[Git][security-tracker-team/security-tracker][master] Reserve DLA-4041-1 for python-aiohttp

Jochen Sprickerhof (@jspricke) jspricke at debian.org
Mon Feb 3 13:39:44 GMT 2025 


Jochen Sprickerhof pushed to branch master at Debian Security Tracker / security-tracker


Commits:
94abe6e9 by Jochen Sprickerhof at 2025-02-03T14:39:28+01:00
Reserve DLA-4041-1 for python-aiohttp

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -81981,7 +81981,6 @@ CVE-2024-28076 (The SolarWinds Platform was susceptible to a Arbitrary Open Redi
 CVE-2024-27306 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp 3.9.5-1 (bug #1070665)
 	[bookworm] - python-aiohttp <ignored> (Minor issue)
-	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	[buster] - python-aiohttp <postponed> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
 	NOTE: https://github.com/aio-libs/aiohttp/pull/8319
@@ -104737,7 +104736,6 @@ CVE-2023-6780 (An integer overflow was found in the __vsyslog_internal function
 CVE-2024-23829 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp 3.9.5-1 (bug #1062708)
 	[bookworm] - python-aiohttp <ignored> (Minor issue)
-	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	[buster] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
 	NOTE: https://github.com/aio-libs/aiohttp/pull/8074
@@ -104746,7 +104744,6 @@ CVE-2024-23829 (aiohttp is an asynchronous HTTP client/server framework for asyn
 CVE-2024-23334 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	{DSA-5828-1}
 	- python-aiohttp 3.9.5-1 (bug #1062709)
-	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	[buster] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
 	NOTE: https://github.com/aio-libs/aiohttp/pull/8079
@@ -116777,7 +116774,6 @@ CVE-2023-49087 (xml-security is a library that implements XML signatures and enc
 CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	{DSA-5828-1}
 	- python-aiohttp 3.9.1-1 (bug #1057164)
-	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	[buster] - python-aiohttp <postponed> (Minor issue, limited request smuggling)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
 	NOTE: https://github.com/aio-libs/aiohttp/commit/493f06797654c383242f0e8007f6e06b818a1fbc (master)
@@ -116785,7 +116781,6 @@ CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for asyn
 CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	{DSA-5828-1}
 	- python-aiohttp 3.9.1-1 (bug #1057163)
-	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	[buster] - python-aiohttp <postponed> (Minor issue, limited request smuggling)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2
 	NOTE: https://github.com/aio-libs/aiohttp/pull/7835
@@ -118803,7 +118798,6 @@ CVE-2023-47678 (An improper access control vulnerability exists in RT-AC87U all
 	NOT-FOR-US: ASUSTeK
 CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	- python-aiohttp 3.8.1-1
-	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	[buster] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j
 	NOTE: https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371 (v3.8.0b0)
@@ -118816,7 +118810,6 @@ CVE-2023-47630 (Kyverno is a policy engine designed for Kubernetes. An issue was
 CVE-2023-47627 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...)
 	{DSA-5828-1}
 	- python-aiohttp 3.8.6-1
-	[bullseye] - python-aiohttp <no-dsa> (Minor issue)
 	[buster] - python-aiohttp <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
 	NOTE: https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d (v3.8.6)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[03 Feb 2025] DLA-4041-1 python-aiohttp - security update
+	{CVE-2023-47627 CVE-2023-47641 CVE-2023-49081 CVE-2023-49082 CVE-2024-23334 CVE-2024-23829 CVE-2024-27306 CVE-2024-30251 CVE-2024-52304}
+	[bullseye] - python-aiohttp 3.7.4-1+deb11u1
 [03 Feb 2025] DLA-4040-1 pam-u2f - security update
 	{CVE-2025-23013}
 	[bullseye] - pam-u2f 1.1.0-1.1+deb11u1


=====================================
data/dla-needed.txt
=====================================
@@ -191,14 +191,6 @@ pgagent
 php-nesbot-carbon
   NOTE: 20250119: Added by Front-Desk (rouca)
 --
-python-aiohttp (jspricke)
-  NOTE: 20240523: Added by oldstable Security Team (jmm)
-  NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
-  NOTE: 20241030: Started preparing patches for Bullseye. In version 3.8.0, http-parser was replaced by llhttp. Thus Bookworm is different from Bullseye. (dleidert)
-  NOTE: 20241030: <https://github.com/aio-libs/aiohttp/commit/485a5fc49050f8f8bf0d7eec8a85b4d9b450386c> (dleidert)
-  NOTE: 20241030: Maybe it makes sense to upload the Bookworm version to Bullseye to reduce maintenance and patch both at the same time. (dleidert)
-  NOTE: 20241030: Also added autopkgtest test scripts to run test suite. (dleidert)
---
 qemu (santiago)
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: Follow fixes from bookworm 12.4 (CVE-2023-5088)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94abe6e9f28fba6a655d6badb7497960d49ea962

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94abe6e9f28fba6a655d6badb7497960d49ea962
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250203/7d0debc6/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list