mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-01-27 12:01:38 +01:00
78afe9d40c
- Fix CVE-2025-53643: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-53643 - Drop CVE-2024-42367.patch: According to upstream discussion and advisory [1][2], aiohttp 3.8.6 is not affected by CVE-2024-42367, and the patch is therefore no longer needed. [1] https://github.com/advisories/GHSA-jwhx-xcg6-8xhj [2] https://github.com/aio-libs/aiohttp/issues/11149 Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> |
||
|---|---|---|
| .. | ||
| CVE-2023-49081.patch | ||
| CVE-2023-49082.patch | ||
| CVE-2024-23334.patch | ||
| CVE-2024-27306.patch | ||
| CVE-2024-30251.patch | ||
| CVE-2024-52304.patch | ||
| CVE-2025-53643.patch | ||