Debian released security updates for python-tornado and the GStreamer media plugins used across multiple distributions. The tornado update blocks attacks involving cookie injection and denial of service via multipart bodies. Meanwhile the GStreamer plugins address serious flaws where opening a malformed file could lead to code execution on the host machine.

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1672-1 python-tornado security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4520-1] python-tornado security update

Debian GNU/Linux 12 (Bookworm) and 13 (Trixie):
[DSA 6191-1] gst-plugins-ugly1.0 security update
[DSA 6190-1] gst-plugins-bad1.0 security update

[SECURITY] [DLA 4520-1] python-tornado security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4520-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
April 01, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-tornado
Version : 6.1.0-1+deb11u4
CVE ID : CVE-2026-31958
Debian Bug : 1130507 1132367

Tornado is a scalable, non-blocking Python web framework and
asynchronous networking library.

CVE-2026-31958

Introduce new limits on the size and complexity of multipart bodies,
including a default limit of 100 parts per request to mitigate a
possible DoS. It is also possible to disable parsing multipart/form-
data entirely if not required

GHSA-78cv-mqj4-43f7 (CVE not available yet)

Values passed to the domain, path, and samesite arguments of
RequestHandler.set_cookie are not completely validated. In
particular, semicolons are allowed, which could be used to inject
attacker-controlled values for other cookie attributes.

For Debian 11 bullseye, this problem has been fixed in version
6.1.0-1+deb11u4.

We recommend that you upgrade your python-tornado packages.

For the detailed security status of python-tornado please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-tornado

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

ELA-1672-1 python-tornado security update

Package : python-tornado
Version : 4.4.3-1+deb9u3 (stretch), 5.1.1-4+deb10u4 (buster)

Related CVEs :
CVE-2026-31958

Multiple vulnerabilities were discovered in python-tornado, a scalable,
non-blocking Python web framework and asynchronous networking library.
CVE-2026-31958
Introduce new limits on the size and complexity of multipart bodies,
including a default limit of 100 parts per request to mitigate a possible
DoS. It is also possible to disable parsing multipart/form-data entirely
if not required

GHSA-78cv-mqj4-43f7 (CVE not assigned yet)
Values passed to the domain, path, and samesite arguments of
RequestHandler.set_cookie are not completely validated. In particular,
semicolons are allowed, which could be used to inject attacker-controlled
values for other cookie attributes.

ELA-1672-1 python-tornado security update

[SECURITY] [DSA 6191-1] gst-plugins-ugly1.0 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6191-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 01, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gst-plugins-ugly1.0
CVE ID : CVE-2026-2920 CVE-2026-2922

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework and its codecs and demuxers, which may result in denial
of service or potentially the execution of arbitrary code if a malformed
media file is opened.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.22.0-2+deb12u2.

For the stable distribution (trixie), these problems have been fixed in
version 1.26.3-4+deb13u1.

We recommend that you upgrade your gst-plugins-ugly1.0 packages.

For the detailed security status of gst-plugins-ugly1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-ugly1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 6190-1] gst-plugins-bad1.0 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6190-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 01, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gst-plugins-bad1.0
CVE ID : CVE-2026-2923 CVE-2026-3081 CVE-2026-3082 CVE-2026-3084
CVE-2026-3086

Multiple multiple vulnerabilities were discovered in plugins for the
GStreamer media framework and its codecs and demuxers, which may result
in denial of service or potentially the execution of arbitrary code if
a malformed media file is opened.

For the oldstable distribution (bookworm), these problems have been fixed
in version 1.22.0-4+deb12u7.

For the stable distribution (trixie), these problems have been fixed in
version 1.26.2-3+deb13u1.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/