==========================================================================
Ubuntu Security Notice USN-7642-1
July 17, 2025

python-aiohttp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in AIOHTTP.

Software Description:
- python-aiohttp: Asynchronous HTTP client/server Python framework

Details:

Ben Kallus discovered that AIOHTTP did not correctly parse HTTP headers.
A remote attacker could possibly use this issue to perform request
smuggling. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-47627)

Ivan Novikov discovered that AIOHTTP did not properly validate certain
inputs. A remote attacker could possibly use this issue to perform request
smuggling. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2023-49081, CVE-2023-49082)

Paul J. Dorn discovered that AIOHTTP did not properly validate certain
inputs. A remote attacker could possibly use this issue to perform request
smuggling. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and
Ubuntu 24.04 LTS. (CVE-2024-23829)

Takeshi Kaneko discovered that AIOHTTP did not properly sanitize certain
inputs. A remote attacker could possibly use this issue to perform a
cross-site scripting (XSS) attack. (CVE-2024-27306)

It was discovered that AIOHTTP did not correctly handle certain POST
requests. A remote attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and
Ubuntu 24.04 LTS. (CVE-2024-30251)

Jeppe Bonde Weikop discovered that AIOHTTP did not correctly handle parsing
newlines in certain inputs. A remote attacker could possibly use this issue
to perform request smuggling. (CVE-2024-52304)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  python3-aiohttp                 3.9.1-1ubuntu0.1+esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  python3-aiohttp                 3.8.1-4ubuntu0.2+esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  python3-aiohttp                 3.6.2-1ubuntu1+esm4
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  python3-aiohttp                 3.0.1-1ubuntu0.1~esm5
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7642-1
  CVE-2023-47627, CVE-2023-49081, CVE-2023-49082, CVE-2024-23829,
  CVE-2024-27306, CVE-2024-30251, CVE-2024-52304
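A fleet-side check against the fixed versions above, added here as an example and not part of the notice or of Ubuntu's tooling: it reimplements dpkg's version ordering (epoch, tilde-before-everything, numeric digit runs) in plain Python so an inventory of installed `python3-aiohttp` versions can be graded without shelling out to dpkg on every host. The function names and the FIXED_VERSIONS table are assumptions of this example; the version strings in it are copied from the notice.

```python
import re

# Fixed python3-aiohttp versions from USN-7642-1, keyed by Ubuntu release.
FIXED_VERSIONS = {
    "24.04": "3.9.1-1ubuntu0.1+esm1",
    "22.04": "3.8.1-4ubuntu0.2+esm1",
    "20.04": "3.6.2-1ubuntu1+esm4",
    "18.04": "3.0.1-1ubuntu0.1~esm5",
}

def _order(c):
    # dpkg ordering of non-digit chars: '~' before everything (even end of string), letters before non-letters.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare an upstream or revision part like dpkg: alternate non-digit runs (lexical) and digit runs (numeric).
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ca = a[0] if a and not a[0].isdigit() else ""
            cb = b[0] if b and not b[0].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            a, b = a[1:], b[1:]  # equal order means the same char on both sides
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # epoch:upstream-revision; a missing epoch is 0, a missing revision is "0".
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Returns -1, 0 or 1 with the same semantics as `dpkg --compare-versions`.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(installed, release):
    # True when the installed version is at or above the fixed version for that release.
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

On a host, the installed string comes from `dpkg-query -W -f='${Version}' python3-aiohttp` and the release from VERSION_ID in /etc/os-release; note that the 18.04 fix carries a `~esm5` suffix, which sorts below the plain revision, so the tilde rule matters for that comparison.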