drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in python-aiohttp und python-time-machine
Name: |
Mehrere Probleme in python-aiohttp und python-time-machine |
|
ID: |
SUSE-SU-2024:0577-1 |
|
Distribution: |
SUSE |
|
Plattformen: |
SUSE Linux Enterprise High Performance Computing 15 SP4, SUSE Linux Enterprise Server 15 SP4, SUSE Linux Enterprise Server for SAP Applications 15 SP4, SUSE Linux Enterprise Server for SAP Applications 15 SP5, SUSE Linux Enterprise Server 15 SP5, SUSE Linux Enterprise High Performance Computing 15 SP5, SUSE Linux Enterprise Desktop 15 SP5, SUSE openSUSE Leap 15.5, SUSE openSUSE Leap 15.4, SUSE Python 3 Module 15-SP5, SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4, SUSE Linux Enterprise High Performance Computing LTSS 15 SP4, SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4, SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 |
|
Datum: |
Mi, 21. Februar 2024, 23:47 |
|
Referenzen: |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23334
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47627 |
|
Applikationen: |
python-aiohttp, python-time-machine |
|
Originalnachricht |
--===============5249274303798436105== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit
# Security update for python-aiohttp, python-time-machine
Announcement ID: SUSE-SU-2024:0577-1 Rating: important References:
* bsc#1217174 * bsc#1217181 * bsc#1217782 * bsc#1219341 * bsc#1219342
Cross-References:
* CVE-2023-47627 * CVE-2023-47641 * CVE-2024-23334 * CVE-2024-23829
CVSS scores:
* CVE-2023-47627 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2023-47627 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2023-47641 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N * CVE-2023-47641 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2024-23334 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2024-23334 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2024-23829 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2024-23829 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected Products:
* openSUSE Leap 15.4 * openSUSE Leap 15.5 * Python 3 Module 15-SP5 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves four vulnerabilities and has one security fix can now be installed.
## Description:
This update for python-aiohttp, python-time-machine fixes the following issues:
python-aiohttp was updated to version 3.9.3:
* Fixed backwards compatibility breakage (in 3.9.2) of `ssl` parameter when set outside of `ClientSession` (e.g. directly in `TCPConnector`) * Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.
From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):
* Fixed server-side websocket connection leak. * Fixed `web.FileResponse` doing blocking I/O in the event loop. * Fixed double compress when compression enabled and compressed file exists in server file responses. * Added runtime type check for `ClientSession` `timeout` parameter. * Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon. * Improved validation of paths for static resources requests to the server. * Added support for passing :py:data:`True` to `ssl` parameter in `ClientSession` while deprecating :py:data:`None`. * Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon. * Fixed examples of `fallback_charset_resolver` function in the :doc:`client_advanced` document. * The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs. * The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately. * Updated :ref:`contributing/Tests coverage <aiohttp-contributing>` section to show how we use `codecov`. * Replaced all `tmpdir` fixtures with `tmp_path` in test suite.
* Disable broken tests with openssl 3.2 and python < 3.11 bsc#1217782
update to 3.9.1:
* Fixed importing aiohttp under PyPy on Windows. * Fixed async concurrency safety in websocket compressor. * Fixed `ClientResponse.close()` releasing the connection instead of closing. * Fixed a regression where connection may get closed during upgrade. -- by :user:`Dreamsorcerer` * Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:`Dreamsorcerer`
update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)
* Introduced `AppKey` for static typing support of `Application` storage. * Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called. * Added `handler_cancellation`_ parameter to cancel web handler on client disconnection. * This (optionally) reintroduces a feature removed in a previous release. * Recommended for those looking for an extra level of protection against denial-of-service attacks. * Added support for setting response header parameters `max_line_size` and `max_field_size`. * Added `auto_decompress` parameter to `ClientSession.request` to override `ClientSession._auto_decompress`. * Changed `raise_for_status` to allow a coroutine. * Added client brotli compression support (optional with runtime check). * Added `client_max_size` to `BaseRequest.clone()` to allow overriding the request body size. -- :user:`anesabml`. * Added a middleware type alias `aiohttp.typedefs.Middleware`. * Exported `HTTPMove` which can be used to catch any redirection request that has a location -- :user:`dreamsorcerer`. * Changed the `path` parameter in `web.run_app()` to accept a `pathlib.Path` object. * Performance: Skipped filtering `CookieJar` when the jar is empty or all cookies have expired. * Performance: Only check origin if insecure scheme and there are origins to treat as secure, in `CookieJar.filter_cookies()`. * Performance: Used timestamp instead of `datetime` to achieve faster cookie expiration in `CookieJar`. * Added support for passing a custom server name parameter to HTTPS connection. * Added support for using Basic Auth credentials from :file:`.netrc` file when making HTTP requests with the * :py:class:`~aiohttp.ClientSession` `trust_env` argument is set to `True`. -- by :user:`yuvipanda`. * Turned access log into no-op when the logger is disabled. * Added typing information to `RawResponseMessage`. -- by :user:`Gobot1234` * Removed `async-timeout` for Python 3.11+ (replaced with `asyncio.timeout()` on newer releases). * Added support for `brotlicffi` as an alternative to `brotli` (fixing Brotli support on PyPy). * Added `WebSocketResponse.get_extra_info()` to access a protocol transport's extra info. * Allow `link` argument to be set to None/empty in HTTP 451 exception. * Fixed client timeout not working when incoming data is always available without waiting. -- by :user:`Dreamsorcerer`. * Fixed `readuntil` to work with a delimiter of more than one character. * Added `__repr__` to `EmptyStreamReader` to avoid `AttributeError`. * Fixed bug when using `TCPConnector` with `ttl_dns_cache=0`. * Fixed response returned from expect handler being thrown away. -- by :user:`Dreamsorcerer` * Avoided raising `UnicodeDecodeError` in multipart and in HTTP headers parsing. * Changed `sock_read` timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:`dtrifiro` * Fixed missing query in tracing method URLs when using `yarl` 1.9+. * Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a `DeprecationWarning` on Python 3.12. * Fixed `EmptyStreamReader.iter_chunks()` never ending. * Fixed a rare `RuntimeError: await wasn't used with future` exception. * Fixed issue with insufficient HTTP method and version validation. * Added check to validate that absolute URIs have schemes. * Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates. * Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator. * Fixed Python HTTP parser not treating 204/304/1xx as an empty body. * Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3. * Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:`Dreamsorcerer` * Edge Case Handling for ResponseParser for missing reason value. * Fixed `ClientWebSocketResponse.close_code` being erroneously set to `None` when there are concurrent async tasks receiving data and closing the connection. * Added HTTP method validation. * Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:`Dreamsorcerer` * Performance: Fixed increase in latency with small messages from websocket compression changes. * Improved Documentation * Fixed the `ClientResponse.release`'s type in the doc. Changed from `comethod` to `method`. * Added information on behavior of base_url parameter in `ClientSession`. * Completed `trust_env` parameter description to honor `wss_proxy`, `ws_proxy` or `no_proxy` env. * Dropped Python 3.6 support. * Dropped Python 3.7 support. -- by :user:`Dreamsorcerer` * Removed support for abandoned `tokio` event loop. * Made `print` argument in `run_app()` optional. * Improved performance of `ceil_timeout` in some cases. * Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:`Dreamsorcerer` * Improved import time by replacing `http.server` with `http.HTTPStatus`. * Fixed annotation of `ssl` parameter to disallow `True`.
update to 3.8.6 (bsc#1217181, CVE-2023-47627):
* Security bugfixes * https://github.com/aio-libs/aiohttp/security/advisories/GHSA- pjjw- qhg8-p2p9. * https://github.com/aio-libs/aiohttp/security/advisories/GHSA- gfw2-4jvh- wgfg. * Added `fallback_charset_resolver` parameter in `ClientSession` to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use `fallback_charset_resolver the client * Fixed `PermissionError` when `.netrc` is unreadable due to permissions. * Fixed output of parsing errors * Fixed sorting in `filter_cookies` to use cookie with longest path.
Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4 zypper in -t patch SUSE-2024-577=1
* openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-577=1
* Python 3 Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586) * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1 * python-aiohttp-debugsource-3.9.3-150400.10.14.1 * python311-aiohttp-3.9.3-150400.10.14.1 * python-time-machine-debugsource-2.13.0-150400.9.3.1 * python311-time-machine-debuginfo-2.13.0-150400.9.3.1 * python311-time-machine-2.13.0-150400.9.3.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * python-aiohttp-debugsource-3.9.3-150400.10.14.1 * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1 * python311-aiohttp-3.9.3-150400.10.14.1 * Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64) * python-aiohttp-debugsource-3.9.3-150400.10.14.1 * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1 * python311-aiohttp-3.9.3-150400.10.14.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64) * python-aiohttp-debugsource-3.9.3-150400.10.14.1 * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1 * python311-aiohttp-3.9.3-150400.10.14.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64) * python-aiohttp-debugsource-3.9.3-150400.10.14.1 * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1 * python311-aiohttp-3.9.3-150400.10.14.1 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64) * python-aiohttp-debugsource-3.9.3-150400.10.14.1 * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1 * python311-aiohttp-3.9.3-150400.10.14.1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64) * python-aiohttp-debugsource-3.9.3-150400.10.14.1 * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1 * python311-aiohttp-3.9.3-150400.10.14.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64) * python-aiohttp-debugsource-3.9.3-150400.10.14.1 * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1 * python311-aiohttp-3.9.3-150400.10.14.1
## References:
* https://www.suse.com/security/cve/CVE-2023-47627.html * https://www.suse.com/security/cve/CVE-2023-47641.html * https://www.suse.com/security/cve/CVE-2024-23334.html * https://www.suse.com/security/cve/CVE-2024-23829.html * https://bugzilla.suse.com/show_bug.cgi?id=1217174 * https://bugzilla.suse.com/show_bug.cgi?id=1217181 * https://bugzilla.suse.com/show_bug.cgi?id=1217782 * https://bugzilla.suse.com/show_bug.cgi?id=1219341 * https://bugzilla.suse.com/show_bug.cgi?id=1219342
--===============5249274303798436105== Content-Type: text/html; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit
<div class="container"> <h1>Security update for python-aiohttp, python-time-machine</h1>
<table class="table table-striped table-bordered"> <tbody> <tr> <th>Announcement ID:</th> <td>SUSE-SU-2024:0577-1</td> </tr> <tr> <th>Rating:</th> <td>important</td> </tr> <tr> <th>References:</th> <td> <ul> <li style="display: inline;"> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1217174">bsc#1217174</a> </li> <li style="display: inline;"> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1217181">bsc#1217181</a> </li> <li style="display: inline;"> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1217782">bsc#1217782</a> </li> <li style="display: inline;"> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1219341">bsc#1219341</a> </li> <li style="display: inline;"> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1219342">bsc#1219342</a> </li> </ul> </td> </tr> <tr> <th> Cross-References: </th> <td> <ul> <li style="display: inline;"> <a href="https://www.suse.com/security/cve/CVE-2023-47627.html">CVE-2023-47627</a> </li> <li style="display: inline;"> <a href="https://www.suse.com/security/cve/CVE-2023-47641.html">CVE-2023-47641</a> </li> <li style="display: inline;"> <a href="https://www.suse.com/security/cve/CVE-2024-23334.html">CVE-2024-23334</a> </li> <li style="display: inline;"> <a href="https://www.suse.com/security/cve/CVE-2024-23829.html">CVE-2024-23829</a> </li> </ul> </td> </tr> <tr> <th>CVSS scores:</th> <td> <ul class="list-group"> <li class="list-group-item"> <span class="cvss-reference">CVE-2023-47627</span> <span class="cvss-source"> ( SUSE ): </span> <span class="cvss-score">5.3</span> <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</span> </li> <li class="list-group-item"> <span class="cvss-reference">CVE-2023-47627</span> <span class="cvss-source"> ( NVD ): </span> <span class="cvss-score">7.5</span> <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span> </li> <li class="list-group-item"> <span class="cvss-reference">CVE-2023-47641</span> <span class="cvss-source"> ( SUSE ): </span> <span class="cvss-score">5.4</span> <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N</span> </li> <li class="list-group-item"> <span class="cvss-reference">CVE-2023-47641</span> <span class="cvss-source"> ( NVD ): </span> <span class="cvss-score">6.5</span> <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</span> </li> <li class="list-group-item"> <span class="cvss-reference">CVE-2024-23334</span> <span class="cvss-source"> ( SUSE ): </span> <span class="cvss-score">7.5</span> <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span> </li> <li class="list-group-item"> <span class="cvss-reference">CVE-2024-23334</span> <span class="cvss-source"> ( NVD ): </span> <span class="cvss-score">7.5</span> <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span> </li> <li class="list-group-item"> <span class="cvss-reference">CVE-2024-23829</span> <span class="cvss-source"> ( SUSE ): </span> <span class="cvss-score">5.3</span> <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</span> </li> <li class="list-group-item"> <span class="cvss-reference">CVE-2024-23829</span> <span class="cvss-source"> ( NVD ): </span> <span class="cvss-score">6.5</span> <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L</span> </li> </ul> </td> </tr> <tr> <th>Affected Products:</th> <td> <ul class="list-group"> <li class="list-group-item">openSUSE Leap 15.4</li> <li class="list-group-item">openSUSE Leap 15.5</li> <li class="list-group-item">Python 3 Module 15-SP5</li> <li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4</li> <li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li> <li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li> <li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li> <li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4</li> <li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP4</li> <li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li> <li class="list-group-item">SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4</li> <li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li> <li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li> <li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li> </ul> </td> </tr> </tbody> </table>
<p>An update that solves four vulnerabilities and has one security fix can now be installed.</p>
<h2>Description:</h2> <p>This update for python-aiohttp, python-time-machine fixes the following issues:</p> <p>python-aiohttp was updated to version 3.9.3:</p> <ul> <li>Fixed backwards compatibility breakage (in 3.9.2) of <code>ssl</code> parameter when set outside of <code>ClientSession</code> (e.g. directly in <code>TCPConnector</code>)</li> <li>Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.</li> </ul> <p>From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):</p> <ul> <li>Fixed server-side websocket connection leak.</li> <li>Fixed <code>web.FileResponse</code> doing blocking I/O in the event loop.</li> <li>Fixed double compress when compression enabled and compressed file exists in server file responses.</li> <li>Added runtime type check for <code>ClientSession</code> <code>timeout</code> parameter.</li> <li>Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.</li> <li>Improved validation of paths for static resources requests to the server.</li> <li>Added support for passing :py:data:<code>True</code> to <code>ssl</code> parameter in <code>ClientSession</code> while deprecating :py:data:<code>None</code>.</li> <li>Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.</li> <li>Fixed examples of <code>fallback_charset_resolver</code> function in the :doc:<code>client_advanced</code> document.</li> <li>The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs.</li> <li>The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately.</li> <li>Updated :ref:<code>contributing/Tests coverage &lt;aiohttp-contributing&gt;</code> section to show how we use <code>codecov</code>.</li> <li> <p>Replaced all <code>tmpdir</code> fixtures with <code>tmp_path</code> in test suite.</p> </li> <li> <p>Disable broken tests with openssl 3.2 and python < 3.11 bsc#1217782</p> </li> </ul> <p>update to 3.9.1:</p> <ul> <li>Fixed importing aiohttp under PyPy on Windows.</li> <li>Fixed async concurrency safety in websocket compressor.</li> <li>Fixed <code>ClientResponse.close()</code> releasing the connection instead of closing.</li> <li>Fixed a regression where connection may get closed during upgrade. -- by :user:<code>Dreamsorcerer</code></li> <li>Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:<code>Dreamsorcerer</code></li> </ul> <p>update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)</p> <ul> <li>Introduced <code>AppKey</code> for static typing support of <code>Application</code> storage.</li> <li>Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.</li> <li>Added <code>handler_cancellation</code>_ parameter to cancel web handler on client disconnection.</li> <li>This (optionally) reintroduces a feature removed in a previous release.</li> <li>Recommended for those looking for an extra level of protection against denial-of-service attacks.</li> <li>Added support for setting response header parameters <code>max_line_size</code> and <code>max_field_size</code>.</li> <li>Added <code>auto_decompress</code> parameter to <code>ClientSession.request</code> to override <code>ClientSession._auto_decompress</code>.</li> <li>Changed <code>raise_for_status</code> to allow a coroutine.</li> <li>Added client brotli compression support (optional with runtime check).</li> <li>Added <code>client_max_size</code> to <code>BaseRequest.clone()</code> to allow overriding the request body size. -- :user:<code>anesabml</code>.</li> <li>Added a middleware type alias <code>aiohttp.typedefs.Middleware</code>.</li> <li>Exported <code>HTTPMove</code> which can be used to catch any redirection request that has a location -- :user:<code>dreamsorcerer</code>.</li> <li>Changed the <code>path</code> parameter in <code>web.run_app()</code> to accept a <code>pathlib.Path</code> object.</li> <li>Performance: Skipped filtering <code>CookieJar</code> when the jar is empty or all cookies have expired.</li> <li>Performance: Only check origin if insecure scheme and there are origins to treat as secure, in <code>CookieJar.filter_cookies()</code>.</li> <li>Performance: Used timestamp instead of <code>datetime</code> to achieve faster cookie expiration in <code>CookieJar</code>.</li> <li>Added support for passing a custom server name parameter to HTTPS connection.</li> <li>Added support for using Basic Auth credentials from :file:<code>.netrc</code> file when making HTTP requests with the</li> <li>:py:class:<code>~aiohttp.ClientSession</code> <code>trust_env</code> argument is set to <code>True</code>. -- by :user:<code>yuvipanda</code>.</li> <li>Turned access log into no-op when the logger is disabled.</li> <li>Added typing information to <code>RawResponseMessage</code>. -- by :user:<code>Gobot1234</code></li> <li>Removed <code>async-timeout</code> for Python 3.11+ (replaced with <code>asyncio.timeout()</code> on newer releases).</li> <li>Added support for <code>brotlicffi</code> as an alternative to <code>brotli</code> (fixing Brotli support on PyPy).</li> <li>Added <code>WebSocketResponse.get_extra_info()</code> to access a protocol transport's extra info.</li> <li>Allow <code>link</code> argument to be set to None/empty in HTTP 451 exception.</li> <li>Fixed client timeout not working when incoming data is always available without waiting. -- by :user:<code>Dreamsorcerer</code>.</li> <li>Fixed <code>readuntil</code> to work with a delimiter of more than one character.</li> <li>Added <code>__repr__</code> to <code>EmptyStreamReader</code> to avoid <code>AttributeError</code>.</li> <li>Fixed bug when using <code>TCPConnector</code> with <code>ttl_dns_cache=0</code>.</li> <li>Fixed response returned from expect handler being thrown away. -- by :user:<code>Dreamsorcerer</code></li> <li>Avoided raising <code>UnicodeDecodeError</code> in multipart and in HTTP headers parsing.</li> <li>Changed <code>sock_read</code> timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:<code>dtrifiro</code></li> <li>Fixed missing query in tracing method URLs when using <code>yarl</code> 1.9+.</li> <li>Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a <code>DeprecationWarning</code> on Python 3.12.</li> <li>Fixed <code>EmptyStreamReader.iter_chunks()</code> never ending.</li> <li>Fixed a rare <code>RuntimeError: await wasn&#x27;t used with future</code> exception.</li> <li>Fixed issue with insufficient HTTP method and version validation.</li> <li>Added check to validate that absolute URIs have schemes.</li> <li>Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.</li> <li>Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.</li> <li>Fixed Python HTTP parser not treating 204/304/1xx as an empty body.</li> <li>Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.</li> <li>Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:<code>Dreamsorcerer</code></li> <li>Edge Case Handling for ResponseParser for missing reason value.</li> <li>Fixed <code>ClientWebSocketResponse.close_code</code> being erroneously set to <code>None</code> when there are concurrent async tasks receiving data and closing the connection.</li> <li>Added HTTP method validation.</li> <li>Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:<code>Dreamsorcerer</code></li> <li>Performance: Fixed increase in latency with small messages from websocket compression changes.</li> <li>Improved Documentation</li> <li>Fixed the <code>ClientResponse.release</code>'s type in the doc. Changed from <code>comethod</code> to <code>method</code>.</li> <li>Added information on behavior of base_url parameter in <code>ClientSession</code>.</li> <li>Completed <code>trust_env</code> parameter description to honor <code>wss_proxy</code>, <code>ws_proxy</code> or <code>no_proxy</code> env.</li> <li>Dropped Python 3.6 support.</li> <li>Dropped Python 3.7 support. -- by :user:<code>Dreamsorcerer</code></li> <li>Removed support for abandoned <code>tokio</code> event loop.</li> <li>Made <code>print</code> argument in <code>run_app()</code> optional.</li> <li>Improved performance of <code>ceil_timeout</code> in some cases.</li> <li>Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:<code>Dreamsorcerer</code></li> <li>Improved import time by replacing <code>http.server</code> with <code>http.HTTPStatus</code>.</li> <li>Fixed annotation of <code>ssl</code> parameter to disallow <code>True</code>.</li> </ul> <p>update to 3.8.6 (bsc#1217181, CVE-2023-47627):</p> <ul> <li>Security bugfixes</li> <li>https://github.com/aio-libs/aiohttp/security/advisories/GHSA- pjjw-qhg8-p2p9.</li> <li>https://github.com/aio-libs/aiohttp/security/advisories/GHSA- gfw2-4jvh-wgfg.</li> <li>Added <code>fallback_charset_resolver</code> parameter in <code>ClientSession</code> to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use `fallback_charset_resolver the client</li> <li>Fixed <code>PermissionError</code> when <code>.netrc</code> is unreadable due to permissions.</li> <li>Fixed output of parsing errors</li> <li>Fixed sorting in <code>filter_cookies</code> to use cookie with longest path.</li> </ul> <p>Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)</p>
<h2>Patch Instructions:</h2> <p> To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product: </p> <ul class="list-group"> <li class="list-group-item"> openSUSE Leap 15.4 <br/> <code>zypper in -t patch SUSE-2024-577=1</code> </li> <li class="list-group-item"> openSUSE Leap 15.5 <br/> <code>zypper in -t patch openSUSE-SLE-15.5-2024-577=1</code> </li> <li class="list-group-item"> Python 3 Module 15-SP5 <br/> <code>zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1</code> </li> <li class="list-group-item"> SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 <br/> <code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1</code> </li> <li class="list-group-item"> SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 <br/> <code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1</code> </li> <li class="list-group-item"> SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 <br/> <code>zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1</code> </li> <li class="list-group-item"> SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 <br/> <code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1</code> </li> <li class="list-group-item"> SUSE Linux Enterprise Server for SAP Applications 15 SP4 <br/> <code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1</code> </li> </ul>
<h2>Package List:</h2> <ul> <li> openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586) <ul> <li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li> <li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-3.9.3-150400.10.14.1</li> <li>python-time-machine-debugsource-2.13.0-150400.9.3.1</li> <li>python311-time-machine-debuginfo-2.13.0-150400.9.3.1</li> <li>python311-time-machine-2.13.0-150400.9.3.1</li> </ul> </li> <li> openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) <ul> <li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-3.9.3-150400.10.14.1</li> </ul> </li> <li> Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64) <ul> <li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-3.9.3-150400.10.14.1</li> </ul> </li> <li> SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64) <ul> <li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-3.9.3-150400.10.14.1</li> </ul> </li> <li> SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64) <ul> <li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-3.9.3-150400.10.14.1</li> </ul> </li> <li> SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64) <ul> <li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-3.9.3-150400.10.14.1</li> </ul> </li> <li> SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64) <ul> <li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-3.9.3-150400.10.14.1</li> </ul> </li> <li> SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64) <ul> <li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li> <li>python311-aiohttp-3.9.3-150400.10.14.1</li> </ul> </li> </ul>
<h2>References:</h2> <ul> <li> <a href="https://www.suse.com/security/cve/CVE-2023-47627.html">https://www.suse.com/security/cve/CVE-2023-47627.html</a> </li> <li> <a href="https://www.suse.com/security/cve/CVE-2023-47641.html">https://www.suse.com/security/cve/CVE-2023-47641.html</a> </li> <li> <a href="https://www.suse.com/security/cve/CVE-2024-23334.html">https://www.suse.com/security/cve/CVE-2024-23334.html</a> </li> <li> <a href="https://www.suse.com/security/cve/CVE-2024-23829.html">https://www.suse.com/security/cve/CVE-2024-23829.html</a> </li> <li> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1217174">https://bugzilla.suse.com/show_bug.cgi?id=1217174</a> </li> <li> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1217181">https://bugzilla.suse.com/show_bug.cgi?id=1217181</a> </li> <li> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1217782">https://bugzilla.suse.com/show_bug.cgi?id=1217782</a> </li> <li> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1219341">https://bugzilla.suse.com/show_bug.cgi?id=1219341</a> </li> <li> <a href="https://bugzilla.suse.com/show_bug.cgi?id=1219342">https://bugzilla.suse.com/show_bug.cgi?id=1219342</a> </li> </ul> </div>
--===============5249274303798436105==--
|
|
|
|