VULN UPGRADE: tornado (minor → 6.5.4) [python/tornado6-blog]

[campaigner-prod]

Summary: High-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

• python/tornado6-blog (pip)

Updates

Package	From	To	Type	Vulnerabilities Fixed
tornado	6.0.3	6.5.4	minor	2 HIGH, 4 MODERATE, 1 UNKNOWN

---

Security Details

🚨 Critical & High Severity (2 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
tornado	GHSA-7cx3-6m66-7c5m	HIGH	Tornado vulnerable to excessive logging caused by malformed multipart form data	6.0.3	6.5
tornado	GHSA-8w49-h785-mj3c	HIGH	Tornado has an HTTP cookie parsing DoS vulnerability	6.0.3	6.4.2

ℹ️ Other Vulnerabilities (5)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
tornado	GHSA-hj3f-6gcp-jg8j	MODERATE	Open redirect in Tornado	6.0.3	6.3.2
tornado	GHSA-qppv-j76h-2rpx	MODERATE	Tornado vulnerable to HTTP request smuggling via improper parsing of Content-Length fields and chunk lengths	6.0.3	6.3.3
tornado	GHSA-w235-7p84-xx57	MODERATE	Tornado has a CRLF injection in CurlAsyncHTTPClient headers	6.0.3	6.4.1
tornado	GHSA-753j-mpmx-qq6g	MODERATE	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado	6.0.3	6.4.1
tornado	PYSEC-2023-75	unknown	-	6.0.3	6.3.2

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
tornado	6.0.3	-	6.5.4	python/tornado6-blog/requirements.txt

---

Review Checklist

Enhanced review recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System