Debian alert DLA-4613-1 (python-aiohttp)
| From: | Daniel Leidert <dleidert@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 4613-1] python-aiohttp security update |
| Date: | Mon, 01 Jun 2026 06:56:28 +0200 |
| Message-ID: | <16fea35504214d6cbc57629cf90ba41570fb8737.camel@debian.org> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4613-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Daniel Leidert
June 01, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-aiohttp
Version        : 3.7.4-1+deb11u2
CVE ID         : CVE-2025-53643 CVE-2025-69224 CVE-2025-69225 CVE-2025-69226
                 CVE-2025-69227 CVE-2025-69228 CVE-2025-69229 CVE-2026-22815
                 CVE-2026-34513 CVE-2026-34514 CVE-2026-34516 CVE-2026-34517
                 CVE-2026-34518 CVE-2026-34519 CVE-2026-34520 CVE-2026-34525

Several vulnerabilities have been found in aiohttp, an asynchronous HTTP
client/server framework for asyncio and Python.

CVE-2025-53643

    Request smuggling vulnerability due to not parsing trailer sections
    of an HTTP request.

CVE-2025-69224

    Possible request smuggling attack in the HTTP parser with the
    presence of non-ASCII characters.

CVE-2025-69225

    Parser logic which allows non-ASCII decimals to be present in the
    Range header.

CVE-2025-69226

    Path traversal vulnerability that allows an attacker to ascertain
    the existence of path components.

CVE-2025-69227

    When processing a POST body, an infinite loop can occur when assert
    statements are bypassed, leading to a possible DoS attack.

CVE-2025-69228

    Possible DoS attack that can freeze the server by exhausting the
    memory using Request.post().

CVE-2025-69229

    The handling of chunked messages can result in excessive blocking of
    CPU usage when receiving a large number of chunks.

CVE-2026-22815

    Uncapped memory usage due to insufficient restrictions in header and
    trailer handling.

CVE-2026-34513

    Excessive memory usage, possibly resulting in a DoS, due to an
    unbounded DNS cache.

CVE-2026-34514

    Header injection.

CVE-2026-34516

    Potential DoS vulnerability caused by a response with an excessive
    number of multipart headers.

CVE-2026-34517

    Possible excessive memory usage caused by some multipart form fields
    due to reading the entire field into memory before checking
    client_max_size.

CVE-2026-34518

    Leaking sensitive information by dropping the Cookie and the
    Proxy-Authorization headers when following redirects to a different
    origin.

CVE-2026-34519

    Header injection via the reason parameter.

CVE-2026-34520

    Possible security bypass by checking header values for control
    characters according to RFC 9110.

CVE-2026-34525

    Headers can be duplicated, e.g. the Host header.

For Debian 11 bullseye, these problems have been fixed in version
3.7.4-1+deb11u2.

We recommend that you upgrade your python-aiohttp packages.

For the detailed security status of python-aiohttp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-aiohttp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
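Several of the issues above (CVE-2026-34514, CVE-2026-34519, CVE-2026-34520 and CVE-2026-34525) come down to one defensive rule: every header name, header value and reason phrase must be checked against the RFC 9110 grammar before it is serialized, and singleton fields such as Host must not be accepted twice. The following is an added example written for this page, not aiohttp's own code; it implements that rule with the RFC 9110 field-value grammar (VCHAR, SP, HTAB and obs-text allowed; CR, LF, NUL and other control characters rejected) and contrasts it with a naive "no CRLF" check that misses bare LF and NUL. The singleton set and the function names are the example's own choices, and the sample inputs are constructed.

```python
"""RFC 9110-style validation of HTTP header names, values and reason phrases.

Added example (not aiohttp code). Returns a problem description instead of
raising so the checks are easy to use in both server and client paths.
"""
import re
from typing import List, Optional, Tuple

# field-name / tchar (RFC 9110 section 5.6.2): no whitespace, no separators.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# field-value (RFC 9110 section 5.5): VCHAR / SP / HTAB / obs-text.
# Everything else, including CR, LF, NUL, other C0 controls, DEL and any
# code point above 0xFF (not representable in a latin-1 header), is rejected.
_FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")

# reason-phrase (RFC 9112 section 4) uses the same character set.
_REASON_RE = _FIELD_VALUE_RE

# Fields that must not appear more than once in a single message.
# RFC 9112 requires rejecting a request with multiple Host fields; treating
# Content-Length the same way is a conservative policy choice in this example.
SINGLETON_FIELDS = {"host", "content-length"}


def header_problem(name: str, value: str) -> Optional[str]:
    """Return None if (name, value) is well-formed, else a short reason."""
    if not _TOKEN_RE.fullmatch(name):
        return f"invalid header name {name!r}"
    # fullmatch (not match + '$') so a trailing '\n' cannot slip through.
    if not _FIELD_VALUE_RE.fullmatch(value):
        bad = next(c for c in value if not _FIELD_VALUE_RE.fullmatch(c))
        return f"header {name!r} contains forbidden character {bad!r}"
    return None


def headers_problem(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Validate a whole header list, including duplicate singleton fields."""
    seen = set()
    for name, value in headers:
        problem = header_problem(name, value)
        if problem:
            return problem
        key = name.lower()
        if key in SINGLETON_FIELDS and key in seen:
            return f"duplicate singleton header {name!r}"
        seen.add(key)
    return None


def reason_problem(reason: str) -> Optional[str]:
    """Reject reason phrases that could terminate the status line early."""
    if not _REASON_RE.fullmatch(reason):
        return f"reason phrase contains forbidden character"
    return None


def build_status_line(status: int, reason: str) -> str:
    """Serialize a status line only after the reason phrase has been checked."""
    problem = reason_problem(reason)
    if problem:
        raise ValueError(problem)
    return f"HTTP/1.1 {status} {reason}\r\n"


def naive_value_check(value: str) -> bool:
    """The insufficient check this example warns against: only looks for CRLF."""
    return "\r\n" not in value


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("Host", "example.invalid"),
        ("X-Note", "caf\u00e9"),            # obs-text byte 0xE9: allowed
        ("Set-Cookie", "a=b\r\nX-Injected: 1"),
        ("X-Test", "bare\nnewline"),       # naive check misses this
        ("X-Test", "nul\x00byte"),
        ("Bad Name", "x"),
    ]
    for name, value in samples:
        print(f"{name!r}: {value!r} -> {header_problem(name, value) or 'ok'}"
              f" (naive says {'ok' if naive_value_check(value) else 'bad'})")
    print(headers_problem([("Host", "a"), ("Host", "b")]))
    print(build_status_line(200, "OK").encode())
```

In a server, run `headers_problem` over the parsed request before routing and answer 400 on any problem; in a client or response path, run `header_problem` and `reason_problem` over application-supplied values before serialization. The naive check is kept only to show why a CRLF-only test is not equivalent to the RFC 9110 grammar.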
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE-----

iQJIBAABCgAyFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmodEPwUHGRsZWlkZXJ0
QGRlYmlhbi5vcmcACgkQS80FZ8KW0F3WBQ//R4kBVagiSwQlb+sQj3/kC51hI0zR
HPHyQ5EBi8eXJ7WkNKAp3IEMgWwUfRAUGGoFBSehMVPXz2entaNkEk1tD9shq6eu
3PIDySHxJd47d7/6/zcTDl+CvbrjitTtFJJy3ET+umYdtFn6dpKoqeNJA0tlnoWv
PCPZmkQw3BqBnZjHOcwpl2JodzceYFwwR6rA+VQiMzXcG+At5mOfncIYP9/KvJQ2
RHf8qJ42ud2SKJsGQBQOAMDTBVmBZJ8HQsO3TO/utxAqiRlwEVk6JsLqxh6Aks+J
2sBrd3pVF6irMxVfYS8bVXIszVVTaCtmibpGuanNr3b1kpscRYrPPBh1YBQHdS9s
Zq1ljIPZxN+Eoq46/n8JwWFb3eBLdCYU5Tp4I3Rfe+ZZN7IgrZxknWhb06VjiEYr
IXV3ecJ6GF+51po9OT7IKZRXWn2leUAtC9YP4v1oQ2X/Log7s87hwar0EzpHdrRQ
rgg1WD08wdSLNx013VWYLWyny+B0YtdH9Iy7hEpYQ0K0rkUmBvWolc7flLNz69U8
YDywb+iZ/1NfqNOXlhAR7cFWw+JJrifyt197J72pT+HhsB66zyfj0YtiyNJaqzoY
BNBnf41xvBVfPZQ/rgYRCutlP2RI/a2Vtdvs97l7uOXu93rYpdKcuMrjfyYGnMEL
hkg/ViK/F7U66mo=
=8pDF
-----END PGP SIGNATURE-----
