-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 01 Jun 2026 03:04:17 +0200
Source: python-aiohttp
Architecture: source
Version: 3.7.4-1+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Changes:
 python-aiohttp (3.7.4-1+deb11u2) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * d/patches/CVE-2025-53643.patch: Add patch to fix CVE-2025-53643.
     - Fix a request smuggling vulnerability due to not parsing trailer
       sections of an HTTP request.
   * d/patches/CVE-2025-69224.patch: Add patch to fix CVE-2025-69224.
     - Fix a possible request smuggling attack in the HTTP parser with the
       presence of non-ASCII characters.
   * d/patches/CVE-2025-69225.patch: Add patch to fix CVE-2025-69225.
     - Fix a parser logic which allows non-ASCII decimals to be present in
       the Range header.
   * d/patches/CVE-2025-69226.patch: Add patch to fix CVE-2025-69226.
     - Fix a path traversal vulnerability that allows an attacker to
       ascertain the existence of path components.
   * 0020-Handle-403-and-404-issues-in-FileResponse-class.patch: Add patch
     necessary after applying CVE-2025-69226 to fix handling of 403 and 404
     errors in FileResponse class.
     - d/patches/CVE-2025-69226.patch is built on top of this patch. Without
       it, the behavior changes.
   * d/patches/CVE-2025-69227.patch: Add patch to fix CVE-2025-69227.
     - Fix a possible DoS attack. When processing a POST body, an infinite
       loop can occur when assert statements are bypassed.
   * d/patches/CVE-2025-69228.patch: Add patch to fix CVE-2025-69228.
     - Fix a possible DoS attack that can freeze the server by exhausting
       the memory using Request.post().
   * d/patches/CVE-2025-69229-1.patch, d/patches/CVE-2025-69229-2.patch:
     Add patches to fix CVE-2025-69229.
     - Fix the handling of chunked messages that can result in an excessive
       blocking of CPU usage when receiving a large number of chunks.
   * d/patches/CVE-2026-22815.patch: Add patch to fix CVE-2026-22815.
     - Fix an uncapped memory usage due to insufficient restrictions in
       header and trailer handling.
   * d/patches/CVE-2026-34513.patch: Add patch to fix CVE-2026-34513.
     - Fix an excessive memory usage possibly resulting in a DoS due to an
       unbounded DNS cache.
   * d/patches/CVE-2026-34514.patch: Add patch to fix CVE-2026-34514.
     - Fix a header injection.
   * d/patches/CVE-2026-34516.patch: Add patch to fix CVE-2026-34516.
     - Fix a potential DoS vulnerability caused by a response with an
       excessive number of multipart headers.
   * d/patches/CVE-2026-34517.patch: Add patch to fix CVE-2026-34517.
     - Fix a possible excessive memory usage caused by some multipart form
       fields due to reading the entire field into memory before checking
       client_max_size.
   * d/patches/CVE-2026-34518.patch: Add patch to fix CVE-2026-34518.
     - Fix leaking sensitive information by dropping the Cookie and the
       Proxy-Authorization headers when following redirects to a different
       origin.
   * d/patches/CVE-2026-34519.patch: Add patch to fix CVE-2026-34519.
     - Fix a header injection via the reason parameter.
   * d/patches/CVE-2026-34520.patch: Add patch to fix CVE-2026-34520.
     - Fix a possible security bypass by checking header values for control
       characters according to RFC 9110.
   * d/patches/CVE-2026-34525-1.patch, d/patches/CVE-2026-34525-2.patch:
     Add patches to fix CVE-2026-34525.
     - Disallow duplicate headers, like host headers, except for in lax mode.
Checksums-Sha1:
 25d6665a3bfe8addb7d37127eb7a1a7ae3090984 2735 python-aiohttp_3.7.4-1+deb11u2.dsc
 06852c931a948aec395b76f9b1ebb0147aa79e89 1114533 python-aiohttp_3.7.4.orig.tar.gz
 b3a296dcb62f67d006f5deee7b52aabb33d3b011 48312 python-aiohttp_3.7.4-1+deb11u2.debian.tar.xz
 c19cfbb7c9ae1b3ca81c4c6a807a7a5a3849f696 10331 python-aiohttp_3.7.4-1+deb11u2_amd64.buildinfo
Checksums-Sha256:
 4b8cf2164f5172aabd5ce7a5f86fcdd35d72cdb66292a9182caee850c9f196a4 2735 python-aiohttp_3.7.4-1+deb11u2.dsc
 5d84ecc73141d0a0d61ece0742bb7ff5751b0657dab8405f899d3ceb104cc7de 1114533 python-aiohttp_3.7.4.orig.tar.gz
 7a4ef1e9d65955408a3dd3ecb5ba31c962bb6c377eb609f305b059e0bffed3bc 48312 python-aiohttp_3.7.4-1+deb11u2.debian.tar.xz
 4fab18dcc469331cd35fcbcaf69febeeb9a2e1fa0eb3dd1247e34d90eb4659d6 10331 python-aiohttp_3.7.4-1+deb11u2_amd64.buildinfo
Files:
 f61a23b7dbb3b2e02f3d9d7e8b13d0ce 2735 python optional python-aiohttp_3.7.4-1+deb11u2.dsc
 586eb4e4dcb1e41242ede0c5bcfd4014 1114533 python optional python-aiohttp_3.7.4.orig.tar.gz
 581125dbd1e8e5bb8ae6412fc65fdbdf 48312 python optional python-aiohttp_3.7.4-1+deb11u2.debian.tar.xz
 624a4e19bbd9034ac1fc214aaf5ca80c 10331 python optional python-aiohttp_3.7.4-1+deb11u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----