Your message dated Mon, 30 Dec 2024 05:40:48 +0100
with message-id <[email protected]>
and subject line [[email protected]: Accepted python-aiohttp 3.10.11-1 (source) into unstable]
has caused the Debian Bug report #1088109,
regarding python-aiohttp: CVE-2024-52304
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1088109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088109
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-aiohttp
Version: 3.10.10-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-aiohttp.
CVE-2024-52304[0]:
| aiohttp is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.10.11, the Python parser parses
| newlines in chunk extensions incorrectly which can lead to request
| smuggling vulnerabilities under certain conditions. If a pure Python
| version of aiohttp is installed (i.e. without the usual C
| extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker
| may be able to execute a request smuggling attack to bypass certain
| firewalls or proxy protections. Version 3.10.11 fixes the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-52304
https://www.cve.org/CVERecord?id=CVE-2024-52304
[1] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr
[2] https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
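The advisory above says the pure-Python parser mishandled newlines inside chunk extensions. The following is an added example, not aiohttp's own parser and not the code from the linked fix commit: a deliberately strict chunked-body decoder that applies the RFC 9112 chunk grammar (chunk-size, optional chunk-ext, CRLF) and rejects any chunk-size line containing a bare CR or LF instead of guessing where the line ends. The sample bodies are constructed for the demonstration; the function and constant names are this example's own.

```python
import re
from typing import List, Tuple

# RFC 9112 section 7.1, simplified:
#   chunk      = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
#   chunk-size = 1*HEXDIG
#   chunk-ext  = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
# chunk-ext-name is a token, chunk-ext-val a token or quoted-string;
# none of these productions may contain CR or LF.
CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,16}")
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = rb'"(?:[^"\\\r\n]|\\[^\r\n])*"'
CHUNK_EXT_RE = re.compile(
    rb"(?:[ \t]*;[ \t]*" + TOKEN + rb"(?:[ \t]*=[ \t]*(?:" + TOKEN + rb"|" + QUOTED + rb"))?)*"
)


class ChunkParseError(ValueError):
    """Raised for any input the strict grammar does not allow."""


def parse_chunk_line(line: bytes) -> Tuple[int, bytes]:
    """Parse one chunk-size line (without its CRLF terminator).

    Returns (size, raw_extension). A CR or LF anywhere in the line is an
    error: the line boundary is exactly one CRLF, never a bare newline.
    """
    if b"\r" in line or b"\n" in line:
        raise ChunkParseError("CR or LF inside chunk-size line: %r" % line)
    size_part, sep, rest = line.partition(b";")
    if sep:
        size_part = size_part.rstrip(b" \t")  # BWS is permitted before ';'
    if not CHUNK_SIZE_RE.fullmatch(size_part):
        raise ChunkParseError("invalid chunk-size: %r" % size_part)
    ext = sep + rest
    if not CHUNK_EXT_RE.fullmatch(ext):
        raise ChunkParseError("invalid chunk-ext: %r" % ext)
    return int(size_part, 16), ext


def decode_chunked(body: bytes) -> Tuple[bytes, List[bytes]]:
    """Strictly decode a complete chunked body (trailer fields not supported).

    Returns (payload, raw extensions seen per chunk). Any deviation from the
    grammar raises ChunkParseError rather than being silently repaired.
    """
    out = bytearray()
    exts: List[bytes] = []
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ChunkParseError("chunk-size line not terminated by CRLF")
        size, ext = parse_chunk_line(body[pos:end])
        exts.append(ext)
        pos = end + 2
        if size == 0:
            # last-chunk: require the terminating empty line immediately
            if body[pos:pos + 2] != b"\r\n":
                raise ChunkParseError("expected CRLF after last-chunk")
            return bytes(out), exts
        data = body[pos:pos + size]
        if len(data) != size:
            raise ChunkParseError("truncated chunk-data")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkParseError("chunk-data not followed by CRLF")
        out += data
        pos += size + 2


def is_rejected(body: bytes) -> bool:
    """True if the strict decoder refuses the body."""
    try:
        decode_chunked(body)
    except ChunkParseError:
        return True
    return False


# Constructed sample bodies (not captured traffic).
GOOD = b"4;name=value\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
BAD_LF_IN_EXT = b"4;name=va\nlue\r\nWiki\r\n0\r\n\r\n"
BAD_BARE_LF_TERMINATOR = b"4\nWiki\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(GOOD))
    for sample in (BAD_LF_IN_EXT, BAD_BARE_LF_TERMINATOR):
        print(sample, "rejected" if is_rejected(sample) else "accepted")
```

The point for a defender is the failure mode: a lenient decoder that scans for the next CRLF and then splits the extension on ";" will accept a chunk-size line containing a bare LF, so its view of where the body ends can differ from that of another hop. Refusing the line outright keeps both parsers in agreement and is the property to test for when qualifying a pure-Python deployment.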
--- Begin Message ---
Source: python-aiohttp
Source-Version: 3.10.11-1
----- Forwarded message from Debian FTP Masters <[email protected]> -----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 30 Dec 2024 00:23:32 +0000
Source: python-aiohttp
Architecture: source
Version: 3.10.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1088108
Changes:
python-aiohttp (3.10.11-1) unstable; urgency=medium
.
* Team upload.
* New upstream release:
- CVE-2024-52303: Fix system routes polluting the middleware cache
(closes: #1088108).
Checksums-Sha1:
0acffddc38cc8a671173a18162e45d33b722308c 2812 python-aiohttp_3.10.11-1.dsc
868ce48614e5abe2c8be122086d7dc5bf2173483 7551886 python-aiohttp_3.10.11.orig.tar.gz
f74de421210a3d02e6db1c911d8c214d189869a6 9252 python-aiohttp_3.10.11-1.debian.tar.xz
Checksums-Sha256:
dfad65ffdfdeccc159a6429992faf9e4f1f81937ebf4737cb3dac5922c03c76f 2812 python-aiohttp_3.10.11-1.dsc
9dc2b8f3dcab2e39e0fa309c8da50c3b55e6f34ab25f1a71d3288f24924d33a7 7551886 python-aiohttp_3.10.11.orig.tar.gz
8fb75cae1a953a50aef037e47dd51c6a21000b7b7c74617d85c160a8c01d9ea8 9252 python-aiohttp_3.10.11-1.debian.tar.xz
Files:
59fac9a9fd73cb10c2d2ba279f84c3c5 2812 python optional python-aiohttp_3.10.11-1.dsc
35f6e5c3b1f53ae205c0083feb642641 7551886 python optional python-aiohttp_3.10.11.orig.tar.gz
776d808b6f7846f9ce321d7d25088c02 9252 python optional python-aiohttp_3.10.11-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=adof
-----END PGP SIGNATURE-----
----- End forwarded message -----
--- End Message ---