger - Update to version 6.4.1: + Security Improvements: - Parsing of the ``Transfer-Encoding`` header is now stricter. Unexpected transfer-encoding values were previously ignored and treated as the HTTP/1.0 default of read-until-close. This can lead to framing issues with certain proxies. We now treat any unexpected value as an error. - Handling of whitespace in headers now matches the RFC more closely. Only space and tab characters are treated as whitespace and stripped from the beginning and end of header values. Other unicode whitespace characters are now left alone. This could also lead to framing issues with certain proxies. - `tornado.curl_httpclient` now prohibits carriage return and linefeed headers in HTTP headers (matching the behavior of `simple_httpclient`). These characters could be used for header injection or request smuggling if untrusted data were used in headers. + General Changes: - `tornado.iostream`: `SLIOStream` now understands changes to error codes from OpenSSL 3.2. The main result of this change is to reduce the noise in the logs for certain errors. - `tornado.simple_httpclient`: `simple_httpclient` now prohibits carriage return characters in HTTP headers. It had previously prohibited only linefeed characters. - `tornado.testing`: `.AsyncTestCase` subclasses can now be instantiated without being associated with a test method. Improves compatibility with test discovery in Pytest 8.2.- Drop support-pytest-8.2.patch: fixed upstream.- Drop openssl-3.2.patch: fixed upstream.
* Fri May 17 2024 Steve Kowalik - Add patch support-pytest-8.2.patch:
* Support pytest >= 8.2 changes.
* Thu Jan 11 2024 Daniel Garcia - Add patch openssl-3.2.patch gh#tornadoweb/tornado#3355
* Wed Jan 03 2024 Dirk Müller - update to 6.4:
* https://www.tornadoweb.org/en/stable/releases/v6.4.0.html
* Python 3.12 is now supported.- drop py312-datetime.patch (upstream)
* Thu Sep 21 2023 Markéta Machová - Update to 6.3.3
* The Content-Length header and chunked Transfer-Encoding sizes are now parsed more strictly (according to the relevant RFCs) to avoid potential request-smuggling vulnerabilities when deployed behind certain proxies.- Add py312-datetime.patch to fix build with Python 3.12
* Tue May 30 2023 Dan Čermák - New upstream release 6.3.2 (bsc#1211741, CVE-2023-28370) - Security improvements - Fixed an open redirect vulnerability in StaticFileHandler under certain configurations. - ``tornado.web`` - `.RequestHandler.set_cookie` once again accepts capitalized keyword arguments for backwards compatibility. This is deprecated and in Tornado 7.0 only lowercase arguments will be accepted. - What\'s new in Tornado 6.3.0 - The new `.Application` setting ``xsrf_cookie_name`` can now be used to take advantage of the ``__Host`` cookie prefix for improved security. To use it, add ``{\"xsrf_cookie_name\": \"__Host-xsrf\", \"xsrf_cookie_kwargs\": {\"secure\": True}}`` to your `.Application` settings. Note that this feature currently only works when HTTPS is used. - `.WSGIContainer` now supports running the application in a ``ThreadPoolExecutor`` so the event loop is no longer blocked. - `.AsyncTestCase` and `.AsyncHTTPTestCase`, which were deprecated in Tornado 6.2, are no longer deprecated. - WebSockets are now much faster at receiving large messages split into many fragments. - General changes - Python 3.7 is no longer supported; the minimum supported . Python version is 3.8 Python 3.12 is now supported . - To avoid spurious deprecation warnings, users of Python 3.10 should upgrade to at least version 3.10.9, and users of Python 3.11 should upgrade to at least version 3.11.1. - Tornado submodules are now imported automatically on demand. This means it is now possible to use a single ``import tornado`` statement and refer to objects in submodules such as `tornado.web.RequestHandler`. - Deprecation notices - In Tornado 7.0, `tornado.testing.ExpectLog` will match ``WARNING`` and above regardless of the current logging configuration, unless the ``level`` argument is used. - `.RequestHandler.get_secure_cookie` is now a deprecated alias for `.RequestHandler.get_signed_cookie`. `.RequestHandler.set_secure_cookie` is now a deprecated alias for `.RequestHandler.set_signed_cookie`. - `.RequestHandler.clear_all_cookies` is deprecated. No direct replacement is provided; `.RequestHandler.clear_cookie` should be used on individual cookies. - Calling the `.IOLoop` constructor without a ``make_current`` argument, which was deprecated in Tornado 6.2, is no longer deprecated. - `.AsyncTestCase` and `.AsyncHTTPTestCase`, which were deprecated in Tornado 6.2, are no longer deprecated. - `.AsyncTestCase.get_new_ioloop` is deprecated. - ``tornado.auth`` - New method `.GoogleOAuth2Mixin.get_google_oauth_settings` can now be overridden to get credentials from a source other than the `.Application` settings. - ``tornado.gen`` - `contextvars` now work properly when a ``AATTgen.coroutine`` calls a native coroutine. - ``tornado.options`` - `~.OptionParser.parse_config_file` now recognizes single comma-separated strings (in addition to lists of strings) for options with ``multiple=True``. - ``tornado.web`` - New `.Application` setting ``xsrf_cookie_name`` can be used to change the name of the XSRF cookie. This is most useful to take advantage of the ``__Host-`` cookie prefix. - `.RequestHandler.get_secure_cookie` and `.RequestHandler.set_secure_cookie` (and related methods and attributes) have been renamed to `~.RequestHandler.get_signed_cookie` and `~.RequestHandler.set_signed_cookie`. This makes it more explicit what kind of security is provided, and avoids confusion with the ``Secure`` cookie attribute and ``__Secure-`` cookie prefix. The old names remain supported as deprecated aliases. - `.RequestHandler.clear_cookie` now accepts all keyword arguments accepted by `~.RequestHandler.set_cookie`. In some cases clearing a cookie requires certain arguments to be passed the same way in which it was set. - `.RequestHandler.clear_all_cookies` now accepts additional keyword arguments for the same reason as ``clear_cookie``. However, since the requirements for additional arguments mean that it cannot reliably clear all cookies, this method is now deprecated. - ``tornado.websocket`` - It is now much faster (no longer quadratic) to receive large messages that have been split into many fragments. - `.websocket_connect` now accepts a ``resolver`` parameter. - ``tornado.wsgi`` - `.WSGIContainer` now accepts an ``executor`` parameter which can be used to run the WSGI application on a thread pool. - What\'s new in Tornado 6.2.0 - Deprecation notice - Python 3.10 has begun the process of significant changes to the APIs for managing the event loop. Calls to methods such as `asyncio.get_event_loop` may now raise `DeprecationWarning` if no event loop is running. This has significant impact on the patterns for initializing applications, and in particular invalidates patterns that have long been the norm in Tornado\'s documentation and actual usage. In the future (with some as-yet-unspecified future version of Python), the old APIs will be removed. The new recommended pattern is to start the event loop with `asyncio.run`. More detailed migration guides will be coming in the future. - The `.IOLoop` constructor is deprecated unless the ``make_current=False`` argument is used. Use `.IOLoop.current` when the loop is already running instead. - `.AsyncTestCase` (and `.AsyncHTTPTestCase`) are deprecated. Use `unittest.IsolatedAsyncioTestCase` instead. - Multi-process `.TCPServer.bind`/`.TCPServer.start` is deprecated. See `.TCPServer` docs for supported alternatives. - `.AnyThreadEventLoopPolicy` is deprecated. This class controls the creation of the \"current\" event loop so it will be removed when that concept is no longer supported. - `.IOLoop.make_current` and `.IOLoop.clear_current` are deprecated. In the future the concept of a \"current\" event loop as distinct from one that is currently running will be removed. - ``TwistedResolver`` and ``CaresResolver`` are deprecated and will be removed in Tornado 7.0. - General changes - The minimum supported Python version is now 3.7. - Wheels are now published with the Python stable ABI (``abi3``) for compatibility across versions of Python. - SSL certificate verfication and hostname checks are now enabled by default in more places (primarily in client-side usage of `.SSLIOStream`). - Various improvements to type hints throughout the package. - CI has moved from Travis and Appveyor to Github Actions. - `tornado.gen` - Fixed a bug in which ``WaitIterator.current_index`` could be incorrect. - ``tornado.gen.TimeoutError``` is now an alias for `asyncio.TimeoutError`. - `tornado.http1connection` - ``max_body_size`` may now be set to zero to disallow a non-empty body. - ``Content-Encoding: gzip`` is now recognized case-insensitively. - `tornado.httpclient` - ``curl_httpclient`` now supports non-ASCII (ISO-8859-1) header values, same as ``simple_httpclient``. - `tornado.ioloop` - `.PeriodicCallback` now understands coroutines and will not start multiple copies if a previous invocation runs too long. - `.PeriodicCallback` now accepts `datetime.timedelta` objects in addition to numbers of milliseconds. - Avoid logging \"Event loop is closed\" during shutdown-related race conditions. - Tornado no longer calls `logging.basicConfig` when starting an IOLoop; this has been unnecessary since Python 3.2 added a logger of last resort. - The `.IOLoop` constructor now accepts an ``asyncio_loop`` keyword argument to initialize with a specfied asyncio event loop. - It is now possible to construct an `.IOLoop` on one thread (with ``make_current=False``) and start it on a different thread. - `tornado.iostream` - `.SSLIOStream` now supports reading more than 2GB at a time. - ``IOStream.write`` now supports typed `memoryview` objects. - `tornado.locale` - `.load_gettext_translations` no longer logs errors when language directories exist but do not contain the expected file. - `tornado.netutil` - `.is_valid_ip` no longer raises exceptions when the input is too long. - The default resolver now uses the same methods (and thread pool) as `asyncio`. - `tornado.tcpserver` - `.TCPServer.listen` now supports more arguments to pass through to `.netutil.bind_sockets`. - `tornado.testing` - `.bind_unused_port` now takes an optional ``address`` argument. - Wrapped test methods now include the ``__wrapped__`` attribute. - `tornado.web` - When using a custom `.StaticFileHandler` subclass, the ``reset()`` method is now called on this subclass instead of the base class. - Improved handling of the ``Accept-Language`` header. - `.Application.listen` now supports more arguments to pass through to `.netutil.bind_sockets`. - `tornado.websocket` - `.WebSocketClientConnection.write_message` now accepts `dict` arguments for consistency with `.WebSocketHandler.write_message`. - `.WebSocketClientConnection.write_message` now raises an exception as documented if the connection is already closed.- Gave rpmlint a hug- Remove upstreamed ignore-py310-deprecation-warnings.patch
* Fri Apr 21 2023 Dirk Müller - add sle15_python_module_pythons (jsc#PED-68)
* Fri Aug 19 2022 Dirk Müller - update to 6.2:
* https://www.tornadoweb.org/en/stable/releases/v6.2.0.html- drop remove-multiheader-http-test.patch (upstream)
* Thu Apr 28 2022 Steve Kowalik - Add patch remove-multiheader-http-test.patch:
* Do not test multi-line headers.
* Sat Dec 11 2021 Ben Greiner - Filter Python 3.10 deprecation warnings during testing
* ignore-py310-deprecation-warnings.patch
* gh#tornadoweb/tornado#3033
* Thu Aug 05 2021 Ben Greiner - Remove exec bits from demos: fix boo#1189066- Add python-tornado6-rpmlintrc for empty JS resource in demo
* Mon Feb 08 2021 Ben Greiner - back to version 6.1. Tornado pin in distributed is removed.- Dear bot, here are the patch names:
* re-drop python-tornado6-httpclient-test.patch
* re-drop skip-failing-tests.patch
* re-drop tornado-testsuite_timeout.patch
* refreshed ignore-resourcewarning-doctests.patch
* Sun Feb 07 2021 Matej Cepl - Revert back to 6.0.4 for incompatibility with python-distributed.- Adds back patches:
* python-tornado6-httpclient-test.patch
* skip-failing-tests.patch
* tornado-testsuite_timeout.patch
* Sat Jan 30 2021 Ben Greiner - Update to version 6.1.0
* Full changelog can be found at https://www.tornadoweb.org/en/stable/releases/v6.1.0.html- Drop patches not applying anymore.
* python-tornado6-httpclient-test.patch
* skip-failing-tests.patch
* tornado-testsuite_timeout.patch- Refresh and comment ignore-resourcewarning-doctests.patch- Fix documentation deduplication
 
ICM