Your message dated Thu, 12 Dec 2024 10:32:27 +0000
with message-id <[email protected]>
and subject line Bug#1088109: fixed in python-aiohttp 3.8.4-1+deb12u1
has caused the Debian Bug report #1088109,
regarding python-aiohttp: CVE-2024-52304
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1088109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088109
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-aiohttp
Version: 3.10.10-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-aiohttp.

CVE-2024-52304[0]:
| aiohttp is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.10.11, the Python parser parses
| newlines in chunk extensions incorrectly which can lead to request
| smuggling vulnerabilities under certain conditions. If a pure Python
| version of aiohttp is installed (i.e. without the usual C
| extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker
| may be able to execute a request smuggling attack to bypass certain
| firewalls or proxy protections. Version 3.10.11 fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52304
    https://www.cve.org/CVERecord?id=CVE-2024-52304
[1] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr
[2] 
https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: python-aiohttp
Source-Version: 3.8.4-1+deb12u1
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-aiohttp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated python-aiohttp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Nov 2024 20:38:32 +0100
Source: python-aiohttp
Architecture: source
Version: 3.8.4-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1057163 1057164 1062709 1070364 1088109
Changes:
 python-aiohttp (3.8.4-1+deb12u1) bookworm-security; urgency=medium
 .
   * CVE-2023-47627
   * CVE-2023-49081 (Closes: #1057163)
   * CVE-2023-49082 (Closes: #1057164)
   * CVE-2024-23334 (Closes: #1062709)
   * CVE-2024-30251 (Closes: #1070364)
   * CVE-2024-52304 (Closes: #1088109)
Checksums-Sha1:
 8f481c1e33b2b0b2bbdda9e3d18d8ea10f5d0062 2518 
python-aiohttp_3.8.4-1+deb12u1.dsc
 09487833fdd1661f2e34227976516ec33838fd09 7338512 
python-aiohttp_3.8.4.orig.tar.gz
 02b4a6c053056fefb285c74f1e0fa4b7a1ecafb2 18280 
python-aiohttp_3.8.4-1+deb12u1.debian.tar.xz
 6c00c4c4ee9b62f22f3230c5b9c436e75675773f 10120 
python-aiohttp_3.8.4-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
 076b92d4596ef8b9bc832cad92b750d78c8fe2d89808cf7001aa0abc24f1c330 2518 
python-aiohttp_3.8.4-1+deb12u1.dsc
 bf2e1a9162c1e441bf805a1fd166e249d574ca04e03b34f97e2928769e91ab5c 7338512 
python-aiohttp_3.8.4.orig.tar.gz
 0b8da7833e5ea1743c4e58c50bcff941c25b267827eab28a97a5ee8df876ca36 18280 
python-aiohttp_3.8.4-1+deb12u1.debian.tar.xz
 2efc982a350f23199230f975fc56f18cbd7e9b2f637f5760cd981c8e57335475 10120 
python-aiohttp_3.8.4-1+deb12u1_amd64.buildinfo
Files:
 28c52e494b40783d237ce0cf976c5c84 2518 python optional 
python-aiohttp_3.8.4-1+deb12u1.dsc
 8208bc4b519ac4520720577f93561855 7338512 python optional 
python-aiohttp_3.8.4.orig.tar.gz
 89c678114d9daeed6f37a144700ece6f 18280 python optional 
python-aiohttp_3.8.4-1+deb12u1.debian.tar.xz
 4cd4466a4258526333f3ef059fcb8050 10120 python optional 
python-aiohttp_3.8.4-1+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdJrPAACgkQEMKTtsN8
TjYd1g//UGU6llGyItw7aFrUNSKWzpg34V75Rxtt62dDTKuH3+mhUuATTF129CyN
0DjxeNxHVfrndRdGKjRR60jgpxk8zcVbYmOSwVN/Y2Ko8Fnjbteqg76Q7bC2+cJd
PhpIdLcZoNKx7Rp8QPoiJ/yjYC85W68mQ8yz+gyMtg9nd1LbJTsyL8h5i1QAao4X
XsIrTzsIyWjvtGG8qeEaytrDoAXsKkgHNZ+5mxiRdF9Vi6RKTd3xQYAcFsmWfSnH
z43qSXZmOlEjimJl2jH9x608YyGRy2O14so9xK2gyx+jA1m7AzvX4oQC2+xHhSY/
+CfF0Q4NhxszL0AVRgvl4MMW0HdZp/bIDtLaLKTyaO+LVTdDHpW/HIsvs64gBmgr
H8LKqge1L7vFcgRAgG7+u/ZvN8J0+w08TjR+0d6GsemIo2O3aKHJDrY/nszb2mbH
nKaJJ4Mw47flvGHtnGvOwnIvSH58zO7Ai2LbIliR4/43qlQoGC/Sm/ywHZY8YuxV
uPFX5/CWO7fv5b6vNoVbMt5Q0iKlXhZL/Yrx8zhXE+qrdvRxWJ20CPahJIXUTRD4
r7270sSEmvZLQ3s6nXsX81WOOQ7N/gn+NxaEJDLVZ39YdfXC0sdiE2Txe7T/++OM
tHGJIMprTtphhtxcMnOGNCaCIYliMEwvCm2l/p0WXAsFfvzHTyQ=
=bHjf
-----END PGP SIGNATURE-----

Attachment: pgp7V_s1hYxbb.pgp
Description: PGP signature


--- End Message ---

Reply via email to