mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-01-01 13:58:06 +00:00
59d381adca
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. References: https://nvd.nist.gov/vuln/detail/CVE-2025-53643 Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
24 lines
685 B
BlitzBasic
24 lines
685 B
BlitzBasic
SUMMARY = "Async http client/server framework"
|
|
DESCRIPTION = "Asynchronous HTTP client/server framework for asyncio and Python"
|
|
HOMEPAGE = "https://github.com/aio-libs/aiohttp"
|
|
LICENSE = "Apache-2.0"
|
|
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
|
|
|
|
SRC_URI[sha256sum] = "16f8a2c9538c14a557b4d309ed4d0a7c60f0253e8ed7b6c9a2859a7582f8b1b8"
|
|
|
|
SRC_URI += "file://CVE-2025-53643.patch"
|
|
|
|
inherit python_setuptools_build_meta pypi
|
|
|
|
RDEPENDS:${PN} = "\
|
|
python3-aiohappyeyeballs \
|
|
python3-aiosignal \
|
|
python3-async-timeout \
|
|
python3-attrs \
|
|
python3-frozenlist \
|
|
python3-misc \
|
|
python3-multidict \
|
|
python3-yarl \
|
|
python3-aiodns \
|
|
"
|