#1138781 python-aiohttp: CVE-2026-34993

Package:
src:python-aiohttp
Source:
src:python-aiohttp
Submitter:
Salvatore Bonaccorso
Date:
2026-06-04 12:27:03 UTC
Severity:
normal
Tags:
#1138781#5
Date:
2026-06-03 15:57:43 UTC
Hi,

The following vulnerability was published for python-aiohttp.

CVE-2026-34993[0]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with
| untrusted input may allow arbitrary code execution. Most
| applications using this function will be doing so with the user's
| own data, so this is unlikely to affect many applications. Version
| 3.14.0 patches the issue. If an application does allow attacker
| controlled files to be loaded, a workaround on older releases would
| be to sanitize the files before loading.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34993
https://www.cve.org/CVERecord?id=CVE-2026-34993
[1] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8
[2] https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

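The report above says only that CookieJar.load() on untrusted input "may allow arbitrary code execution" and suggests sanitising files as a workaround. The following is an added example, not aiohttp's code and not part of this bug report: it assumes what I know of the pre-3.14 implementation, namely that CookieJar.save()/load() serialised the jar with Python's pickle module (the report does not say this, and I have not checked the linked fix commit). A pickle stream can name any importable callable to be invoked during loading, which is why "untrusted input" to such a loader means code execution. The block shows that primitive with a harmless payload, then the kind of data-only loader (JSON into the standard library's http.cookies.SimpleCookie, with a strict field allow-list) that "sanitise the files before loading" amounts to in practice. All names (MaliciousJar, unsafe_load, safe_load_json, is_rejected, SAMPLE_JAR_JSON) are mine, and the sample inputs are constructed.

```python
"""Added example (not aiohttp's code): why a pickle-based CookieJar.load()
turns an attacker-controlled jar file into code execution, and what a
data-only replacement loader looks like. Standard library only."""
import io
import json
import os
import pickle
from http.cookies import CookieError, SimpleCookie


class MaliciousJar:
    """Stand-in for an attacker-supplied jar file. On unpickling, pickle
    calls the callable named by __reduce__ with these arguments. The
    payload here is deliberately harmless (it only reveals the PID of the
    process that loaded the file); a real one would call os.system etc."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def make_malicious_jar_bytes() -> bytes:
    """Constructed attacker file: a pickle stream, as a pickle-based jar would be."""
    return pickle.dumps(MaliciousJar(), protocol=pickle.HIGHEST_PROTOCOL)


def unsafe_load(data: bytes):
    """Shape of a pickle-based load(): deserialising runs the payload.
    Assumption: this mirrors the pre-3.14 mechanism; it is not aiohttp code."""
    return pickle.load(io.BytesIO(data))


def payload_ran_in_this_process() -> bool:
    """True when loading the 'cookie jar' executed code in our own process."""
    return unsafe_load(make_malicious_jar_bytes()) == os.getpid()


# --- Data-only replacement: JSON with a strict field allow-list ------------

ALLOWED_KEYS = {"name", "value", "domain", "path", "expires", "secure", "httponly"}
STRING_ATTRS = ("domain", "path", "expires")
FLAG_ATTRS = ("secure", "httponly")


def safe_load_json(data: bytes) -> SimpleCookie:
    """Parse a cookie jar from JSON. json.loads never executes code, and
    every field is checked against an allow-list and a type before use;
    SimpleCookie additionally rejects illegal cookie names."""
    raw = json.loads(data.decode("utf-8"))
    if not isinstance(raw, list):
        raise ValueError("cookie jar must be a JSON list of cookie objects")
    jar = SimpleCookie()
    for entry in raw:
        if not isinstance(entry, dict) or not entry.keys() <= ALLOWED_KEYS:
            raise ValueError(f"unexpected cookie fields: {entry!r}")
        name, value = entry.get("name"), entry.get("value")
        if not isinstance(name, str) or not isinstance(value, str):
            raise ValueError("cookie name and value must be strings")
        jar[name] = value  # raises CookieError for illegal names
        for attr in STRING_ATTRS:
            if attr in entry:
                if not isinstance(entry[attr], str):
                    raise ValueError(f"{attr} must be a string")
                jar[name][attr] = entry[attr]
        for flag in FLAG_ATTRS:
            if flag in entry:
                if not isinstance(entry[flag], bool):
                    raise ValueError(f"{flag} must be a boolean")
                jar[name][flag] = entry[flag]
    return jar


def is_rejected(data: bytes) -> bool:
    """True if the strict loader refuses the input instead of loading it."""
    try:
        safe_load_json(data)
    except (ValueError, CookieError):  # covers JSON and UTF-8 decode errors too
        return True
    return False


# Constructed sample jar in the data-only format (not real user data).
SAMPLE_JAR_JSON = json.dumps([
    {"name": "session", "value": "abc123", "domain": "example.com",
     "path": "/", "secure": True, "httponly": True},
]).encode("utf-8")

if __name__ == "__main__":
    print("pickle-based load executed attacker code:", payload_ran_in_this_process())
    print("strict loader rejects the same file:", is_rejected(make_malicious_jar_bytes()))
    print("strict loader accepts the JSON jar:", safe_load_json(SAMPLE_JAR_JSON).output())
```

unsafe_load is there only to show the failure mode and belongs in no real code path; the practical point of the strict loader is that the file format itself cannot express "call this function", so sanitising reduces to schema and type checks that are easy to get right.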
#1138781#8
Date:
2026-06-04 12:05:24 UTC
Hello,

Bug #1138781 in python-aiohttp reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/python-aiohttp/-/commit/dcc663e4a8d5494fd32493f7bfabd859e7cb8382
------------------------------------------------------------------------
New upstream release.

* New upstream release.
    * Fix CVE-2026-47265 (Closes: #1138780)
    * Fix CVE-2026-34993 (Closes: #1138781)
* Upstream added sphinxcontrib-mermaid, myst-parser and
  pytest-timeout dependencies.
* Rebase patches.
* Skip another test failing during autopkgtest.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1138781

#1138781#15
Date:
2026-06-04 12:24:46 UTC
We believe that the bug you reported is fixed in the latest version of
python-aiohttp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138781@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Edward Betts <edward@4angle.com> (supplier of updated python-aiohttp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 04 Jun 2026 11:24:23 +0100
Source: python-aiohttp
Architecture: source
Version: 3.14.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Edward Betts <edward@4angle.com>
Closes: 1138780 1138781
Changes:
 python-aiohttp (3.14.0-1) unstable; urgency=medium
 .
   * New upstream release.
       * Fix CVE-2026-47265 (Closes: #1138780)
       * Fix CVE-2026-34993 (Closes: #1138781)
   * Upstream added sphinxcontrib-mermaid, myst-parser and
     pytest-timeout dependencies.
   * Rebase patches.
   * Skip another test failing during autopkgtest.
Checksums-Sha1:
 bb6ef991cfaafc85d8d3b31eee88986cacd8ef00 3037 python-aiohttp_3.14.0-1.dsc
 2999e736697208d4c2433b7b4a2a6470a148a17b 7940674 python-aiohttp_3.14.0.orig.tar.gz
 8f8443c13c8080f56167ff6048cd4c682ced48fb 10528 python-aiohttp_3.14.0-1.debian.tar.xz
 4b0e889f226fe274ae5c5cd5d0d92640e18d9a99 11556 python-aiohttp_3.14.0-1_source.buildinfo
Checksums-Sha256:
 3c0307a26ed936234aa502dc01b24d6c4974ef00b46e589c99bfee52f91d1275 3037 python-aiohttp_3.14.0-1.dsc
 2882de819734c715fd1b9c11c97e09fa020d14438203d1d354d8ed1702791c9b 7940674 python-aiohttp_3.14.0.orig.tar.gz
 e440653a36b7b64cf94dc0e13bc0ad4949b3259962e7e021c8195e7103dd6e7a 10528 python-aiohttp_3.14.0-1.debian.tar.xz
 7cbba911a7b59fc274b8d26910e7c73e4512ff4aa75cc11a59f47031c40421dd 11556 python-aiohttp_3.14.0-1_source.buildinfo
Files:
 3ce9c6b5ac98c0fa3caa109a8f3df96c 3037 python optional python-aiohttp_3.14.0-1.dsc
 aa9c0bbc001188ca3659b75655396294 7940674 python optional python-aiohttp_3.14.0.orig.tar.gz
 496f5ab098ed07c11a415aa79593a4d6 10528 python optional python-aiohttp_3.14.0-1.debian.tar.xz
 ab5888afbd80eab105f30112fe3ceb6f 11556 python optional python-aiohttp_3.14.0-1_source.buildinfo