File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -14,12 +14,15 @@ Security fixes
1414 Wang](https://github.com/noobone123) for being first to report this issue, as well as additional
1515 reporters [Kai Aizen](https://github.com/SnailSploit), [HunSec](https://github.com/0xHunSec), and
1616 [Thai Son Dinh](https://github.com/sondt99).
17+ `CVE-2026-49853 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-3x9g-8vmp-wqvf >`_
1718- ``SimpleAsyncHTTPClient `` now enforces ``max_body_size `` on the decompressed size of the response,
1819 rather than the compressed size. This prevents a denial-of-service attack via a very large
1920 compressed response. Thanks to [Yuichiro Kedashiro](https://github.com/yuui25) for reporting this
2021 issue.
22+ `CVE-2026-49855 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-mgf9-4vpg-hj56 >`_
2123- Fixed a bug in the C extension that could have read up to three bytes past the end of an input
2224 array. Thanks to [Thai Son Dinh](https://github.com/sondt99) for reporting this issue.
25+ `CVE-2026-49854 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-cx3h-4qpv-8hc9 >`_
2326- ``OpenIDMixin `` has improved parsing for the ``check_authentication `` response. Thanks to
2427 [Yannick Wang](https://github.com/noobone123) for reporting this issue.
2528
You can’t perform that action at this time.
0 commit comments