Your message dated Mon, 30 Dec 2024 00:57:26 +0000
with message-id <[email protected]>
and subject line Bug#1088108: fixed in python-aiohttp 3.10.11-1
has caused the Debian Bug report #1088108,
regarding python-aiohttp: CVE-2024-52303
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1088108: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088108
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-aiohttp
Version: 3.10.10-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-aiohttp.

CVE-2024-52303[0]:
| aiohttp is an asynchronous HTTP client/server framework for asyncio
| and Python. In versions starting with 3.10.6 and prior to 3.10.11, a
| memory leak can occur when a request produces a MatchInfoError. This
| was caused by adding an entry to a cache on each request, due to the
| building of each MatchInfoError producing a unique cache entry. An
| attacker may be able to exhaust the memory resources of a server by
| sending a substantial number (100,000s to millions) of such
| requests. Those who use any middlewares with aiohttp.web should
| upgrade to version 3.10.11 to receive a patch.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52303
    https://www.cve.org/CVERecord?id=CVE-2024-52303
[1] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-27mf-ghqm-j3j8
[2] https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936

Regards,
Salvatore

--- End Message ---
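The advisory text above describes a bug class rather than a single line of code: a per-application middleware cache keyed on the route object, where every failed lookup builds a fresh error route and therefore a fresh, never-equal cache key. The following is an added toy model written for this page; it is not aiohttp's code, and the names Route, SystemRoute, Router, Application and cache_growth are hypothetical. It shows the cache growing by one entry per request to a missing path when system routes are cached, and staying flat when they are kept out of the cache (the shape of the upstream fix "system routes polluting the middleware cache" named in the changelog).

```python
"""Toy model of the bug class behind CVE-2024-52303 (hypothetical, not aiohttp's code).

The middleware cache is keyed on the route object that a lookup returns. Registered
routes are long-lived shared objects, so each produces exactly one entry. A failed
lookup builds a new SystemRoute every time; because each instance hashes by identity,
every miss is a brand-new key and the cache grows with each such request.
"""
from __future__ import annotations

from typing import Callable, Dict


class Route:
    """A registered route; one shared instance per path for the life of the app."""

    def __init__(self, path: str) -> None:
        self.path = path

    def handler(self) -> str:
        return f"200 {self.path}"


class SystemRoute:
    """Error route built on every failed lookup (identity-hashed, so never equal)."""

    def __init__(self, status: int) -> None:
        self.status = status

    def handler(self) -> str:
        return f"{self.status} not found"


class Router:
    def __init__(self, paths: list[str]) -> None:
        self._routes: Dict[str, Route] = {p: Route(p) for p in paths}

    def resolve(self, path: str) -> Route | SystemRoute:
        route = self._routes.get(path)
        # A miss yields a throw-away SystemRoute: a unique object per request.
        return route if route is not None else SystemRoute(404)


class Application:
    def __init__(self, router: Router, *, cache_system_routes: bool) -> None:
        self._router = router
        self._cache_system_routes = cache_system_routes  # True models the vulnerable behaviour
        self._middleware_cache: Dict[object, Callable[[], str]] = {}

    def _wrap_in_middlewares(self, route) -> Callable[[], str]:
        # Stand-in for the (comparatively expensive) middleware-chain build the cache avoids.
        def wrapped() -> str:
            return "mw:" + route.handler()

        return wrapped

    def handle(self, path: str) -> str:
        route = self._router.resolve(path)
        handler = self._middleware_cache.get(route)
        if handler is None:
            handler = self._wrap_in_middlewares(route)
            # Fixed behaviour: a throw-away system route must never become a cache key.
            if self._cache_system_routes or not isinstance(route, SystemRoute):
                self._middleware_cache[route] = handler
        return handler()

    def cache_size(self) -> int:
        return len(self._middleware_cache)


def cache_growth(cache_system_routes: bool, n_requests: int) -> int:
    """Serve n_requests to one valid and one missing path; return the final cache size."""
    app = Application(Router(["/healthz"]), cache_system_routes=cache_system_routes)
    for _ in range(n_requests):
        app.handle("/healthz")
        app.handle("/does-not-exist")  # same path each time, yet a new SystemRoute per miss
    return app.cache_size()


if __name__ == "__main__":
    print("vulnerable:", cache_growth(True, 1000))   # 1001: one per miss plus /healthz
    print("fixed:     ", cache_growth(False, 1000))  # 1: only the registered route
```

The point for operators is that the growth is linear in the number of requests, not in the number of distinct paths: repeating the same missing URL is enough. Tracking the cache size (or process RSS) against 404 counts is a cheap way to spot this pattern in a service that cannot yet be upgraded to 3.10.11.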
--- Begin Message ---
Source: python-aiohttp
Source-Version: 3.10.11-1
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-aiohttp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-aiohttp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Dec 2024 00:23:32 +0000
Source: python-aiohttp
Architecture: source
Version: 3.10.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1088108
Changes:
 python-aiohttp (3.10.11-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - CVE-2024-52303: Fix system routes polluting the middleware cache
       (closes: #1088108).
Checksums-Sha1:
 0acffddc38cc8a671173a18162e45d33b722308c 2812 python-aiohttp_3.10.11-1.dsc
 868ce48614e5abe2c8be122086d7dc5bf2173483 7551886 python-aiohttp_3.10.11.orig.tar.gz
 f74de421210a3d02e6db1c911d8c214d189869a6 9252 python-aiohttp_3.10.11-1.debian.tar.xz
Checksums-Sha256:
 dfad65ffdfdeccc159a6429992faf9e4f1f81937ebf4737cb3dac5922c03c76f 2812 python-aiohttp_3.10.11-1.dsc
 9dc2b8f3dcab2e39e0fa309c8da50c3b55e6f34ab25f1a71d3288f24924d33a7 7551886 python-aiohttp_3.10.11.orig.tar.gz
 8fb75cae1a953a50aef037e47dd51c6a21000b7b7c74617d85c160a8c01d9ea8 9252 python-aiohttp_3.10.11-1.debian.tar.xz
Files:
 59fac9a9fd73cb10c2d2ba279f84c3c5 2812 python optional python-aiohttp_3.10.11-1.dsc
 35f6e5c3b1f53ae205c0083feb642641 7551886 python optional python-aiohttp_3.10.11.orig.tar.gz
 776d808b6f7846f9ce321d7d25088c02 9252 python optional python-aiohttp_3.10.11-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpsF9Jmn1OSH.pgp
Description: PGP signature


--- End Message ---
