Your message dated Sun, 16 Jun 2024 12:05:22 +0000
with message-id <[email protected]>
and subject line Bug#1062709: fixed in python-aiohttp 3.9.5-1
has caused the Debian Bug report #1062709,
regarding python-aiohttp: CVE-2024-23334
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1062709: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062709
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-aiohttp
Version: 3.9.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-aiohttp.
CVE-2024-23334[0]:
| aiohttp is an asynchronous HTTP client/server framework for asyncio
| and Python. When using aiohttp as a web server and configuring
| static routes, it is necessary to specify the root path for static
| files. Additionally, the option 'follow_symlinks' can be used to
| determine whether to follow symbolic links outside the static root
| directory. When 'follow_symlinks' is set to True, there is no
| validation to check if reading a file is within the root directory.
| This can lead to directory traversal vulnerabilities, resulting in
| unauthorized access to arbitrary files on the system, even when
| symlinks are not present. Disabling follow_symlinks and using a
| reverse proxy are encouraged mitigations. Version 3.9.2 fixes this
| issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-23334
https://www.cve.org/CVERecord?id=CVE-2024-23334
[1] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
[2] https://github.com/aio-libs/aiohttp/commit/9118a5831e8a65b8c839eb7e4ac983e040ff41df
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
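The advisory quoted above describes a missing containment check: with follow_symlinks=True the path a request maps to is never verified to lie under the static root, so plain ".." traversal escapes even when no symlink exists. The following is an added illustration, not aiohttp's code and not the fix shipped in 3.9.2: a minimal resolver with the check present, plus a check_containment=False switch that reproduces the omission for comparison. The function names, the StaticForbidden exception and the temporary directory layout are all constructed for this example; the url_path is assumed to be already percent-decoded.

```python
"""Illustrative static-file path resolution (example code, not aiohttp's).

Shows the containment check that the advisory says was absent when
follow_symlinks=True, and how a lexical check (collapsing "..") differs
from a check on the symlink-resolved path.
"""
import os
import tempfile
from pathlib import Path


class StaticForbidden(Exception):
    """Raised when a request would map to a file outside the static root."""


def _inside(path: Path, root: Path) -> bool:
    """True if `path` is `root` or lies beneath it (both already absolute)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_static(root: Path, url_path: str, *, follow_symlinks: bool,
                   check_containment: bool = True) -> Path:
    """Map a (percent-decoded) URL path to a filesystem path under `root`.

    check_containment=False reproduces the omission described in the
    advisory (no check that the mapped path stays inside root); it exists
    only so the demo can contrast the two behaviours.
    """
    root = root.resolve()
    rel = Path(*[seg for seg in url_path.split("/") if seg])  # drop empty segments
    candidate = root.joinpath(rel)
    if follow_symlinks:
        # Lexical normalisation collapses ".." without consulting the
        # filesystem; this blocks traversal even when no symlink is present.
        lexical = Path(os.path.normpath(candidate))
        if check_containment and not _inside(lexical, root):
            raise StaticForbidden(url_path)
        # Symlinks placed under root by the operator may point elsewhere;
        # that is what the option opts into, and why disabling it is advised.
        return lexical.resolve()
    # follow_symlinks=False: the real, symlink-resolved path must stay in root.
    real = candidate.resolve()
    if not _inside(real, root):
        raise StaticForbidden(url_path)
    return real


def demo() -> dict:
    """Exercise the resolver against a constructed directory layout."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        (root / "index.html").write_text("hello")
        outside = base / "outside.txt"          # sibling of root, must not be served
        outside.write_text("not served")
        results = {}
        results["inside_ok"] = (
            resolve_static(root, "/index.html", follow_symlinks=True).name == "index.html")
        # Traversal with no symlink involved: without the check it escapes root.
        unchecked = resolve_static(root, "/../outside.txt", follow_symlinks=True,
                                   check_containment=False)
        results["unchecked_escapes"] = unchecked == outside.resolve()
        try:
            resolve_static(root, "/../outside.txt", follow_symlinks=True)
            results["checked_blocks_traversal"] = False
        except StaticForbidden:
            results["checked_blocks_traversal"] = True
        # A symlink inside root pointing outside it.
        try:
            os.symlink(outside, root / "link.txt")
        except (OSError, NotImplementedError):
            results["no_follow_blocks_symlink"] = None   # symlinks unsupported here
            results["follow_allows_symlink"] = None
            return results
        try:
            resolve_static(root, "/link.txt", follow_symlinks=False)
            results["no_follow_blocks_symlink"] = False
        except StaticForbidden:
            results["no_follow_blocks_symlink"] = True
        results["follow_allows_symlink"] = (
            resolve_static(root, "/link.txt", follow_symlinks=True) == outside.resolve())
        return results


if __name__ == "__main__":
    print(demo())
```

The two modes differ only in which path is checked: the lexically normalised one when symlinks are meant to be followed, the fully resolved one otherwise. Either way the check happens before any file is opened, which is the point the advisory makes.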
--- Begin Message ---
Source: python-aiohttp
Source-Version: 3.9.5-1
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-aiohttp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated python-aiohttp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 16 Jun 2024 12:39:52 +0100
Source: python-aiohttp
Architecture: source
Version: 3.9.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 1062708 1062709 1070364 1070665
Changes:
python-aiohttp (3.9.5-1) unstable; urgency=medium
.
* Team upload.
* Use pybuild-plugin-pyproject.
* New upstream release:
- CVE-2024-23829: Python HTTP parser still overly lenient about
separators (closes: #1062708).
- CVE-2024-23334: aiohttp.web.static(follow_symlinks=True) is vulnerable
to directory traversal (closes: #1062709).
- CVE-2024-30251: DoS when trying to parse malformed POST requests
(closes: #1070364).
- CVE-2024-27306: XSS on index pages for static file handling (closes:
#1070665).
* Standards-Version: 3.7.0 (no changes required).
Checksums-Sha1:
d288a65fa8f8065ecebbc31c9ce616223f97e11e 2559 python-aiohttp_3.9.5-1.dsc
ea93f981c278c7a46157a4aab6088a3d933ce0c8 7504841 python-aiohttp_3.9.5.orig.tar.gz
821c85b6c30ceeca490767c7f7ec2fbd5e755b9c 7740 python-aiohttp_3.9.5-1.debian.tar.xz
07ad80d5996b6a65fda2f8de5a42b304abd8e200 7728 python-aiohttp_3.9.5-1_source.buildinfo
Checksums-Sha256:
764d5b9fb904114fb507e1e31c809c8bb80847ea498ed12873c8e6bde242e79b 2559 python-aiohttp_3.9.5-1.dsc
edea7d15772ceeb29db4aff55e482d4bcfb6ae160ce144f2682de02f6d693551 7504841 python-aiohttp_3.9.5.orig.tar.gz
6e97d2538d6b30e61f823466f89f3923cbd66c6d11c3c00ff838b0e18bd7302f 7740 python-aiohttp_3.9.5-1.debian.tar.xz
f61c6dc5e539511a8ffacf8bf00b40e9eb8384576864ab263708540b7a1222d2 7728 python-aiohttp_3.9.5-1_source.buildinfo
Files:
6727b35aa3877d0ae80e198bd38d8d5a 2559 python optional python-aiohttp_3.9.5-1.dsc
14829a5ea507c8219e3f679fceeb5585 7504841 python optional python-aiohttp_3.9.5.orig.tar.gz
b96f47c3d6cc156ded1b9b1827b511dd 7740 python optional python-aiohttp_3.9.5-1.debian.tar.xz
b103e3474df223de8bf18b866646173f 7728 python optional python-aiohttp_3.9.5-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgpstDErR5poa.pgp
Description: PGP signature
--- End Message ---