python-aiohttp (3.0.1-1ubuntu0.1~esm6) bionic-security; urgency=medium

  * SECURITY UPDATE: Request smuggling attack with non-ASCII character
    - debian/patches/CVE-2025-69225.patch: Reject non-ASCII digits in Range
      header
    - CVE-2025-69225

  * SECURITY UPDATE: Infinite loop causing denial of service
    - debian/patches/CVE-2025-69228.patch: Enforce client_max_size over
      entire multipart form
    - CVE-2025-69228

 -- Shishir Subedi <shishir.subedi@canonical.com>  Thu, 12 Feb 2026 09:10:34 +0545

python-aiohttp (3.0.1-1ubuntu0.1~esm5) bionic-security; urgency=medium

  * SECURITY UPDATE: Cross-Site Scripting (XSS)
    - debian/patches/CVE-2024-27306.patch: Escape filenames and paths in
      HTML when generating index pages
    - CVE-2024-27306
  * SECURITY UPDATE: Request Smuggling
    - debian/patches/CVE-2024-52304.patch: Fix incorrect parsing of chunk
      extensions with the pure Python parser
    - debian/patches/CVE-2023-49081.patch: Disallow arbitrary sequence
      types in version
    - debian/patches/CVE-2023-49082.patch: Stop accepting `\x80-\xff` in
      header names and stop accepting `\n` as separating whitespace in
      status-lines
    - CVE-2024-52304
    - CVE-2023-49081
    - CVE-2023-49082

 -- Bruce Cable <bruce.cable@canonical.com>  Mon, 14 Jul 2025 14:10:16 +1000

python-aiohttp (3.0.1-1ubuntu0.1~esm4) bionic-security; urgency=medium

  * SECURITY UPDATE: When 'follow_symlinks' is enabled, file paths
    are not properly validated, allowing unauthorized access to
    files on the system.
    - debian/patches/CVE-2024-23334.patch: Validate static paths.
    - CVE-2024-23334

 -- Chris Kim <chris.kim@canonical.com>  Fri, 30 Aug 2024 18:26:47 -0700

python-aiohttp (3.0.1-1ubuntu0.1~esm1) bionic-security; urgency=medium

  * SECURITY UPDATE: open redirect in middleware component
    - debian/patches/CVE-2021-21330.patch: replace all double
      slashes by one slash of the URL path in
      aiohttp/web_middlewares.py
    - CVE-2021-21330

 -- David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>  Thu, 21 Apr 2022 13:05:57 +0200

python-aiohttp (3.0.1-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/control: Set Vcs-* to salsa.debian.org

  [ Piotr Ożarowski ]
  * New upstream release
    - minimum required Python 3 version bumped to 3.5.3
  * bundle idna_ssl module until Python 3.7 is the one supported in Debian

 -- Piotr Ożarowski <piotr@debian.org>  Wed, 14 Feb 2018 12:59:09 +0100

python-aiohttp (2.3.6-1) unstable; urgency=medium

  * New upstream release
  * Standards-Version bumped to 4.1.2 (d/copyright format URL switch to HTTPS)

 -- Piotr Ożarowski <piotr@debian.org>  Wed, 20 Dec 2017 12:01:51 +0100

python-aiohttp (2.2.3-2) unstable; urgency=medium

  * Team upload.
  * d/rules: clean generated C files. Closes: #880352.
  * d/control: bump Standards-Version to 4.1.1.
  * d/watch: switch to HTTPS.

 -- Vincent Bernat <bernat@debian.org>  Sun, 26 Nov 2017 19:06:47 +0100

python-aiohttp (2.2.3-1) unstable; urgency=medium

  * New upstream release

 -- Piotr Ożarowski <piotr@debian.org>  Sun, 09 Jul 2017 22:53:16 +0200

python-aiohttp (2.2.0-1) unstable; urgency=medium

  * New upstream release
  * Standards-Version bumped to 4.0.0 (no changes needed)

 -- Piotr Ożarowski <piotr@debian.org>  Fri, 23 Jun 2017 19:50:46 +0200

python-aiohttp (1.2.0-1) unstable; urgency=medium

  * New upstream release
  * debian/compat changed to 10 (this change also closes: 845178 thanks to
    dh_autoreconf)

 -- Piotr Ożarowski <piotr@debian.org>  Wed, 21 Dec 2016 13:30:27 +0100

python-aiohttp (1.1.5-1) unstable; urgency=medium

  * New upstream release

 -- Piotr Ożarowski <piotr@debian.org>  Fri, 18 Nov 2016 19:58:04 +0100

python-aiohttp (1.1.2-1) unstable; urgency=medium

  * New upstream release
    - works with new multidict (closes: 835299)
    - decompresses HTTP bodies (closes: 833254)
  * tests disabled for now (see comment in debian/rules)
    closes: 830567, 839478

 -- Piotr Ożarowski <piotr@debian.org>  Tue, 08 Nov 2016 22:58:56 +0100

python-aiohttp (0.22.4-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * Fixed VCS URL (https)

  [ Piotr Ożarowski ]
  * New upstream release
    - Add dependency on python3-multidict
  * Backport changes in test/test_connector.py from upstream master branch
  * Standards-Version bumped to 3.9.8 (no changes needed)

 -- Piotr Ożarowski <piotr@debian.org>  Thu, 28 Jul 2016 23:32:19 +0200

python-aiohttp (0.20.2-1) unstable; urgency=medium

  * New upstream release.
  * Replace python3-nose with python3-pytest in Build-Depends
    and remove override_dh_auto_test from debian/rules;
    remove no longer needed override_dh_auto_test in debian/rules
  * Remove .cache directory in clean target

 -- Piotr Ożarowski <piotr@debian.org>  Thu, 28 Jan 2016 21:42:23 +0100

python-aiohttp (0.17.4-1) unstable; urgency=medium

  * New upstream release

 -- Piotr Ożarowski <piotr@debian.org>  Tue, 29 Sep 2015 23:12:42 +0200

python-aiohttp (0.17.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * d/patches/no-gunicorn.patch: Deleted; we have python3-gunicorn now.
  * d/control: Add python3-gunicorn to Build-Depends.
  * d/rules: override_dh_auto_test until pybuild bug #749506 is fixed.

 -- Barry Warsaw <barry@debian.org>  Thu, 13 Aug 2015 16:12:29 -0400

python-aiohttp (0.15.3-1) unstable; urgency=medium

  * Update to 0.15.3 upstream release.

 -- Tianon Gravi <admwiggin@gmail.com>  Sun, 03 May 2015 06:44:18 +0000

python-aiohttp (0.15.1-1) unstable; urgency=medium

  * Initial release.

 -- Tianon Gravi <admwiggin@gmail.com>  Sat, 04 Apr 2015 09:07:00 -0600
