--- /dev/null
+What's new in Tornado 6.4.2
+===========================
+
+Nov 21, 2024
+------------
+
+Security Improvements
+~~~~~~~~~~~~~~~~~~~~~
+
+- Parsing of the cookie header is now much more efficient. The older algorithm sometimes had
+ quadratic performance which allowed for a denial-of-service attack in which the server would spend
+ excessive CPU time parsing cookies and block the event loop. This change fixes CVE-2024-7592.
\ No newline at end of file
# is zero for an official release, positive for a development branch,
# or negative for a release candidate or beta (after the base version
# number has been incremented)
-version = "6.4.1"
-version_info = (6, 4, 0, 1)
+version = "6.4.2"
+version_info = (6, 4, 2, 0)
import importlib
import typing
projects / thirdparty / tornado.git / commitdiff
