SUSE-SU-2026:20028-1

This update for python-tornado6 fixes the following issues:

• CVE-2025-67724: unescaped reason argument used in HTTP headers and in HTML default error pages can be used by attackers to launch header injection or XSS attacks (bsc#1254903).
• CVE-2025-67725: quadratic complexity of string concatenation operations used by the HTTPHeaders.add method can lead o DoS when processing a maliciously crafted HTTP request (bsc#1254905).
• CVE-2025-67726: quadratic complexity algorithm used in the _parseparam function of httputil.py can lead to DoS when processing maliciously crafted parameters in a Content-Disposition header (bsc#1254904).