Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69228
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../python3-aiohttp/CVE-2025-69228.patch | 47 +++++++++++++++++++
 .../python/python3-aiohttp_3.12.15.bb | 1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
new file mode 100644
index 0000000000..74e383ea1b
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
@@ -0,0 +1,47 @@ +From 8426e0e6df8a3481c7482d4fbce749bfe77e2e44 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari <[email protected]> +Date: Sat, 3 Jan 2026 02:48:45 +0000 +Subject: [PATCH] Enforce client_max_size over entire multipart form (#11889) + (#11908) + +From: Sam Bull <[email protected]> + +(cherry picked from commit ed90718fab5d34c127a283e10385f19440df7dd0) + +CVE: CVE-2025-69228 +Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + aiohttp/web_request.py | 2 +- + tests/test_web_functional.py | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py +index 96222b0..b5fa40c 100644 +--- a/aiohttp/web_request.py ++++ b/aiohttp/web_request.py +@@ -721,8 +721,8 @@ class BaseRequest(MutableMapping[str, Any], HeadersMixin): + multipart = await self.multipart() + max_size = self._client_max_size + ++ size = 0 + while (field := await multipart.next()) is not None: +- size = 0 + field_ct = field.headers.get(hdrs.CONTENT_TYPE) + + if isinstance(field, BodyPartReader): +diff --git a/tests/test_web_functional.py b/tests/test_web_functional.py +index c33b3ce..8ec237b 100644 +--- a/tests/test_web_functional.py ++++ b/tests/test_web_functional.py +@@ -1705,8 +1705,8 @@ async def test_app_max_client_size(aiohttp_client) -> None: + await resp.release() + + +-async def test_app_max_client_size_adjusted(aiohttp_client) -> None: +- async def handler(request): ++async def test_app_max_client_size_adjusted(aiohttp_client: AiohttpClient) -> None: ++ async def handler(request: web.Request) -> web.Response: + await request.post() + return web.Response(body=b"ok") + diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb index 644c07153d..55ff57d05c 100644 
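Review bot: The test hunk carried by this backport (tests/test_web_functional.py, `@@ -1705,8 +1705,8 @@`) only adds type annotations to `test_app_max_client_size_adjusted` and its `handler`; nothing in the patch posts a multipart body whose parts are each under `client_max_size` but together exceed it, which is exactly the case the hoisted `size = 0` is meant to reject, so the CVE fix lands in meta-python without a regression test. If the upstream commit's test changes were trimmed while cherry-picking, consider restoring them, or adding a test that sends two parts of just over half the limit each to a handler that does `await request.post()` and asserts the request is rejected as too large. The comparison against `max_size` that consumes the accumulated `size` is not visible in the web_request.py hunk — the `post()` body continues outside it — so it is worth confirming on the 3.12.15 source that the check still runs per chunk and per field after the hoist. Separately, the `(cherry picked from commit ed90718…)` line and the `Upstream-Status: Backport [...b7dbd35...]` URL name different commits; one of them should be corrected so the header points at the commit that was actually backported.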
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
@@ -8,6 +8,7 @@ SRC_URI += "file://CVE-2025-69224.patch \
 file://CVE-2025-69225.patch \
 file://CVE-2025-69226.patch \
 file://CVE-2025-69227.patch \
+ file://CVE-2025-69228.patch \
 "
 
 SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"
