Bump version to 6.4.2

2024-11-21 16:26:44 -05:00 · 2024-11-21 16:26:44 -05:00 · a5ecfab15e
parent bc7df6bafd
commit a5ecfab15e
3 changed files with 15 additions and 2 deletions
--- a/docs/releases.rst
+++ b/docs/releases.rst
@ -4,6 +4,7 @@ Release notes
 .. toctree::
   :maxdepth: 2

+   releases/v6.4.2
   releases/v6.4.1
   releases/v6.4.0
   releases/v6.3.3
--- a/docs/releases/v6.4.2.rst
+++ b/docs/releases/v6.4.2.rst
@ -0,0 +1,12 @@
+What's new in Tornado 6.4.2
+===========================
+
+Nov 21, 2024
+------------
+
+Security Improvements
+~~~~~~~~~~~~~~~~~~~~~
+
+- Parsing of the cookie header is now much more efficient. The older algorithm sometimes had
+  quadratic performance which allowed for a denial-of-service attack in which the server would spend
+  excessive CPU time parsing cookies and block the event loop. This change fixes CVE-2024-7592.
--- a/tornado/init.py
+++ b/tornado/init.py
@ -22,8 +22,8 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "6.4.1"
-version_info = (6, 4, 0, 1)
+version = "6.4.2"
+version_info = (6, 4, 2, 0)

 import importlib
 import typing