python3-aiohttp: fix CVE-2025-53643

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-53643 Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Jiaying Song <jiaying.song.cn@windriver.com> 2025-07-16 17:22:22 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-07-27 14:35:10 -0400
commit: 59d381adcaf70ccae5e78a8a21e2afbc59a52165 (patch)
tree: 0aae5dd5ebf1f7d313738095fd86c38a4d720d52 /meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb
parent: 0883565b5dc963318111b04fd0c5dbf1d1b5fa2d (diff)
download: meta-openembedded-59d381adcaf70ccae5e78a8a21e2afbc59a52165.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb
index 960272e9a3..5267ad800b 100644
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb
@@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
 SRC_URI[sha256sum] = "16f8a2c9538c14a557b4d309ed4d0a7c60f0253e8ed7b6c9a2859a7582f8b1b8"
+SRC_URI += "file://CVE-2025-53643.patch"
 inherit python_setuptools_build_meta pypi
 RDEPENDS:${PN} = "\
author	Jiaying Song <jiaying.song.cn@windriver.com>	2025-07-16 17:22:22 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-07-27 14:35:10 -0400
commit	59d381adcaf70ccae5e78a8a21e2afbc59a52165 (patch)
tree	0aae5dd5ebf1f7d313738095fd86c38a4d720d52 /meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb
parent	0883565b5dc963318111b04fd0c5dbf1d1b5fa2d (diff)
download	meta-openembedded-59d381adcaf70ccae5e78a8a21e2afbc59a52165.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb index 960272e9a3..5267ad800b 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.11.16.bb
@@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
6		6
7	SRC_URI[sha256sum] = "16f8a2c9538c14a557b4d309ed4d0a7c60f0253e8ed7b6c9a2859a7582f8b1b8"	7	SRC_URI[sha256sum] = "16f8a2c9538c14a557b4d309ed4d0a7c60f0253e8ed7b6c9a2859a7582f8b1b8"
8		8
		9	SRC_URI += "file://CVE-2025-53643.patch"
		10
9	inherit python_setuptools_build_meta pypi	11	inherit python_setuptools_build_meta pypi
10		12
11	RDEPENDS:${PN} = "\	13	RDEPENDS:${PN} = "\