Bug 2278710 (CVE-2024-30251) - CVE-2024-30251 aiohttp: DoS when trying to parse malformed POST requests
Summary: CVE-2024-30251 aiohttp: DoS when trying to parse malformed POST requests
Keywords:
Status: NEW
Alias: CVE-2024-30251
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2278714 2278716 2278717 2278718 2278719 2278720 2278721 2278722 2278723 2278724 2278725 2278726 2278727 2278728 2278729
Blocks: 2278711
Reported: 2024-05-02 20:02 UTC by Zack Miele
Modified: 2025-04-01 08:28 UTC
CC List: 41 users

Fixed In Version: aiohttp 3.9.4
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2024:3781 | 0       | None     | None   | None    | 2024-06-10 18:37:58 UTC
Red Hat Product Errata | RHSA-2025:1335 | 0       | None     | None   | None    | 2025-02-12 00:09:20 UTC

Description Zack Miele 2024-05-02 20:02:17 UTC
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. An attacker can stop the application from serving requests after sending a single request. This issue has been addressed in version 3.9.4. Users are advised to upgrade. Users unable to upgrade may manually apply a patch to their systems. Please see the linked GHSA for instructions.

http://www.openwall.com/lists/oss-security/2024/05/02/4
https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84

Comment 1 Zack Miele 2024-05-02 20:14:24 UTC
Created python-aiohttp tracking bugs for this issue:

Affects: epel-8 [bug 2278724]
Affects: fedora-38 [bug 2278714]
Affects: fedora-39 [bug 2278725]
Affects: fedora-40 [bug 2278726]


Created python-gcsfs tracking bugs for this issue:

Affects: fedora-38 [bug 2278717]
Affects: fedora-39 [bug 2278720]
Affects: fedora-40 [bug 2278722]


Created python-idna-ssl tracking bugs for this issue:

Affects: epel-8 [bug 2278716]
Affects: fedora-38 [bug 2278718]
Affects: fedora-39 [bug 2278721]
Affects: fedora-40 [bug 2278723]


Created python-pytelegrambotapi tracking bugs for this issue:

Affects: fedora-38 [bug 2278719]

Comment 3 Ben Beasley 2024-05-03 13:01:14 UTC
It would be great if someone or something could check these CVE bugs against the version number in the advisory, where applicable. The text here clearly states “This issue has been addressed in version 3.9.4.” All Fedora releases have 3.9.5.

Furthermore, I can’t figure out the rationale for filing bugs against the other packages: python-gcsfs, python-idna-ssl, and python-pytelegrambotapi. These packages simply depend on aiohttp and have no indication of bundling. But there are many other packages that depend on aiohttp and did not have bugs filed (and it doesn’t make sense to file bugs for dependent packages anyway – what are they supposed to do?) so it still doesn’t make sense. It seems like the scripts for filing these bugs are flawed, and nobody is double-checking them.

Between bugs filed against unaffected versions and bugs filed for packages that merely depend on aiohttp, I count eleven totally spurious bugs that could have been avoided by a better bug-filing process, but now have to be individually looked at and closed by maintainers. Only bug 2278724 for aiohttp in EPEL8 is legitimate.

Mass-filing poorly-targeted bugs for every new CVE without the most rudimentary checking risks training maintainers to simply ignore these bugs, which is a shame, because they *can* be a useful service.
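
The version-against-advisory check that Comment 3 asks for, as an added Python example (not part of this bug, nor of Red Hat or Fedora tooling): the Fedora 3.9.5 versions come from Comment 3, while the EPEL 8 version and the "bundles" flags are assumed placeholders.

```python
# Added example: the sanity check Comment 3 asks for.  Before filing a
# per-package tracking bug, compare the version the distro ships with the
# fixed version from the advisory, and skip packages that merely depend on
# aiohttp instead of shipping its code.
from dataclasses import dataclass

FIXED_IN = "3.9.4"  # advisory text: "This issue has been addressed in version 3.9.4"


def parse_version(v: str) -> tuple[int, ...]:
    """Parse a plain dotted numeric version such as '3.9.5', or a
    Fedora-style '3.9.5-1.fc40' whose release suffix is ignored.
    Assumption: no pre-release tags (use packaging.version for those)."""
    upstream = v.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


@dataclass(frozen=True)
class Candidate:
    package: str   # package a tracking bug would be filed against
    release: str   # distro release, e.g. "fedora-40"
    version: str   # aiohttp version that package ships (only meaningful if bundles)
    bundles: bool  # True if the package is aiohttp itself or bundles a copy of it


def needs_tracking_bug(c: Candidate, fixed_in: str = FIXED_IN) -> bool:
    """A bug is warranted only if the package ships aiohttp code and the
    shipped version predates the fix."""
    if not c.bundles:
        return False  # a plain runtime dependency is fixed by updating aiohttp itself
    return parse_version(c.version) < parse_version(fixed_in)


# Constructed input mirroring Comments 1 and 3.  Fedora's 3.9.5 is stated in
# Comment 3; the EPEL 8 version is an ASSUMED placeholder (the real build is
# not on this page); the bundles flags for the dependents are assumptions.
CANDIDATES = [
    Candidate("python-aiohttp", "epel-8", "3.9.3", True),  # placeholder version
    Candidate("python-aiohttp", "fedora-38", "3.9.5-1.fc38", True),
    Candidate("python-aiohttp", "fedora-40", "3.9.5-1.fc40", True),
    Candidate("python-gcsfs", "fedora-40", "3.9.5-1.fc40", False),
    Candidate("python-idna-ssl", "fedora-39", "3.9.5-1.fc39", False),
]


def triage(candidates=CANDIDATES):
    """Return the (package, release) pairs that actually need a tracking bug."""
    return [(c.package, c.release) for c in candidates if needs_tracking_bug(c)]


if __name__ == "__main__":
    print(triage())  # [('python-aiohttp', 'epel-8')]
```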

Comment 4 errata-xmlrpc 2024-06-10 18:37:55 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781

Comment 5 errata-xmlrpc 2025-02-12 00:09:17 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335
