python3-aiohttp: fix CVE-2025-53643 and drop CVE-2024-42367 patch

- Fix CVE-2025-53643:
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and
Python. Prior to version 3.12.14, the Python parser is vulnerable to a
request smuggling vulnerability due to not parsing trailer sections of
an HTTP request. If a pure Python version of aiohttp is installed (i.e.
without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled,
then an attacker may be able to execute a request smuggling attack to
bypass certain firewalls or proxy protections. Version 3.12.14 contains
a patch for this issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-53643

- Drop CVE-2024-42367.patch:
According to upstream discussion and advisory [1][2], aiohttp 3.8.6 is
not affected by CVE-2024-42367, and the patch is therefore no longer
needed.

[1] https://github.com/advisories/GHSA-jwhx-xcg6-8xhj
[2] https://github.com/aio-libs/aiohttp/issues/11149

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

1 files changed, 0 insertions, 65 deletions

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
deleted file mode 100644
index dadec31f3a..0000000000
--- a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From e19cb50fb529bbe75cc4f1b68eeb0a3f631ad0d0 Mon Sep 17 00:00:00 2001
-From: "J. Nick Koston" <nick@koston.org>
-Date: Thu, 8 Aug 2024 11:19:28 -0500
-Subject: [PATCH] Do not follow symlinks for compressed file variants (#8652)
-
-CVE: CVE-2024-42367
-
-Upstream-Status: Backport
-[https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f]
-
-Co-authored-by: Steve Repsher <steverep@users.noreply.github.com>
-Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
----
- CHANGES/8652.bugfix.rst     |  1 +
- aiohttp/web_fileresponse.py | 26 ++++++++++++++++++++++++++
- 2 files changed, 27 insertions(+)
- create mode 100644 CHANGES/8652.bugfix.rst
-
-diff --git a/CHANGES/8652.bugfix.rst b/CHANGES/8652.bugfix.rst
-new file mode 100644
-index 000000000..3a1003e50
---- /dev/null
-+++ b/CHANGES/8652.bugfix.rst
-@@ -0,0 +1 @@
-+Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`.
-diff --git a/aiohttp/web_fileresponse.py b/aiohttp/web_fileresponse.py
-index f41ed3fd0..35dbd41e1 100644
---- a/aiohttp/web_fileresponse.py
-+++ b/aiohttp/web_fileresponse.py
-@@ -127,6 +127,32 @@ class FileResponse(StreamResponse):
-         self.content_length = 0
-         return await super().prepare(request)
- 
-+    def _get_file_path_stat_encoding(
-+        self, accept_encoding: str
-+    ) -> Tuple[pathlib.Path, os.stat_result, Optional[str]]:
-+        """Return the file path, stat result, and encoding.
-+
-+        If an uncompressed file is returned, the encoding is set to
-+        :py:data:`None`.
-+
-+        This method should be called from a thread executor
-+        since it calls os.stat which may block.
-+        """
-+        file_path = self._path
-+        for file_extension, file_encoding in ENCODING_EXTENSIONS.items():
-+            if file_encoding not in accept_encoding:
-+                continue
-+
-+            compressed_path = file_path.with_suffix(file_path.suffix + file_extension)
-+            with suppress(OSError):
-+                # Do not follow symlinks and ignore any non-regular files.
-+                st = compressed_path.lstat()
-+                if S_ISREG(st.st_mode):
-+                    return compressed_path, st, file_encoding
-+
-+        # Fallback to the uncompressed file
-+        return file_path, file_path.stat(), None
-+
-     async def prepare(self, request: "BaseRequest") -> Optional[AbstractStreamWriter]:
-         filepath = self._path
- 
--- 
-2.34.1
-