UbuntuUpdates.org

Package "python-aiohttp"

Name: python-aiohttp

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • documentation of python3-aiohttp
  • http client/server for asyncio

Latest version: 3.11.16-1ubuntu0.1
Release: questing (25.10)
Level: security
Repository: universe


Other versions of "python-aiohttp" in Questing

Repository Area Version
base universe 3.11.16-1
updates universe 3.11.16-1ubuntu0.1


Changelog

Version: 3.11.16-1ubuntu0.1 2026-02-16 04:08:34 UTC

  python-aiohttp (3.11.16-1ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Request smuggling attack with non-ASCII character
    - debian/patches/CVE-2025-69224.patch: Reject non-ascii characters
      in some headers
    - debian/patches/CVE-2025-69225.patch: Reject non-ascii digits in Range
      header
    - CVE-2025-69224
    - CVE-2025-69225
  * SECURITY UPDATE: Path traversal vulnerability
    - debian/patches/CVE-2025-69226.patch: Reject static URLs that traverse
      outside static root
    - CVE-2025-69226
  * SECURITY UPDATE: Infinite loop causing denial of service
    - debian/patches/CVE-2025-69228.patch: Enforce client_max_size over
      entire multipart form
    - CVE-2025-69228
  * SECURITY UPDATE: Limited denial of service
    - debian/patches/CVE-2025-69229-1.patch: Use collections.deque for
      chunk splits
    - debian/patches/CVE-2025-69229-2.patch: Limit number of chunks before
      pausing reading
    - CVE-2025-69229
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2025-69227.patch: Replace asserts with
      exceptions
    - debian/patches/CVE-2025-69223.patch: Use decompressor max_length
      parameter
    - CVE-2025-69227
    - CVE-2025-69223

 -- Shishir Subedi <email address hidden> Thu, 12 Feb 2026 09:17:02 +0545

CVE-2025-69224 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a reque
CVE-2025-69225 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII
CVE-2025-69226 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existen
CVE-2025-69228 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way
CVE-2025-69229 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result
CVE-2025-69227 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when as
CVE-2025-69223 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a Do


