Advisories » MGASA-2024-0235

Updated python-aiohttp packages fix security vulnerability

Publication date: 24 Jun 2024
Modification date: 24 Jun 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-27306

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. An XSS vulnerability exists on index pages for static file
handling. This vulnerability is fixed in 3.9.4. We have always
recommended using a reverse proxy server (e.g. nginx) for serving static
files. Users following the recommendation are unaffected. Other users
can disable `show_index` if unable to upgrade.
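
For hosts that cannot take the update yet, one way to locate static routes where `show_index` still has to be turned off (an added example, not part of the advisory or of aiohttp): it parses application source and reports `add_static()` / `web.static()` calls that enable the option. The function names and the sample source are constructed for illustration.

```python
import ast

# aiohttp entry points that accept show_index: the router's add_static()
# method and the web.static() route helper.
STATIC_CALLS = {"add_static", "static"}


def _call_name(func):
    """Trailing name of a call target (app.router.add_static -> add_static)."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def find_show_index(source, filename="<source>"):
    """Return sorted (line, call, verdict) for static routes that may list directories."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        name = _call_name(node.func) if isinstance(node, ast.Call) else None
        if name not in STATIC_CALLS:
            continue
        for kw in node.keywords:
            if kw.arg is None:
                # **kwargs may carry show_index; not resolvable statically
                findings.append((node.lineno, name, "review"))
            elif kw.arg == "show_index":
                if not isinstance(kw.value, ast.Constant):
                    findings.append((node.lineno, name, "review"))
                elif kw.value.value:
                    findings.append((node.lineno, name, "enabled"))
        # A call without the keyword is not reported: show_index defaults to off.
    return sorted(findings)


# Constructed sample application source (not from the advisory).
SAMPLE = '''
from aiohttp import web
app = web.Application()
app.router.add_static("/assets", "assets")
app.router.add_static("/files", "uploads", show_index=True)
app.add_routes([web.static("/docs", "docs", show_index=LIST_DIRS)])
app.router.add_static("/img", "img", show_index=False)
'''

if __name__ == "__main__":
    for line, call, verdict in find_show_index(SAMPLE):
        print(f"line {line}: {call}() show_index {verdict}")
```

Findings marked `review` pass a non-literal value or `**kwargs`, so the effective setting has to be checked by hand.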
                

References

SRPMS

9/core