[Git][security-tracker-team/security-tracker][master] Weaken assessment for CVE-2026-54278
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Jun 30 21:39:38 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
52e1df11 by Salvatore Bonaccorso at 2026-06-30T22:38:00+02:00
Weaken assessment for CVE-2026-54278
There was a major refactoring but it is not excluded that the zip bomb
edge case is not present before. Err on the safe side and waken the
claim, but ignore the issue for trixie as backporting the major
refactoring would be too intrusive.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -6512,12 +6512,12 @@ CVE-2026-54279 (AIOHTTP is an asynchronous HTTP client/server framework for asyn
NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/a329a7aacad5284f087af36103aff778746da0f2 (v3.14.1)
CVE-2026-54278 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
- python-aiohttp 3.14.1-1
- [trixie] - python-aiohttp <not-affected> (Vulnerable code not present)
+ [trixie] - python-aiohttp <ignored> (Intrusive to backport)
[bookworm] - python-aiohttp <not-affected> (Vulnerable code not present)
[bullseye] - python-aiohttp <not-affected> (Vulnerable code not present)
NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g3cq-j2xw-wf74
NOTE: Fixed by: https://github.com/aio-libs/aiohttp/commit/4f7480e474cccc6a8cc2c92ad3f17a31dedf8232 (v3.14.1)
- NOTE: Introduced by: https://github.com/aio-libs/aiohttp/commit/b502ae655c8788b469dcc832923a85d661719699 (v3.14.0)
+ NOTE: Major rewrite in: https://github.com/aio-libs/aiohttp/commit/b502ae655c8788b469dcc832923a85d661719699 (v3.14.0)
CVE-2026-54277 (AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...)
- python-aiohttp 3.14.1-1
NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hw-fmq6-xxg2
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52e1df11b5287e35ad35b88c44131cd3dbb05cbe
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52e1df11b5287e35ad35b88c44131cd3dbb05cbe
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260630/0b0e528c/attachment.htm>
More information about the debian-security-tracker-commits
mailing list