Описание
Security update for python-aiohttp
This update for python-aiohttp fixes the following issues:
- CVE-2025-53643: request smuggling vulnerability due to incorrect parsing trailer sections of an HTTP request (bsc#1246517).
Список пакетов
SUSE Linux Enterprise Module for Public Cloud 15 SP3
python3-aiohttp-3.6.0-150100.3.27.1
SUSE Linux Enterprise Module for Public Cloud 15 SP4
python3-aiohttp-3.6.0-150100.3.27.1
SUSE Linux Enterprise Module for Public Cloud 15 SP5
python3-aiohttp-3.6.0-150100.3.27.1
SUSE Linux Enterprise Module for Public Cloud 15 SP6
python3-aiohttp-3.6.0-150100.3.27.1
SUSE Linux Enterprise Module for Public Cloud 15 SP7
python3-aiohttp-3.6.0-150100.3.27.1
Ссылки
- Link for SUSE-SU-2025:03201-1
- E-Mail link for SUSE-SU-2025:03201-1
- SUSE Security Ratings
- SUSE Bug 1246517
- SUSE CVE CVE-2025-53643 page
Описание
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Затронутые продукты
SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.27.1
SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.27.1
SUSE Linux Enterprise Module for Public Cloud 15 SP5:python3-aiohttp-3.6.0-150100.3.27.1
SUSE Linux Enterprise Module for Public Cloud 15 SP6:python3-aiohttp-3.6.0-150100.3.27.1
Ссылки
- CVE-2025-53643
- SUSE Bug 1246517