[ubuntu/questing-security] python-aiohttp 3.11.16-1ubuntu0.1 (Accepted)
Shishir Subedi
shishirsub10 at gmail.com
Mon Feb 16 02:47:42 UTC 2026
python-aiohttp (3.11.16-1ubuntu0.1) questing-security; urgency=medium

  * SECURITY UPDATE: Request smuggling attack with non-ASCII character
    - debian/patches/CVE-2025-69224.patch: Reject non-ascii characters
      in some headers
    - debian/patches/CVE-2025-69225.patch: Reject non-ascii digits in Range
      header
    - CVE-2025-69224
    - CVE-2025-69225
  * SECURITY UPDATE: Path traversal vulnerability
    - debian/patches/CVE-2025-69226.patch: Reject static URLs that traverse
      outside static root
    - CVE-2025-69226
  * SECURITY UPDATE: Infinite loop causing denial of service
    - debian/patches/CVE-2025-69228.patch: Enforce client_max_size over
      entire multipart form
    - CVE-2025-69228
  * SECURITY UPDATE: Limited denial of service
    - debian/patches/CVE-2025-69229-1.patch: Use collections.deque for
      chunk splits
    - debian/patches/CVE-2025-69229-2.patch: Limit number of chunks before
      pausing reading
    - CVE-2025-69229
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2025-69227.patch: Replace asserts with
      exceptions
    - debian/patches/CVE-2025-69223.patch: Use decompressor max_length
      parameter
    - CVE-2025-69227
    - CVE-2025-69223

Date: 2026-02-12 04:36:11.412565+00:00
Changed-By: Shishir Subedi <shishirsub10 at gmail.com>
https://launchpad.net/ubuntu/+source/python-aiohttp/3.11.16-1ubuntu0.1