Your message dated Fri, 26 Sep 2025 21:06:07 +0000
with message-id <[email protected]>
and subject line Bug#1109336: fixed in python-aiohttp 3.12.15-1
has caused the Debian Bug report #1109336,
regarding python-aiohttp: CVE-2025-53643
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109336: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109336
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-aiohttp
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for python-aiohttp.
CVE-2025-53643[0]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.12.14, the Python parser is
| vulnerable to a request smuggling vulnerability due to not parsing
| trailer sections of an HTTP request. If a pure Python version of
| aiohttp is installed (i.e. without the usual C extensions) or
| AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to
| execute a request smuggling attack to bypass certain firewalls or
| proxy protections. Version 3.12.14 contains a patch for this issue.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj
https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a
(v3.12.14)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-53643
https://www.cve.org/CVERecord?id=CVE-2025-53643
Please adjust the affected versions in the BTS as needed.
--- End Message ---
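An exposure check for the two conditions named in the CVE text above (release older than 3.12.14, and the pure-Python parser in use), added here as an example and not part of the original messages or of aiohttp itself. The function names are illustrative; the module name `aiohttp._http_parser` and the handling of `AIOHTTP_NO_EXTENSIONS` are assumptions labelled in the comments.

```python
import importlib.util
import os
import re
from importlib import metadata

FIXED = (3, 12, 14)  # first upstream release carrying the patch, per the CVE text


def parse_upstream(version):
    """Numeric upstream release from a PyPI or Debian version string."""
    # Drop a Debian epoch ("1:") and revision ("-1+b1") if present.
    upstream = version.split(":", 1)[-1].split("-", 1)[0]
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", upstream)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def assess(version, c_parser_available, no_extensions_env):
    """Classify one installation against the two conditions in the CVE text."""
    if parse_upstream(version) >= FIXED:
        return "patched"
    # Assumption: any non-empty AIOHTTP_NO_EXTENSIONS value selects the Python parser.
    uses_python_parser = bool(no_extensions_env) or not c_parser_available
    # A distro backport keeps an older upstream number, so "exposed" here means
    # "check the package changelog for the CVE id", not proof of vulnerability.
    return "exposed" if uses_python_parser else "unpatched-c-parser"


def local_state():
    """Gather assess() inputs from this interpreter; None if aiohttp is absent."""
    try:
        version = metadata.version("aiohttp")
        # Assumption: the compiled parser ships as the module aiohttp._http_parser.
        spec = importlib.util.find_spec("aiohttp._http_parser")
    except (ImportError, ValueError):
        return None
    return version, spec is not None, os.environ.get("AIOHTTP_NO_EXTENSIONS", "")


if __name__ == "__main__":
    state = local_state()
    print("aiohttp not installed" if state is None else assess(*state))
```

A result of "unpatched-c-parser" still calls for the upgrade, since setting AIOHTTP_NO_EXTENSIONS later would switch that installation to the Python parser.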
--- Begin Message ---
Source: python-aiohttp
Source-Version: 3.12.15-1
Done: Edward Betts <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-aiohttp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Edward Betts <[email protected]> (supplier of updated python-aiohttp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Sep 2025 19:15:20 +0000
Source: python-aiohttp
Architecture: source
Version: 3.12.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Edward Betts <[email protected]>
Closes: 1109336
Changes:
python-aiohttp (3.12.15-1) unstable; urgency=medium
.
* Team upload.
* New upstream release.
- CVE-2025-53643: Fix request smuggling vulnerability (closes: #1109336).
* Remove 'Rules-Requires-Root: no', now the default.
* Refresh patches.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---