Security: Multiple issues in python-aiohttp and python-time-machine
Name: Multiple issues in python-aiohttp and python-time-machine
ID: SUSE-SU-2024:0577-1
Distribution: SUSE
Platforms: SUSE Linux Enterprise High Performance Computing 15 SP4, SUSE Linux Enterprise Server 15 SP4, SUSE Linux Enterprise Server for SAP Applications 15 SP4, SUSE Linux Enterprise Server for SAP Applications 15 SP5, SUSE Linux Enterprise Server 15 SP5, SUSE Linux Enterprise High Performance Computing 15 SP5, SUSE Linux Enterprise Desktop 15 SP5, SUSE openSUSE Leap 15.5, SUSE openSUSE Leap 15.4, SUSE Python 3 Module 15-SP5, SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4, SUSE Linux Enterprise High Performance Computing LTSS 15 SP4, SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4, SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
Date: Wed, 21 February 2024, 23:47
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23334
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47627
Applications: python-aiohttp, python-time-machine

Original message

# Security update for python-aiohttp, python-time-machine

Announcement ID: SUSE-SU-2024:0577-1
Rating: important
References:

* bsc#1217174
* bsc#1217181
* bsc#1217782
* bsc#1219341
* bsc#1219342


Cross-References:

* CVE-2023-47627
* CVE-2023-47641
* CVE-2024-23334
* CVE-2024-23829


CVSS scores:

* CVE-2023-47627 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2023-47627 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2023-47641 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2023-47641 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-23334 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-23334 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-23829 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2024-23829 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L


Affected Products:

* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Python 3 Module 15-SP5
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5



An update that solves four vulnerabilities and has one security fix can now be
installed.

## Description:

This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

* Fixed backwards compatibility breakage (in 3.9.2) of `ssl` parameter when
set outside of `ClientSession` (e.g. directly in `TCPConnector`)
* Improved test suite handling of paths and temp files to consistently use
pathlib and pytest fixtures.

From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

* Fixed server-side websocket connection leak.
* Fixed `web.FileResponse` doing blocking I/O in the event loop.
* Fixed double compress when compression enabled and compressed file exists
in server file responses.
* Added runtime type check for `ClientSession` `timeout` parameter.
* Fixed an unhandled exception in the Python HTTP parser on header lines
starting with a colon.
* Improved validation of paths for static resources requests to the server.
* Added support for passing :py:data:`True` to `ssl` parameter in
`ClientSession` while deprecating :py:data:`None`.
* Fixed examples of `fallback_charset_resolver` function in the
:doc:`client_advanced` document.
* The Sphinx setup was updated to avoid showing the empty changelog draft
section in the tagged release documentation builds on Read The Docs.
* The changelog categorization was made clearer. The contributors can now
mark their fragment files more accurately.
* Updated :ref:`contributing/Tests coverage <aiohttp-contributing>` section
to show how we use `codecov`.
* Replaced all `tmpdir` fixtures with `tmp_path` in test suite.

* Disable broken tests with openssl 3.2 and python < 3.11 bsc#1217782

update to 3.9.1:

* Fixed importing aiohttp under PyPy on Windows.
* Fixed async concurrency safety in websocket compressor.
* Fixed `ClientResponse.close()` releasing the connection instead of closing.
* Fixed a regression where connection may get closed during upgrade. -- by
:user:`Dreamsorcerer`
* Fixed messages being reported as upgraded without an Upgrade header in
Python parser. -- by :user:`Dreamsorcerer`

update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)

* Introduced `AppKey` for static typing support of `Application` storage.
* Added a graceful shutdown period which allows pending tasks to complete
before the application's cleanup is called.
* Added `handler_cancellation` parameter to cancel web handler on client
disconnection.
  * This (optionally) reintroduces a feature removed in a previous release.
  * Recommended for those looking for an extra level of protection against
denial-of-service attacks.
* Added support for setting response header parameters `max_line_size` and
`max_field_size`.
* Added `auto_decompress` parameter to `ClientSession.request` to override
`ClientSession._auto_decompress`.
* Changed `raise_for_status` to allow a coroutine.
* Added client brotli compression support (optional with runtime check).
* Added `client_max_size` to `BaseRequest.clone()` to allow overriding the
request body size. -- :user:`anesabml`.
* Added a middleware type alias `aiohttp.typedefs.Middleware`.
* Exported `HTTPMove` which can be used to catch any redirection request that
has a location -- :user:`dreamsorcerer`.
* Changed the `path` parameter in `web.run_app()` to accept a `pathlib.Path`
object.
* Performance: Skipped filtering `CookieJar` when the jar is empty or all
cookies have expired.
* Performance: Only check origin if insecure scheme and there are origins to
treat as secure, in `CookieJar.filter_cookies()`.
* Performance: Used timestamp instead of `datetime` to achieve faster cookie
expiration in `CookieJar`.
* Added support for passing a custom server name parameter to HTTPS
connection.
* Added support for using Basic Auth credentials from :file:`.netrc` file
when making HTTP requests with the :py:class:`~aiohttp.ClientSession`
`trust_env` argument set to `True`. -- by :user:`yuvipanda`.
* Turned access log into no-op when the logger is disabled.
* Added typing information to `RawResponseMessage`. -- by :user:`Gobot1234`
* Removed `async-timeout` for Python 3.11+ (replaced with `asyncio.timeout()`
on newer releases).
* Added support for `brotlicffi` as an alternative to `brotli` (fixing Brotli
support on PyPy).
* Added `WebSocketResponse.get_extra_info()` to access a protocol transport's
extra info.
* Allow `link` argument to be set to None/empty in HTTP 451 exception.
* Fixed client timeout not working when incoming data is always available
without waiting. -- by :user:`Dreamsorcerer`.
* Fixed `readuntil` to work with a delimiter of more than one character.
* Added `__repr__` to `EmptyStreamReader` to avoid `AttributeError`.
* Fixed bug when using `TCPConnector` with `ttl_dns_cache=0`.
* Fixed response returned from expect handler being thrown away. -- by
:user:`Dreamsorcerer`
* Avoided raising `UnicodeDecodeError` in multipart and in HTTP headers
parsing.
* Changed `sock_read` timeout to start after writing has finished, avoiding
read timeouts caused by an unfinished write. -- by :user:`dtrifiro`
* Fixed missing query in tracing method URLs when using `yarl` 1.9+.
* Changed max 32-bit timestamp to an aware datetime object, for consistency
with the non-32-bit one, and to avoid a `DeprecationWarning` on Python
3.12.
* Fixed `EmptyStreamReader.iter_chunks()` never ending.
* Fixed a rare `RuntimeError: await wasn't used with future` exception.
* Fixed issue with insufficient HTTP method and version validation.
* Added check to validate that absolute URIs have schemes.
* Fixed unhandled exception when Python HTTP parser encounters unpaired
Unicode surrogates.
* Updated parser to disallow invalid characters in header field names and
stop accepting LF as a request line separator.
* Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
* Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
* Fixed an issue when a client request is closed before completing a chunked
payload. -- by :user:`Dreamsorcerer`
* Edge Case Handling for ResponseParser for missing reason value.
* Fixed `ClientWebSocketResponse.close_code` being erroneously set to `None`
when there are concurrent async tasks receiving data and closing the
connection.
* Added HTTP method validation.
* Fixed arbitrary sequence types being allowed to inject values via version
parameter. -- by :user:`Dreamsorcerer`
* Performance: Fixed increase in latency with small messages from websocket
compression changes.
* Improved Documentation
* Fixed the `ClientResponse.release`'s type in the doc. Changed from
`comethod` to `method`.
* Added information on behavior of base_url parameter in `ClientSession`.
* Completed `trust_env` parameter description to honor `wss_proxy`,
`ws_proxy` or `no_proxy` env.
* Dropped Python 3.6 support.
* Dropped Python 3.7 support. -- by :user:`Dreamsorcerer`
* Removed support for abandoned `tokio` event loop.
* Made `print` argument in `run_app()` optional.
* Improved performance of `ceil_timeout` in some cases.
* Changed importing Gunicorn to happen on-demand, decreasing import time by
~53%. -- :user:`Dreamsorcerer`
* Improved import time by replacing `http.server` with `http.HTTPStatus`.
* Fixed annotation of `ssl` parameter to disallow `True`.

update to 3.8.6 (bsc#1217181, CVE-2023-47627):

* Security bugfixes
* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
* Added `fallback_charset_resolver` parameter in `ClientSession` to allow a
user-supplied character set detection function. Character set detection
will no longer be included in 3.9 as a default. If this feature is needed,
please use `fallback_charset_resolver` the client
* Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
* Fixed output of parsing errors
* Fixed sorting in `filter_cookies` to use cookie with longest path.

Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch SUSE-2024-577=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-577=1

* Python 3 Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1

* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1

* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* python-time-machine-debugsource-2.13.0-150400.9.3.1
* python311-time-machine-debuginfo-2.13.0-150400.9.3.1
* python311-time-machine-2.13.0-150400.9.3.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
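As an added check (not part of the SUSE advisory or of aiohttp itself), the script below parses package lines in the format of the package list above and reports which of the CVEs named in this advisory are still open for a given upstream aiohttp version, using the fixed-in versions the changelog attributes to each CVE. `FIXED_IN`, `parse_nvr`, `open_cves`, `audit` and the sample package lines are this example's own assumptions; the last sample line is a constructed older build, not a real SUSE package.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum upstream aiohttp version carrying each fix, as the changelog in this
# advisory attributes them (3.8.0 for CVE-2023-47641 as the page lists it).
FIXED_IN: Dict[str, str] = {
    "CVE-2023-47641": "3.8.0",
    "CVE-2023-47627": "3.8.6",
    "CVE-2023-49081": "3.9.0",
    "CVE-2023-49082": "3.9.0",
    "CVE-2024-23334": "3.9.2",
    "CVE-2024-23829": "3.9.2",
}

# RPM name-version-release as printed in the advisory's package list, e.g.
# python311-aiohttp-3.9.3-150400.10.14.1: the version part is the upstream
# aiohttp version, the release part is SUSE's build number.
_NVR_RE = re.compile(
    r"^(?P<name>python\d*-aiohttp(?:-debuginfo|-debugsource)?)"
    r"-(?P<version>\d+(?:\.\d+)*)"
    r"-(?P<release>[0-9.]+)$"
)


def _clean(line: str) -> str:
    """Drop the leading '* ' bullet and surrounding whitespace of a list line."""
    return line.strip().lstrip("* ").strip()


def parse_nvr(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an aiohttp package line into (name, version, release); None if not aiohttp."""
    m = _NVR_RE.match(_clean(line))
    if not m:
        return None
    return m.group("name"), m.group("version"), m.group("release")


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare upstream versions numerically (3.9.10 > 3.9.3, unlike a string compare)."""
    return tuple(int(part) for part in version.split("."))


def open_cves(version: str) -> List[str]:
    """CVEs from this advisory whose fix landed in a later upstream version than `version`."""
    have = version_tuple(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if have < version_tuple(fixed))


def audit(package_lines: List[str]) -> Dict[str, List[str]]:
    """Map each aiohttp package line to the CVEs still open by upstream version.

    Caveat: an upstream version below a threshold is not proof of exposure on
    SUSE, which may backport fixes without bumping the version; the advisory's
    package list and `zypper patch` are authoritative. Non-aiohttp lines are skipped.
    """
    result: Dict[str, List[str]] = {}
    for line in package_lines:
        parsed = parse_nvr(line)
        if parsed is None:
            continue
        _name, version, _release = parsed
        result[_clean(line)] = open_cves(version)
    return result


# Constructed sample: the first three lines are taken from this advisory's
# openSUSE Leap 15.4 package list; the last is a hypothetical older build.
SAMPLE_PACKAGES = [
    "* python311-aiohttp-3.9.3-150400.10.14.1",
    "* python-aiohttp-debugsource-3.9.3-150400.10.14.1",
    "* python311-time-machine-2.13.0-150400.9.3.1",
    "* python3-aiohttp-3.8.5-150400.1.1",  # constructed, not a real SUSE build
]

if __name__ == "__main__":
    for pkg, cves in audit(SAMPLE_PACKAGES).items():
        print(pkg, "->", "all listed CVEs fixed" if not cves else ", ".join(cves))
```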

## References:

* https://www.suse.com/security/cve/CVE-2023-47627.html
* https://www.suse.com/security/cve/CVE-2023-47641.html
* https://www.suse.com/security/cve/CVE-2024-23334.html
* https://www.suse.com/security/cve/CVE-2024-23829.html
* https://bugzilla.suse.com/show_bug.cgi?id=1217174
* https://bugzilla.suse.com/show_bug.cgi?id=1217181
* https://bugzilla.suse.com/show_bug.cgi?id=1217782
* https://bugzilla.suse.com/show_bug.cgi?id=1219341
* https://bugzilla.suse.com/show_bug.cgi?id=1219342

