Jochen Sprickerhof pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
94abe6e9 by Jochen Sprickerhof at 2025-02-03T14:39:28+01:00
Reserve DLA-4041-1 for python-aiohttp
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -81981,7 +81981,6 @@ CVE-2024-28076 (The SolarWinds Platform was susceptible
to a Arbitrary Open Redi
CVE-2024-27306 (aiohttp is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.9.5-1 (bug #1070665)
[bookworm] - python-aiohttp <ignored> (Minor issue)
- [bullseye] - python-aiohttp <no-dsa> (Minor issue)
[buster] - python-aiohttp <postponed> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-7gpw-8wmc-pm8g
NOTE: https://github.com/aio-libs/aiohttp/pull/8319
@@ -104737,7 +104736,6 @@ CVE-2023-6780 (An integer overflow was found in the
__vsyslog_internal function
CVE-2024-23829 (aiohttp is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.9.5-1 (bug #1062708)
[bookworm] - python-aiohttp <ignored> (Minor issue)
- [bullseye] - python-aiohttp <no-dsa> (Minor issue)
[buster] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
NOTE: https://github.com/aio-libs/aiohttp/pull/8074
@@ -104746,7 +104744,6 @@ CVE-2024-23829 (aiohttp is an asynchronous HTTP
client/server framework for asyn
CVE-2024-23334 (aiohttp is an asynchronous HTTP client/server framework for
asyncio an ...)
{DSA-5828-1}
- python-aiohttp 3.9.5-1 (bug #1062709)
- [bullseye] - python-aiohttp <no-dsa> (Minor issue)
[buster] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
NOTE: https://github.com/aio-libs/aiohttp/pull/8079
@@ -116777,7 +116774,6 @@ CVE-2023-49087 (xml-security is a library that
implements XML signatures and enc
CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for
asyncio an ...)
{DSA-5828-1}
- python-aiohttp 3.9.1-1 (bug #1057164)
- [bullseye] - python-aiohttp <no-dsa> (Minor issue)
[buster] - python-aiohttp <postponed> (Minor issue, limited request
smuggling)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx
NOTE:
https://github.com/aio-libs/aiohttp/commit/493f06797654c383242f0e8007f6e06b818a1fbc
(master)
@@ -116785,7 +116781,6 @@ CVE-2023-49082 (aiohttp is an asynchronous HTTP
client/server framework for asyn
CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for
asyncio an ...)
{DSA-5828-1}
- python-aiohttp 3.9.1-1 (bug #1057163)
- [bullseye] - python-aiohttp <no-dsa> (Minor issue)
[buster] - python-aiohttp <postponed> (Minor issue, limited request
smuggling)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2
NOTE: https://github.com/aio-libs/aiohttp/pull/7835
@@ -118803,7 +118798,6 @@ CVE-2023-47678 (An improper access control
vulnerability exists in RT-AC87U all
NOT-FOR-US: ASUSTeK
CVE-2023-47641 (aiohttp is an asynchronous HTTP client/server framework for
asyncio an ...)
- python-aiohttp 3.8.1-1
- [bullseye] - python-aiohttp <no-dsa> (Minor issue)
[buster] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j
NOTE:
https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371
(v3.8.0b0)
@@ -118816,7 +118810,6 @@ CVE-2023-47630 (Kyverno is a policy engine designed
for Kubernetes. An issue was
CVE-2023-47627 (aiohttp is an asynchronous HTTP client/server framework for
asyncio an ...)
{DSA-5828-1}
- python-aiohttp 3.8.6-1
- [bullseye] - python-aiohttp <no-dsa> (Minor issue)
[buster] - python-aiohttp <no-dsa> (Minor issue)
NOTE:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
NOTE:
https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d
(v3.8.6)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[03 Feb 2025] DLA-4041-1 python-aiohttp - security update
+ {CVE-2023-47627 CVE-2023-47641 CVE-2023-49081 CVE-2023-49082
CVE-2024-23334 CVE-2024-23829 CVE-2024-27306 CVE-2024-30251 CVE-2024-52304}
+ [bullseye] - python-aiohttp 3.7.4-1+deb11u1
[03 Feb 2025] DLA-4040-1 pam-u2f - security update
{CVE-2025-23013}
[bullseye] - pam-u2f 1.1.0-1.1+deb11u1
=====================================
data/dla-needed.txt
=====================================
@@ -191,14 +191,6 @@ pgagent
php-nesbot-carbon
NOTE: 20250119: Added by Front-Desk (rouca)
--
-python-aiohttp (jspricke)
- NOTE: 20240523: Added by oldstable Security Team (jmm)
- NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
- NOTE: 20241030: Started preparing patches for Bullseye. In version 3.8.0,
http-parser was replaced by llhttp. Thus Bookworm is different from Bullseye.
(dleidert)
- NOTE: 20241030:
<https://github.com/aio-libs/aiohttp/commit/485a5fc49050f8f8bf0d7eec8a85b4d9b450386c>
(dleidert)
- NOTE: 20241030: Maybe it makes sense to upload the Bookworm version to
Bullseye to reduce maintenance and patch both at the same time. (dleidert)
- NOTE: 20241030: Also added autopkgtest test scripts to run test suite.
(dleidert)
---
qemu (santiago)
NOTE: 20240815: Added by Front-Desk (Beuc)
NOTE: 20240815: Follow fixes from bookworm 12.4 (CVE-2023-5088)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94abe6e9f28fba6a655d6badb7497960d49ea962
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94abe6e9f28fba6a655d6badb7497960d49ea962
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
