This update for python-aiohttp fixes the following issues:
- CVE-2026-22815: insufficient header/trailer handling can cause a denial of service (bsc#1261320).
- CVE-2026-34513: unbounded DNS cache can cause a denial of service (bsc#1261321).
- CVE-2026-34514: content_type parameter manipulation can lead to header injection (bsc#1261322).
- CVE-2026-34516: excessive multipart headers can cause a denial of service (bsc#1261329).
- CVE-2026-34517: large multipart form fields can cause a denial of service (bsc#1261331).
- CVE-2026-34518: retained Cookie and Proxy-Authorization headers during redirects can lead to information disclosure (bsc#1261332).
- CVE-2026-34519: reason parameter can be used to perform header injection (bsc#1261334).
- CVE-2026-34520: improper character handling can lead to header injection (bsc#1261335).
- CVE-2026-34525: multiple Host headers can potentially lead to security bypass (bsc#1261343).
- CVE-2026-34993: arbitrary code execution via loading untrusted...
- openSUSE Leap 16.0:
python313-aiohttp-3.11.16-160000.5.1
* bsc#1261320
* bsc#1261321
* bsc#1261322
* bsc#1261329
* bsc#1261331
* bsc#1261332
* bsc#1261334
* bsc#1261335
* bsc#1261343
* bsc#1267471
* bsc#1267561
References:
* https://www.suse.com/security/cve/CVE-2026-22815.html
* https://www.suse.com/security/cve/CVE-2026-34513.html
* https://www.suse.com/security/cve/CVE-2026-34514.html
* https://www.suse.com/security/cve/CVE-2026-34516.html
* https://www.suse.com/security/cve/CVE-2026-34517.html
* https://www.suse.com/security/cve/CVE-2026-34518.html
* https://www.suse.com/security/cve/CVE-2026-34519.html
* https://www.suse.com/security/cve/CVE-2026-34520.html
* https://www.suse.com/security/cve/CVE-2026-34525.html
* https://www.suse.com/security/cve/CVE-2026-34993.html
* https://www.suse.com/security/cve/CVE-2026-47265.html