Explore Latest Linux Security advisories

SUSE Linux Micro: 2025:20096-1 moderate: python-tornado6 cookie parsing

# Security update for python-tornado6

Announcement ID: SUSE-SU-2025:20096-1
Release Date: 2025-02-03T09:13:20Z
Rating: moderate
References:
  * bsc#1233668
Cross-References:
  * CVE-2024-52804
CVSS scores:
  * CVE-2024-52804 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2024-52804 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2024-52804 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  * SUSE Linux Micro 6.0

An update that solves one vulnerability can now be installed.

## Description:

This update for python-tornado6 fixes the following issues:

* CVE-2024-52804: Avoid quadratic performance of cookie parsing (bsc#1233668).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Linux Micro 6.0
  zypper in -t patch SUSE-SLE-Micro-6.0-141=1

## Package List:

* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  * python311-tornado6-debuginfo-6.4-2.1
  * python-tornado6-debugsource-6.4-2.1
  * python311-tornado6-6.4-2.1

## References:

* https://www.suse.com/security/cve/CVE-2024-52804.html
* https://bugzilla.suse.com/show_bug.cgi?id=1233668

Summary: SUSE Linux Micro has launched an update to rectify a cookie parsing vulnerability related to python-tornado6, categorized with a moderate severity level.
Tags: SUSE Linux Micro, python-tornado6, security advisory, cookie parsing, update.
LinuxSecurity.com Team

Jun 04, 2025 | SuSE

Fedora 41: 2025-db6e9bb7fb low: python-tornado cookie parsing DoS

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-db6e9bb7fb
2025-05-31 01:33:18.712928+00:00
--------------------------------------------------------------------------------

Name        : python-tornado
Product     : Fedora 41
Version     : 6.3.3
Release     : 9.fc41
URL         : https://www.tornadoweb.org/en/stable/
Summary     : Scalable, non-blocking web server and tools
Description :
Tornado is an open source version of the scalable, non-blocking web server and tools. The framework is distinct from most mainstream web server frameworks (and certainly most Python frameworks) because it is non-blocking and reasonably fast. Because it is non-blocking and uses epoll, it can handle thousands of simultaneous standing connections, which means it is ideal for real-time web services.
--------------------------------------------------------------------------------
Update Information:

This contains the backported fix for CVE-2024-52804 (cookie parsing DoS vuln)
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 20 2025 Robby Callicotte - 6.3.3-9
- Backported fix for CVE-2024-52804
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2328101 - CVE-2024-52804 python-tornado: Tornado has HTTP cookie parsing DoS vulnerability [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2328101
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-db6e9bb7fb' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Summary: Updated python-tornado addresses a cookie parsing vulnerability in Fedora 41, enhancing both security and reliability.
Tags: python tornado update, Fedora security fix, DoS prevention, software backport.
Severity: Low
LinuxSecurity.com Team

May 31, 2025 | Low | Fedora

Debian 9.4.50-4: DSA-5507-1 Moderate: Jetty9 Cookie Parsing Flaw

-------------------------------------------------------------------------
Debian Security Advisory DSA-5507-1
https://www.debian.org/security/                         Markus Koschany
September 28, 2023                   https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : jetty9
CVE ID         : CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167 CVE-2023-41900

Multiple security vulnerabilities were found in Jetty, a Java based web server and servlet engine.

The org.eclipse.jetty.servlets.CGI class has been deprecated. It is potentially unsafe to use it. The upstream developers of Jetty recommend to use Fast CGI instead. See also CVE-2023-36479.

CVE-2023-26048

    In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk.

CVE-2023-26049

    Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.

CVE-2023-40167

    Prior to this version Jetty accepted the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response.

CVE-2023-36479

    Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one.

CVE-2023-41900

    Jetty is vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users.

For the oldstable distribution (bullseye), these problems have been fixed in version 9.4.39-3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in version 9.4.50-4+deb12u1.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/jetty9

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Summary: Several vulnerabilities in Tomcat necessitate immediate patches to ensure user protection and system reliability. Update advised.
Tags: Java Server Security, Jetty Update, Debian Security Advisory, Web Server Threats, Servlet Vulnerabilities.
LinuxSecurity.com Team

Sep 28, 2023 | Debian

Debian: DSA-5471-2 Important: Python-Django Security Flaw Notification

-------------------------------------------------------------------------
Debian Security Advisory DSA-5470-1
https://www.debian.org/security/                    Salvatore Bonaccorso
August 06, 2023                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : python-werkzeug
CVE ID         : CVE-2023-23934 CVE-2023-25577
Debian Bug     : 1031370

Several vulnerabilities were discovered in python-werkzeug, a collection of utilities for WSGI applications.

CVE-2023-23934

    It was discovered that Werkzeug did not properly handle the parsing of nameless cookies which may allow shadowing of other cookies.

CVE-2023-25577

    It was discovered that Werkzeug could parse unlimited number of parts, including file parts, which may result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in version 1.0.1+dfsg1-2+deb11u1.

We recommend that you upgrade your python-werkzeug packages.

For the detailed security status of python-werkzeug please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/python-werkzeug

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Summary: Update the python-werkzeug package on Debian to mitigate several security vulnerabilities, including potential denial of service and vulnerabilities in cookie parsing mechanisms.
Tags: Debian Security Advisory, python-werkzeug update, WSGI application security.
Severity: Important
LinuxSecurity.com Team

Aug 06, 2023 | Important | Debian

Fedora 24: Updated python-tornado for Critical XSRF Issues

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2016-a3618d9ef6
2016-12-12 20:34:17.077213
--------------------------------------------------------------------------------

Name        : python-tornado
Product     : Fedora 24
Version     : 4.4.2
Release     : 1.fc24
URL         : https://www.tornadoweb.org/en/stable/
Summary     : Scalable, non-blocking web server and tools
Description :
Tornado is an open source version of the scalable, non-blocking web server and tools. The framework is distinct from most mainstream web server frameworks (and certainly most Python frameworks) because it is non-blocking and reasonably fast. Because it is non-blocking and uses epoll, it can handle thousands of simultaneous standing connections, which means it is ideal for real-time web services.
--------------------------------------------------------------------------------
Update Information:

Update to 4.4.2

Security fixes

* A difference in cookie parsing between Tornado and web browsers (especially when combined with Google Analytics) could allow an attacker to set arbitrary cookies and bypass XSRF protection. The cookie parser has been rewritten to fix this attack.

Backwards-compatibility notes

* Cookies containing certain special characters (in particular semicolon and square brackets) are now parsed differently.
* If the cookie header contains a combination of valid and invalid cookies, the valid ones will be returned (older versions of Tornado would reject the entire header for a single invalid cookie).

See also https://www.tornadoweb.org/en/stable/releases/v4.4.0.html
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1399570 - python-tornado: XSRF protection bypass via cookie parsing differences
        https://bugzilla.redhat.com/show_bug.cgi?id=1399570
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade python-tornado' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Summary: Essential patch resolving CSRF safety vulnerabilities in python-tornado for Fedora 24, incorporating alternative cookie handling techniques.
Tags: python-tornado Security Fix, Fedora Software Update, XSRF Protection Improvement.
Severity: Critical
LinuxSecurity.com Team

Dec 13, 2016 | Critical | Fedora

Fedora: python-tornado 4.4.2 moderate: XSRF Cookie Parsing Update

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2016-24478a88fe
2016-11-26 21:26:03.994850
--------------------------------------------------------------------------------

Name        : python-tornado
Product     : Fedora 25
Version     : 4.4.2
Release     : 1.fc25
URL         : https://www.tornadoweb.org/en/stable/
Summary     : Scalable, non-blocking web server and tools
Description :
Tornado is an open source version of the scalable, non-blocking web server and tools. The framework is distinct from most mainstream web server frameworks (and certainly most Python frameworks) because it is non-blocking and reasonably fast. Because it is non-blocking and uses epoll, it can handle thousands of simultaneous standing connections, which means it is ideal for real-time web services.
--------------------------------------------------------------------------------
Update Information:

Update to 4.4.2:

Security fixes

* A difference in cookie parsing between Tornado and web browsers (especially when combined with Google Analytics) could allow an attacker to set arbitrary cookies and bypass XSRF protection. The cookie parser has been rewritten to fix this attack.

Backwards-compatibility notes

* Cookies containing certain special characters (in particular semicolon and square brackets) are now parsed differently.
* If the cookie header contains a combination of valid and invalid cookies, the valid ones will be returned (older versions of Tornado would reject the entire header for a single invalid cookie).
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade python-tornado' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Summary: Enhance the Python Tornado framework to version 4.4.2, resolving cookie interpretation challenges and fortifying XSRF defenses.
Tags: Fedora Security Update, Python Tornado, XSRF Protection, Cookie Parsing, Security Fixes.
LinuxSecurity.com Team

Nov 26, 2016 | Fedora