Source: python-aiohttp Version: 3.8.6-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for python-aiohttp. CVE-2023-49082[0]: | aiohttp is an asynchronous HTTP client/server framework for asyncio | and Python. Improper validation makes it possible for an attacker to | modify the HTTP request (e.g. insert a new header) or even create a | new HTTP request if the attacker controls the HTTP method. The | vulnerability occurs only if the attacker can control the HTTP | method (GET, POST etc.) of the request. If the attacker can control | the HTTP version of the request it will be able to modify the | request (request smuggling). This issue has been patched in version | 3.9.0. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-49082 https://www.cve.org/CVERecord?id=CVE-2023-49082 [1] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx [2] https://github.com/aio-libs/aiohttp/commit/4075c653fb67a29740bf9ac050bb02d10a57343a Please adjust the affected versions in the BTS as needed. Regards, Salvatore
