git.ipfire.org Git - thirdparty/tornado.git/commitdiff
Release notes and version bump for v6.5.5
author: Ben Darnell <ben@bendarnell.com>
Tue, 10 Mar 2026 17:00:44 +0000 (13:00 -0400)
committer: Ben Darnell <ben@bendarnell.com>
Wed, 11 Mar 2026 00:58:27 +0000 (20:58 -0400)
docs/releases.rst
docs/releases/v6.5.5.rst [new file with mode: 0644]

index 23502c2fec44a95c24f86dfb4aa3b317aa541e6e..da95c9917de4a4facf7079c334cba02ab929f440 100644 (file)
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v6.5.5
    releases/v6.5.4
    releases/v6.5.3
    releases/v6.5.2
diff --git a/docs/releases/v6.5.5.rst b/docs/releases/v6.5.5.rst
new file mode 100644 (file)
index 0000000..87cc9ff
--- /dev/null
@@ -0,0 +1,19 @@
+What's new in Tornado 6.5.5
+===========================
+
+Mar 10, 2026
+------------
+
+Security fixes
+~~~~~~~~~~~~~~
+
+- ``multipart/form-data`` requests are now limited to 100 parts by default, to prevent a
+  denial-of-service attack via very large requests with many parts. This limit is configurable
+  via `tornado.httputil.ParseMultipartConfig`. Multipart parsing can also be disabled completely
+  if not required for the application. Thanks to [0x-Apollyon](https://github.com/0x-Apollyon) and
+  [bekkaze](https://github.com/bekkaze) for reporting this issue.
+- The ``domain``, ``path``, and ``samesite`` arguments to `.RequestHandler.set_cookie` are now
+  validated for illegal characters, which could be abused to inject other attributes on the cookie.
+  Thanks to Dhiral Vyas (Praetorian) for reporting this issue.
+- Carriage return characters are no longer accepted in ``multipart/form-data`` headers. Thanks to 
+  [sergeykochanov](https://github.com/sergeykochanov) for reporting this issue.
\ No newline at end of file
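Review bot: the three `[name](https://github.com/...)` references in the new v6.5.5.rst are Markdown link syntax and will render as literal brackets in reStructuredText; in RST a named hyperlink is written as `` `0x-Apollyon <https://github.com/0x-Apollyon>`_ `` (and likewise for `bekkaze` and `sergeykochanov`). Two smaller points in the same hunk: the "Thanks to " line in the third bullet carries trailing whitespace, and the file is missing its final newline (the `\ No newline at end of file` marker). On content, the first bullet says multipart parsing "can also be disabled completely" but does not say which setting does it; naming the option that controls this, alongside the `ParseMultipartConfig` reference, would let operators who never accept uploads act on the advisory. The third bullet would also benefit from one sentence on the observable behaviour for a request whose multipart headers contain a carriage return (how the server responds), since that is what anyone writing a detection or triaging a sudden rise in rejected requests after upgrading will look for. If CVE identifiers are assigned for any of these fixes, linking them from the corresponding bullet will make the note discoverable from vulnerability feeds.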