python3-aiohttp: patch CVE-2025-69230

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69230 Backport the patch referenced by the NVD advisory. The tests were only partially backported, as the original patch touched some tests that don't exist in this version. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-02-04 17:29:22 +0100
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-02-05 06:59:42 +0530
commit: 9bc066079faf9c4d96a1aa95ea7fcad18ca8d9fa (patch)
tree: 10d7e8df82cda7f1679fff9d006cdfd1259eb31f /meta-python/recipes-devtools/python
parent: 4814f0631c59a645e6d637e83fe52a9a498293fc (diff)
download: meta-openembedded-9bc066079faf9c4d96a1aa95ea7fcad18ca8d9fa.tar.gz
2 files changed, 86 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69230.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69230.patch
new file mode 100644
index 0000000000..46f91b70ab
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69230.patch
@@ -0,0 +1,85 @@
+From 811f8df8521b0850f5c79931e2e8c17113dda421 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sat, 3 Jan 2026 02:53:03 +0000
+Subject: [PATCH] Log once per cookie header (#11909)
+From: patchback[bot] <45432694+patchback[bot]@users.noreply.github.com>
+**This is a backport of PR #11890 as merged into master
+(384a173022c9d057110c1418c5c4ff83a321900f).**
+Co-authored-by: Sam Bull <git@sambull.org>
+CVE: CVE-2025-69230
+Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ aiohttp/_cookie_helpers.py   |  8 +++++++-
+ tests/test_cookie_helpers.py |  8 ++++++--
+ tests/test_web_request.py    | 17 +++++++++++++++++
+ 3 files changed, 30 insertions(+), 3 deletions(-)
+diff --git a/aiohttp/_cookie_helpers.py b/aiohttp/_cookie_helpers.py
+index 4e9fc96..4edaa31 100644
+--- a/aiohttp/_cookie_helpers.py
+++ b/aiohttp/_cookie_helpers.py
+@@ -181,6 +181,7 @@ def parse_cookie_header(header: str) -> List[Tuple[str, Morsel[str]]]:
+     i = 0
+     n = len(header)
+ 
+    invalid_names = []
+     while i < n:
+         # Use the same pattern as parse_set_cookie_headers to find cookies
+         match = _COOKIE_PATTERN.match(header, i)
+@@ -193,7 +194,7 @@ def parse_cookie_header(header: str) -> List[Tuple[str, Morsel[str]]]:
+ 
+         # Validate the name
+         if not key or not _COOKIE_NAME_RE.match(key):
+-            internal_logger.warning("Can not load cookie: Illegal cookie name %r", key)
+            invalid_names.append(key)
+             continue
+ 
+         # Create new morsel
+@@ -209,6 +210,11 @@ def parse_cookie_header(header: str) -> List[Tuple[str, Morsel[str]]]:
+ 
+         cookies.append((key, morsel))
+ 
+    if invalid_names:
+        internal_logger.debug(
+            "Cannot load cookie. Illegal cookie names: %r", invalid_names
+        )
+
+     return cookies
+ 
+ 
+diff --git a/tests/test_cookie_helpers.py b/tests/test_cookie_helpers.py
+index 6deef65..28addb2 100644
+--- a/tests/test_cookie_helpers.py
+++ b/tests/test_cookie_helpers.py
+@@ -1,5 +1,7 @@
+ """Tests for internal cookie helper functions."""
+ 
+import logging
+
+ from http.cookies import (
+     CookieError,
+     Morsel,
+@@ -1374,14 +1376,16 @@ def test_parse_cookie_header_illegal_names(caplog: pytest.LogCaptureFixture) ->
+     """Test parse_cookie_header warns about illegal cookie names."""
+     # Cookie name with comma (not allowed in _COOKIE_NAME_RE)
+     header = "good=value; invalid,cookie=bad; another=test"
+-    result = parse_cookie_header(header)
+    with caplog.at_level(logging.DEBUG):
+        result = parse_cookie_header(header)
+     # Should skip the invalid cookie but continue parsing
+     assert len(result) == 2
+     assert result[0][0] == "good"
+     assert result[0][1].value == "value"
+     assert result[1][0] == "another"
+     assert result[1][1].value == "test"
+-    assert "Can not load cookie: Illegal cookie name 'invalid,cookie'" in caplog.text
+    assert "Cannot load cookie. Illegal cookie name" in caplog.text
+    assert "'invalid,cookie'" in caplog.text
+ 
+ 
+ @pytest.mark.parametrize(
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
index 84dd369753..6dc7acfbd5 100644
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
@@ -11,6 +11,7 @@ SRC_URI += "file://CVE-2025-69224.patch \
            file://CVE-2025-69228.patch \
            file://CVE-2025-69229-1.patch \
            file://CVE-2025-69229-2.patch \
+            file://CVE-2025-69230.patch \
 "
 SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-02-04 17:29:22 +0100
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:42 +0530
commit	9bc066079faf9c4d96a1aa95ea7fcad18ca8d9fa (patch)
tree	10d7e8df82cda7f1679fff9d006cdfd1259eb31f /meta-python/recipes-devtools/python
parent	4814f0631c59a645e6d637e83fe52a9a498293fc (diff)
download	meta-openembedded-9bc066079faf9c4d96a1aa95ea7fcad18ca8d9fa.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69230.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69230.patch new file mode 100644 index 0000000000..46f91b70ab --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69230.patch
@@ -0,0 +1,85 @@
		1	From 811f8df8521b0850f5c79931e2e8c17113dda421 Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Sat, 3 Jan 2026 02:53:03 +0000
		4	Subject: [PATCH] Log once per cookie header (#11909)
		5
		6	From: patchback[bot] <45432694+patchback[bot]@users.noreply.github.com>
		7
		8	**This is a backport of PR #11890 as merged into master
		9	(384a173022c9d057110c1418c5c4ff83a321900f).**
		10
		11	Co-authored-by: Sam Bull <git@sambull.org>
		12
		13	CVE: CVE-2025-69230
		14	Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326]
		15	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		16	---
		17	aiohttp/_cookie_helpers.py \| 8 +++++++-
		18	tests/test_cookie_helpers.py \| 8 ++++++--
		19	tests/test_web_request.py \| 17 +++++++++++++++++
		20	3 files changed, 30 insertions(+), 3 deletions(-)
		21
		22	diff --git a/aiohttp/_cookie_helpers.py b/aiohttp/_cookie_helpers.py
		23	index 4e9fc96..4edaa31 100644
		24	--- a/aiohttp/_cookie_helpers.py
		25	+++ b/aiohttp/_cookie_helpers.py
		26	@@ -181,6 +181,7 @@ def parse_cookie_header(header: str) -> List[Tuple[str, Morsel[str]]]:
		27	i = 0
		28	n = len(header)
		29
		30	+ invalid_names = []
		31	while i < n:
		32	# Use the same pattern as parse_set_cookie_headers to find cookies
		33	match = _COOKIE_PATTERN.match(header, i)
		34	@@ -193,7 +194,7 @@ def parse_cookie_header(header: str) -> List[Tuple[str, Morsel[str]]]:
		35
		36	# Validate the name
		37	if not key or not _COOKIE_NAME_RE.match(key):
		38	- internal_logger.warning("Can not load cookie: Illegal cookie name %r", key)
		39	+ invalid_names.append(key)
		40	continue
		41
		42	# Create new morsel
		43	@@ -209,6 +210,11 @@ def parse_cookie_header(header: str) -> List[Tuple[str, Morsel[str]]]:
		44
		45	cookies.append((key, morsel))
		46
		47	+ if invalid_names:
		48	+ internal_logger.debug(
		49	+ "Cannot load cookie. Illegal cookie names: %r", invalid_names
		50	+ )
		51	+
		52	return cookies
		53
		54
		55	diff --git a/tests/test_cookie_helpers.py b/tests/test_cookie_helpers.py
		56	index 6deef65..28addb2 100644
		57	--- a/tests/test_cookie_helpers.py
		58	+++ b/tests/test_cookie_helpers.py
		59	@@ -1,5 +1,7 @@
		60	"""Tests for internal cookie helper functions."""
		61
		62	+import logging
		63	+
		64	from http.cookies import (
		65	CookieError,
		66	Morsel,
		67	@@ -1374,14 +1376,16 @@ def test_parse_cookie_header_illegal_names(caplog: pytest.LogCaptureFixture) ->
		68	"""Test parse_cookie_header warns about illegal cookie names."""
		69	# Cookie name with comma (not allowed in _COOKIE_NAME_RE)
		70	header = "good=value; invalid,cookie=bad; another=test"
		71	- result = parse_cookie_header(header)
		72	+ with caplog.at_level(logging.DEBUG):
		73	+ result = parse_cookie_header(header)
		74	# Should skip the invalid cookie but continue parsing
		75	assert len(result) == 2
		76	assert result[0][0] == "good"
		77	assert result[0][1].value == "value"
		78	assert result[1][0] == "another"
		79	assert result[1][1].value == "test"
		80	- assert "Can not load cookie: Illegal cookie name 'invalid,cookie'" in caplog.text
		81	+ assert "Cannot load cookie. Illegal cookie name" in caplog.text
		82	+ assert "'invalid,cookie'" in caplog.text
		83
		84
		85	@pytest.mark.parametrize(


diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb index 84dd369753..6dc7acfbd5 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
@@ -11,6 +11,7 @@ SRC_URI += "file://CVE-2025-69224.patch \
11	file://CVE-2025-69228.patch \	11	file://CVE-2025-69228.patch \
12	file://CVE-2025-69229-1.patch \	12	file://CVE-2025-69229-1.patch \
13	file://CVE-2025-69229-2.patch \	13	file://CVE-2025-69229-2.patch \
		14	file://CVE-2025-69230.patch \
14	"	15	"
15	SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"	16	SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"
16		17