Source: python-aiohttp
Version: 3.13.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for python-aiohttp.

CVE-2026-34513[0]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.13.4, an unbounded DNS cache could
| result in excessive memory usage possibly resulting in a DoS
| situation. This issue has been patched in version 3.13.4.

CVE-2026-34514[1]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.13.4, an attacker who controls the
| content_type parameter in aiohttp could use this to inject extra
| headers or similar exploits. This issue has been patched in version
| 3.13.4.

CVE-2026-34516[2]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.13.4, a response with an excessive
| number of multipart headers may be allowed to use more memory than
| intended, potentially allowing a DoS vulnerability. This issue has
| been patched in version 3.13.4.

CVE-2026-34517[3]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.13.4, for some multipart form fields,
| aiohttp read the entire field into memory before checking
| client_max_size. This issue has been patched in version 3.13.4.

CVE-2026-34518[4]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.13.4, when following redirects to a
| different origin, aiohttp drops the Authorization header, but
| retains the Cookie and Proxy-Authorization headers. This issue has
| been patched in version 3.13.4.

CVE-2026-34519[5]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.13.4, an attacker who controls the
| reason parameter when creating a Response may be able to inject
| extra headers or similar exploits. This issue has been patched in
| version 3.13.4.

CVE-2026-34520[6]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.13.4, the C parser (the default for
| most installs) accepted null bytes and control characters in
| response headers. This issue has been patched in version 3.13.4.

CVE-2026-34525[7]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.13.4, multiple Host headers were
| allowed in aiohttp. This issue has been patched in version 3.13.4.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34513
    https://www.cve.org/CVERecord?id=CVE-2026-34513
[1] https://security-tracker.debian.org/tracker/CVE-2026-34514
    https://www.cve.org/CVERecord?id=CVE-2026-34514
[2] https://security-tracker.debian.org/tracker/CVE-2026-34516
    https://www.cve.org/CVERecord?id=CVE-2026-34516
[3] https://security-tracker.debian.org/tracker/CVE-2026-34517
    https://www.cve.org/CVERecord?id=CVE-2026-34517
[4] https://security-tracker.debian.org/tracker/CVE-2026-34518
    https://www.cve.org/CVERecord?id=CVE-2026-34518
[5] https://security-tracker.debian.org/tracker/CVE-2026-34519
    https://www.cve.org/CVERecord?id=CVE-2026-34519
[6] https://security-tracker.debian.org/tracker/CVE-2026-34520
    https://www.cve.org/CVERecord?id=CVE-2026-34520
[7] https://security-tracker.debian.org/tracker/CVE-2026-34525
    https://www.cve.org/CVERecord?id=CVE-2026-34525

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
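Added illustration of the redirect behaviour described under CVE-2026-34518 (not part of the report above and not aiohttp's own code): a client following a redirect must drop every credential-bearing header, Cookie and Proxy-Authorization included, as soon as the target is a different origin (scheme, host, port). The header set and the helper names are this example's own assumptions.

```python
"""Constructed example: which request headers may follow a redirect.

Credentials must be dropped whenever a redirect leaves the origin of the
original request; CVE-2026-34518 was about only Authorization being
dropped while Cookie and Proxy-Authorization were carried along.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed set of credential-bearing headers that never cross an origin.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})

# Default ports so "https://h/" and "https://h:443/" compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, host, port


def same_origin(url_a: str, url_b: str) -> bool:
    """True when both URLs share scheme, host and effective port."""
    return origin(url_a) == origin(url_b)


def headers_for_redirect(headers: dict[str, str], from_url: str, to_url: str) -> dict[str, str]:
    """Return the headers a client should send to the redirect target.

    Same-origin redirects keep every header; cross-origin redirects drop
    every header whose name (case-insensitively) is in SENSITIVE_HEADERS.
    """
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample request headers; all values are placeholders.
    req = {"Authorization": "Bearer t0k3n", "Cookie": "session=abc",
           "Proxy-Authorization": "Basic xyz", "Accept": "*/*"}
    print(headers_for_redirect(req, "https://api.example.com/v1", "https://other.example.net/"))
```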

