| author | Jiaying Song <jiaying.song.cn@windriver.com> | 2025-07-16 15:37:58 +0800 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-09-06 16:27:05 +0200 |
| commit | 78afe9d40cb41f9b7691b4ec4183ca442e70fb63 (patch) | |
| tree | 6618e6bd598b9ac16572b890908801e6e64a1fa1 /meta-python/recipes-devtools/python/python-pyroute2/import-simplejson-as-json.patch | |
| parent | 89b98ccbfb7c52577ebab7c4306c9fdb8aee81a6 (diff) | |
| download | meta-openembedded-78afe9d40cb41f9b7691b4ec4183ca442e70fb63.tar.gz | |
python3-aiohttp: fix CVE-2025-53643 and drop CVE-2024-42367 patch
- Fix CVE-2025-53643:
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and
Python. Prior to version 3.12.14, the Python parser is vulnerable to a
request smuggling vulnerability due to not parsing trailer sections of
an HTTP request. If a pure Python version of aiohttp is installed (i.e.
without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled,
then an attacker may be able to execute a request smuggling attack to
bypass certain firewalls or proxy protections. Version 3.12.14 contains
a patch for this issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-53643
- Drop CVE-2024-42367.patch:
According to upstream discussion and advisory [1][2], aiohttp 3.8.6 is
not affected by CVE-2024-42367, and the patch is therefore no longer
needed.
[1] https://github.com/advisories/GHSA-jwhx-xcg6-8xhj
[2] https://github.com/aio-libs/aiohttp/issues/11149
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python-pyroute2/import-simplejson-as-json.patch')
0 files changed, 0 insertions, 0 deletions