SUSE-SU-2024:0577-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20240577-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:0577-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:0577-1
Published
2024-02-21T10:43:49Z
Modified
2024-02-21T10:43:49Z
Summary
Security update for python-aiohttp, python-time-machine
Details

This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

  • Fixed backwards compatibility breakage (in 3.9.2) of the ssl parameter when set outside of ClientSession (e.g. directly in TCPConnector).
  • Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

  • Fixed server-side websocket connection leak.
  • Fixed web.FileResponse doing blocking I/O in the event loop.
  • Fixed double compress when compression enabled and compressed file exists in server file responses.
  • Added runtime type check for ClientSession timeout parameter.
  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.
  • Improved validation of paths for static resources requests to the server.
  • Added support for passing True to the ssl parameter in ClientSession while deprecating None.
  • Fixed examples of the fallback_charset_resolver function in the client_advanced document.
  • The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs.
  • The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately.
  • Updated the contributing "Tests coverage" section to show how we use codecov.
  • Replaced all tmpdir fixtures with tmp_path in test suite.

  • Disabled broken tests with OpenSSL 3.2 and Python < 3.11 (bsc#1217782).

Update to 3.9.1:

  • Fixed importing aiohttp under PyPy on Windows.
  • Fixed async concurrency safety in websocket compressor.
  • Fixed ClientResponse.close() releasing the connection instead of closing.
  • Fixed a regression where the connection may get closed during upgrade. (by Dreamsorcerer)
  • Fixed messages being reported as upgraded without an Upgrade header in the Python parser. (by Dreamsorcerer)

Update to 3.9.0 (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082):

  • Introduced AppKey for static typing support of Application storage.
  • Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
  • Added handler_cancellation parameter to cancel web handler on client disconnection. This (optionally) reintroduces a feature removed in a previous release. Recommended for those looking for an extra level of protection against denial-of-service attacks.
  • Added support for setting response header parameters max_line_size and max_field_size.
  • Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress.
  • Changed raise_for_status to allow a coroutine.
  • Added client brotli compression support (optional with runtime check).
  • Added client_max_size to BaseRequest.clone() to allow overriding the request body size. (by anesabml)
  • Added a middleware type alias aiohttp.typedefs.Middleware.
  • Exported HTTPMove which can be used to catch any redirection request that has a location. (by dreamsorcerer)
  • Changed the path parameter in web.run_app() to accept a pathlib.Path object.
  • Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.
  • Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().
  • Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.
  • Added support for passing a custom server name parameter to HTTPS connection.
  • Added support for using Basic Auth credentials from the .netrc file when making HTTP requests with aiohttp.ClientSession and the trust_env argument is set to True. (by yuvipanda)
  • Turned access log into no-op when the logger is disabled.
  • Added typing information to RawResponseMessage. (by Gobot1234)
  • Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).
  • Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).
  • Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.
  • Allow link argument to be set to None/empty in HTTP 451 exception.
  • Fixed client timeout not working when incoming data is always available without waiting. (by Dreamsorcerer)
  • Fixed readuntil to work with a delimiter of more than one character.
  • Added __repr__ to EmptyStreamReader to avoid AttributeError.
  • Fixed bug when using TCPConnector with ttl_dns_cache=0.
  • Fixed response returned from expect handler being thrown away. (by Dreamsorcerer)
  • Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.
  • Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. (by dtrifiro)
  • Fixed missing query in tracing method URLs when using yarl 1.9+.
  • Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.
  • Fixed EmptyStreamReader.iter_chunks() never ending.
  • Fixed a rare "RuntimeError: await wasn't used with future" exception.
  • Fixed issue with insufficient HTTP method and version validation.
  • Added check to validate that absolute URIs have schemes.
  • Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.
  • Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.
  • Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
  • Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
  • Fixed an issue when a client request is closed before completing a chunked payload. (by Dreamsorcerer)
  • Added edge-case handling in ResponseParser for a missing reason value.
  • Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.
  • Added HTTP method validation.
  • Fixed arbitrary sequence types being allowed to inject values via the version parameter. (by Dreamsorcerer)
  • Performance: Fixed increase in latency with small messages from websocket compression changes.
  • Improved Documentation
  • Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.
  • Added information on behavior of base_url parameter in ClientSession.
  • Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.
  • Dropped Python 3.6 support.
  • Dropped Python 3.7 support. (by Dreamsorcerer)
  • Removed support for abandoned tokio event loop.
  • Made print argument in run_app() optional.
  • Improved performance of ceil_timeout in some cases.
  • Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. (by Dreamsorcerer)
  • Improved import time by replacing http.server with http.HTTPStatus.
  • Fixed annotation of ssl parameter to disallow True.

Update to 3.8.6 (bsc#1217181, CVE-2023-47627):

  • Security bugfixes: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9 and https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg.
  • Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use fallback_charset_resolver.
  • Fixed PermissionError when .netrc is unreadable due to permissions.
  • Fixed output of parsing errors.
  • Fixed sorting in filter_cookies to use cookie with longest path.

Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)

Affected packages

SUSE:Linux Enterprise Module for Python 3 15 SP5 / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.9.3-150400.10.14.1

Ecosystem specific

{
    "binaries": [
        {
            "python311-aiohttp": "3.9.3-150400.10.14.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.9.3-150400.10.14.1

Ecosystem specific

{
    "binaries": [
        {
            "python311-aiohttp": "3.9.3-150400.10.14.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.9.3-150400.10.14.1

Ecosystem specific

{
    "binaries": [
        {
            "python311-aiohttp": "3.9.3-150400.10.14.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP4-LTSS / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.9.3-150400.10.14.1

Ecosystem specific

{
    "binaries": [
        {
            "python311-aiohttp": "3.9.3-150400.10.14.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP4 / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.9.3-150400.10.14.1

Ecosystem specific

{
    "binaries": [
        {
            "python311-aiohttp": "3.9.3-150400.10.14.1"
        }
    ]
}

openSUSE:Leap 15.5 / python-aiohttp

Package

Name
python-aiohttp
Purl
pkg:rpm/opensuse/python-aiohttp&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.9.3-150400.10.14.1

Ecosystem specific

{
    "binaries": [
        {
            "python311-aiohttp": "3.9.3-150400.10.14.1"
        }
    ]
}