Final release notes for 6.5.0

bdarnell · bdarnell · commit 3623024dfc36 · 2025-05-15T16:14:09.000-04:00
diff --git a/docs/releases/v6.5.0.rst b/docs/releases/v6.5.0.rst
@@ -1,22 +1,32 @@
 What's new in Tornado 6.5.0
 ===========================
 
-In progress
------------
+May 15, 2025
+------------
+
+Security Improvements
+~~~~~~~~~~~~~~~~~~~~~
+
+- Previously, malformed ``multipart-form-data`` requests could log multiple warnings and
+  constitute a denial-of-service attack. Now an exception is raised at the first error, so there
+  is only one log message per request. This fixes
+  `CVE-2025-47287 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m>`_.
 
 General Changes
 ~~~~~~~~~~~~~~~
 
 - Python 3.14 is now supported. Older versions of Tornado will work on Python 3.14 but may log
   deprecation warnings.
+- The free-threading mode of Python 3.13 is now supported on an experimental basis. Prebuilt
+  wheels are not yet available for this configuration, but it can be built from source.
 - The minimum supported Python version is 3.9.
 
 Deprecation Notices
 ~~~~~~~~~~~~~~~~~~~
 
 - Support for ``obs-fold`` continuation lines in HTTP headers is deprecated and will be removed in
   Tornado 7.0, as is the use of carriage returns without line feeds as header separators.
-- The ``callback`` argument to ``websocket_connect`` is deprecated and will be removed in
+- The ``callback`` argument to `.websocket_connect` is deprecated and will be removed in
   Tornado 7.0. Note that ``on_message_callback`` is not deprecated.
 - The ``log_message`` and ``args`` attributes of `tornado.web.HTTPError` are deprecated. Use the
   new ``get_message`` method instead.
@@ -38,8 +48,8 @@ Type Annotation Changes
 - `.RequestHandler.get_cookie` now has more accurate types.
 - The return type of `.UIModule.render` may now be either `str` or `bytes`.
 
-``tornado.httputil``
-~~~~~~~~~~~~~~~~~~~~
+`tornado.httputil`
+~~~~~~~~~~~~~~~~~~
 
 - Support for ``obs-fold`` continuation lines in HTTP headers is deprecated and will be removed in
   Tornado 7.0, as is the use of carriage returns without line feeds as header separators.
@@ -53,14 +63,20 @@ Type Annotation Changes
   error to send more than one ``Host`` header, or to omit a ``Host`` header for a request that is
   not using HTTP/1.0.
 
-``tornado.netutil``
-~~~~~~~~~~~~~~~~~~~
+`tornado.ioloop`
+~~~~~~~~~~~~~~~~
 
-- ``.bind_unix_socket`` now supports the Linux abstract namespace.
+- Fixed a bug in which `contextvars` that were set when the event loop was created were not
+  available inside the event loop on Windows.
 
+`tornado.netutil`
+~~~~~~~~~~~~~~~~~
 
-``tornado.platform.twisted``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+- `.bind_unix_socket` now supports the Linux abstract namespace.
+
+
+`tornado.platform.twisted`
+~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 - ``TwistedResolver`` has been deleted. It was already deprecated and scheduled for removal
   in Tornado 7.0, but due to the adoption of RFC 8482 it no longer works for most
@@ -70,19 +86,19 @@ Type Annotation Changes
   and it is also deprecated. Most users should switch to the default resolver, which uses
   threads.
 
-``tornado.web``
-~~~~~~~~~~~~~~~
+`tornado.web`
+~~~~~~~~~~~~~
 
 - The set of characters allowed in (outgoing) HTTP headers now matches the RFCs. Specifically, tab
   characters are now allowed and DEL is not.
 - Invalid ``If-Modified-Since`` headers are now ignored instead of causing a 500 error.
-- ``%`` characters in the log message of ``tornado.web.HTTPError`` are no longer doubled when no
+- ``%`` characters in the log message of `tornado.web.HTTPError` are no longer doubled when no
   additional arguments are passed. This matches the behavior of `logging.LogRecord`. A new method
   ``get_message`` has been added to ``HTTPError`` to allow access to the fully-substituted message;
   directly accessing ``log_message`` and ``args`` is deprecated.
 
-``tornado.websocket``
-~~~~~~~~~~~~~~~~~~~~~
+`tornado.websocket`
+~~~~~~~~~~~~~~~~~~~
 
 - Some bugs involving ``ping_interval`` and ``ping_timeout`` have been fixed. Setting the
   ``ping_timeout`` greater than the ``ping_interval`` is no longer supported. The default
diff --git a/tornado/__init__.py b/tornado/__init__.py
@@ -22,8 +22,8 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "6.5b1"
-version_info = (6, 5, 0, -99)
+version = "6.5"
+version_info = (6, 5, 0, 0)
 
 import importlib
 import typing
