Summary
The pulpcore 3.49 branch currently pins aiohttp to >=3.8.1,<3.9.6 (as of 3.49.12) or <3.10.12,>=3.9.0 (as of 3.49.49), which leaves it vulnerable to multiple aiohttp CVEs that have been fixed in newer versions.
Affected CVEs
Current State
- pulpcore 3.73.22 already supports aiohttp<3.14,>=3.9.0 ✅
- pulpcore 3.49.49 is still constrained to aiohttp<3.10.12,>=3.9.0 ❌
Request
Please backport aiohttp 3.13.x support to the 3.49 branch so downstream consumers (e.g., galaxy_ng stable-2.6) can receive these security fixes.
Impact
Pulpcore's content app uses aiohttp.web to serve content, which is the attack surface for these vulnerabilities. Downstream projects cannot fix this without pulpcore updating its aiohttp constraint.
Thank you!