summaryrefslogtreecommitdiffstats
path: root/meta-python/recipes-devtools/python
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2026-02-07 11:33:52 +0100
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-02-12 13:38:12 +0530
commitba968dda37d8cb1d60771fddeb0fcfb0a3a8dfb4 (patch)
tree799703f32371c609dfa40147fa4f28480994a951 /meta-python/recipes-devtools/python
parentcd71a1e57c96bcfaaba7ed00f9fbd7be83cf09e8 (diff)
downloadmeta-openembedded-ba968dda37d8cb1d60771fddeb0fcfb0a3a8dfb4.tar.gz
python3-aiohttp: patch CVE-2025-69228
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69228 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-python/recipes-devtools/python')
-rw-r--r--meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch48
-rw-r--r--meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb1
2 files changed, 49 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
new file mode 100644
index 0000000000..9a473b1328
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69228.patch
@@ -0,0 +1,48 @@
1From dd79eafcc7ad5429bb769de5fd5c0178e6064be7 Mon Sep 17 00:00:00 2001
2From: Gyorgy Sarvari <skandigraun@gmail.com>
3Date: Sat, 3 Jan 2026 02:48:45 +0000
4Subject: [PATCH] Enforce client_max_size over entire multipart form (#11889)
5 (#11908)
6
7From: Sam Bull <git@sambull.org>
8
9(cherry picked from commit ed90718fab5d34c127a283e10385f19440df7dd0)
10
11CVE: CVE-2025-69228
12Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60]
13Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
14---
15 aiohttp/web_request.py | 2 +-
16 tests/test_web_functional.py | 4 ++--
17 2 files changed, 3 insertions(+), 3 deletions(-)
18
19diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py
20index d565557..b3d6141 100644
21--- a/aiohttp/web_request.py
22+++ b/aiohttp/web_request.py
23@@ -712,9 +712,9 @@ class BaseRequest(MutableMapping[str, Any], HeadersMixin):
24 multipart = await self.multipart()
25 max_size = self._client_max_size
26
27+ size = 0
28 field = await multipart.next()
29 while field is not None:
30- size = 0
31 field_ct = field.headers.get(hdrs.CONTENT_TYPE)
32
33 if isinstance(field, BodyPartReader):
34diff --git a/tests/test_web_functional.py b/tests/test_web_functional.py
35index ee61537..96dcd1c 100644
36--- a/tests/test_web_functional.py
37+++ b/tests/test_web_functional.py
38@@ -1641,8 +1641,8 @@ async def test_app_max_client_size(aiohttp_client) -> None:
39 await resp.release()
40
41
42-async def test_app_max_client_size_adjusted(aiohttp_client) -> None:
43- async def handler(request):
44+async def test_app_max_client_size_adjusted(aiohttp_client: AiohttpClient) -> None:
45+ async def handler(request: web.Request) -> web.Response:
46 await request.post()
47 return web.Response(body=b"ok")
48
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb
index f2332065ea..84a9f2e668 100644
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://CVE-2024-52304.patch \
10 file://CVE-2025-53643.patch \ 10 file://CVE-2025-53643.patch \
11 file://CVE-2025-69225.patch \ 11 file://CVE-2025-69225.patch \
12 file://CVE-2025-69226.patch \ 12 file://CVE-2025-69226.patch \
13 file://CVE-2025-69228.patch \
13 " 14 "
14 15
15PYPI_PACKAGE = "aiohttp" 16PYPI_PACKAGE = "aiohttp"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-05-09 03:10:30 +0000