Hi,

I would like to request your feedback. I'm currently working on another
aiohttp update round. I have a specific issue with CVE-2026-54273 [1].
The fix is based on a major overhaul [2], which also changed the
processing logic. To fix the issue in the C parser, I had to backport
at least major parts of the C parser logic and adjust it to the
processing logic in the earlier versions. And I do not feel comfortable
with that.

IMHO, fixing this properly is intrusive. I have marked this issue as
ignored for Bookworm and Bullseye for now, and I am thinking of
releasing the Trixie SPU with a partial fix [3] (it would just be a
minor improvement when using the C parser, but not a fix). Or should I
not touch it at all and ignore it for Trixie as well? What do you
think?

[1] https://deb.freexian.com/extended-lts/tracker/CVE-2026-54273
[2] https://github.com/aio-libs/aiohttp/commit/b502ae655c8788b469dcc832923a85d661719699
[3] https://salsa.debian.org/python-team/packages/python-aiohttp/-/commit/a120dd9dddaba54e061601fed94ab935b167354a

Regards, Daniel
