Your message dated Thu, 04 Jun 2026 12:24:46 +0000
with message-id <[email protected]>
and subject line Bug#1138781: fixed in python-aiohttp 3.14.0-1
has caused the Debian Bug report #1138781,
regarding python-aiohttp: CVE-2026-34993
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138781: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138781
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-aiohttp
Version: 3.13.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-aiohttp.
CVE-2026-34993[0]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with
| untrusted input may allow arbitrary code execution. Most
| applications using this function will be doing so with the user's
| own data, so this is unlikely to affect many applications. Version
| 3.14.0 patches the issue. If an application does allow attacker
| controlled files to be loaded, a workaround on older releases would
| be to sanitize the files before loading.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-34993
https://www.cve.org/CVERecord?id=CVE-2026-34993
[1] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8
[2] https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
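One way to apply the "sanitize the files before loading" workaround mentioned in the CVE text above. This is an added example, not part of the bug report and not aiohttp's code or the upstream fix. It assumes the file is the pickle that `CookieJar.save()` writes in releases before 3.14.0, holding a `defaultdict` keyed by `(domain, path)` string pairs with `SimpleCookie` values; the names `ALLOWED`, `CookieOnlyUnpickler`, `load_cookie_pickle` and `constructed_samples` are hypothetical.

```python
import collections
import decimal
import io
import pickle
from http.cookies import Morsel, SimpleCookie

# Assumption: these are the only globals a saved cookie jar needs to reference.
ALLOWED = {
    ("collections", "defaultdict"): collections.defaultdict,
    ("http.cookies", "SimpleCookie"): SimpleCookie,
    ("http.cookies", "Morsel"): Morsel,
}


class CookieOnlyUnpickler(pickle.Unpickler):
    """Unpickler that resolves nothing outside ALLOWED."""

    def find_class(self, module, name):
        try:
            return ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}") from None


def load_cookie_pickle(data: bytes):
    """Return the cookie mapping, or raise UnpicklingError if data is not one."""
    jar = CookieOnlyUnpickler(io.BytesIO(data)).load()
    if not isinstance(jar, collections.defaultdict) or jar.default_factory is not SimpleCookie:
        raise pickle.UnpicklingError("top-level object is not a cookie mapping")
    for key, cookie in jar.items():
        key_ok = (isinstance(key, tuple) and len(key) == 2
                  and all(isinstance(part, str) for part in key))
        if not key_ok or type(cookie) is not SimpleCookie:
            raise pickle.UnpicklingError(f"unexpected entry under key {key!r}")
    return jar


def constructed_samples():
    """Constructed inputs: a valid jar, a foreign type, a wrong-shaped object."""
    jar = collections.defaultdict(SimpleCookie)
    jar[("example.test", "/")]["session"] = "abc123"
    good = pickle.dumps(jar, pickle.HIGHEST_PROTOCOL)
    foreign = pickle.dumps(decimal.Decimal("1"), pickle.HIGHEST_PROTOCOL)  # harmless stand-in
    wrong_shape = pickle.dumps({"a": 1}, pickle.HIGHEST_PROTOCOL)
    return good, foreign, wrong_shape
```

A file that passes can be re-serialized from the returned mapping to a fresh path and only that copy handed to `CookieJar.load()`; upgrading to 3.14.0 remains the fix named in the report.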
--- Begin Message ---
Source: python-aiohttp
Source-Version: 3.14.0-1
Done: Edward Betts <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-aiohttp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Edward Betts <[email protected]> (supplier of updated python-aiohttp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 04 Jun 2026 11:24:23 +0100
Source: python-aiohttp
Architecture: source
Version: 3.14.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Edward Betts <[email protected]>
Closes: 1138780 1138781
Changes:
python-aiohttp (3.14.0-1) unstable; urgency=medium
.
* New upstream release.
* Fix CVE-2026-47265 (Closes: #1138780)
* Fix CVE-2026-34993 (Closes: #1138781)
* Upstream added sphinxcontrib-mermaid, myst-parser and
pytest-timeout dependencies.
* Rebase patches.
* Skip another test failing during autopkgtest.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---