Описание
Security update for python-aiohttp
This update for python-aiohttp fixes the following issues:
- CVE-2025-53643: Fixed request smuggling due to incorrect parsing of chunked trailer section (bsc#1246517)
Список пакетов
SUSE Linux Enterprise Module for Public Cloud 15 SP4
python311-aiohttp-3.9.3-150400.10.33.1
SUSE Linux Enterprise Module for Python 3 15 SP6
python311-aiohttp-3.9.3-150400.10.33.1
SUSE Linux Enterprise Module for Python 3 15 SP7
python311-aiohttp-3.9.3-150400.10.33.1
openSUSE Leap 15.6
python311-aiohttp-3.9.3-150400.10.33.1
Ссылки
- Link for SUSE-SU-2025:03057-1
- E-Mail link for SUSE-SU-2025:03057-1
- SUSE Security Ratings
- SUSE Bug 1246517
- SUSE CVE CVE-2025-53643 page
Описание
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Затронутые продукты
SUSE Linux Enterprise Module for Public Cloud 15 SP4:python311-aiohttp-3.9.3-150400.10.33.1
SUSE Linux Enterprise Module for Python 3 15 SP6:python311-aiohttp-3.9.3-150400.10.33.1
SUSE Linux Enterprise Module for Python 3 15 SP7:python311-aiohttp-3.9.3-150400.10.33.1
openSUSE Leap 15.6:python311-aiohttp-3.9.3-150400.10.33.1
Ссылки
- CVE-2025-53643
- SUSE Bug 1246517