[GHSA-7cx3-6m66-7c5m] Tornado vulnerable to excessive logging caused by malformed multipart form data

[zvxr]

Updates

• Affected products
• Description

Comments
The version is incorrect-- this was fixed in 6.4.2: GHSA-8w49-h785-mj3c

[github]

Hi there @bdarnell! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[bdarnell]

It looks like you've got two security advisories mixed up. This PR is for GHSA-7cx3-6m66-7c5m, the multipart/form-data parsing issue, which was fixed in 6.5.0. GHSA-8w49-h785-mj3c is the quadratic cookie parsing issue, which was fixed in 6.4.2.

The original advisory is correct and this PR should be closed.

[helixplant]

Hi @zvxr,
As @bdarnell said, GHSA-8w49-h785-mj3c and GHSA-7cx3-6m66-7c5m are two separate vulnerabilities which is why they have different ranges listed for affected and patched versions. Therefore, I'm closing the community contribution pull request.