Hi, I would like to request your feedback. I'm currently working on another aiohttp update round. I have a specific issue with CVE-2026-54273 [1]. The fix is based on a major overhaul [2], which also changed the processing logic. To fix the issue in the C parser, I had to backport at least major parts of the C parser logic and adjust it to the processing logic in the earlier versions. And I do not feel comfortable with that.
IMHO, fixing this properly is intrusive. I have marked this issue as ignored for Bookworm and Bullseye for now, and I am thinking of releasing the Trixie SPU with a partial fix [3] (it would just be a minor improvement when using the C parser, but not a fix). Or should I not touch it at all and ignore it for Trixie as well? What do you think?

[1] https://deb.freexian.com/extended-lts/tracker/CVE-2026-54273
[2] https://github.com/aio-libs/aiohttp/commit/b502ae655c8788b469dcc832923a85d661719699
[3] https://salsa.debian.org/python-team/packages/python-aiohttp/-/commit/a120dd9dddaba54e061601fed94ab935b167354a

Regards,
Daniel
