File _patchinfo of Package patchinfo.32620

<patchinfo incident="32620">
  <issue tracker="bnc" id="1219341">VUL-0: CVE-2024-23334: python-aiohttp: directory traversal vulnerability when 'follow_symlinks' is True and static routes are configured</issue>
  <issue tracker="bnc" id="1217782">Python packages fail to build with OpenSSL 3.2.0</issue>
  <issue tracker="bnc" id="1219342">VUL-0: CVE-2024-23829: python-aiohttp: HTTP parser still overly lenient about separators</issue>
  <issue tracker="bnc" id="1217181">VUL-0: CVE-2023-47627: python-aiohttp: numerous problems with header parsing which could lead to request smuggling</issue>
  <issue tracker="bnc" id="1217174">VUL-0: CVE-2023-47641: python-aiohttp: inconsistent interpretation of the http protocol</issue>
  <issue tracker="cve" id="2024-23334"/>
  <issue tracker="cve" id="2024-23829"/>
  <issue tracker="cve" id="2023-47641"/>
  <issue tracker="cve" id="2023-47627"/>
  <packager>glaubitz</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python-aiohttp, python-time-machine</summary>
  <description>This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

* Fixed backwards compatibility breakage (in 3.9.2) of ``ssl`` parameter
  when set outside of ``ClientSession`` (e.g. directly in ``TCPConnector``)
* Improved test suite handling of paths and temp files to consistently
  use pathlib and pytest fixtures.

From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

* Fixed server-side websocket connection leak.
* Fixed ``web.FileResponse`` doing blocking I/O in the event loop.
* Fixed double compress when compression enabled and compressed file
  exists in server file responses.
* Added runtime type check for ``ClientSession`` ``timeout`` parameter.
* Fixed an unhandled exception in the Python HTTP parser on header lines
  starting with a colon.
* Improved validation of paths for static resources requests to the server.
* Added support for passing :py:data:`True` to ``ssl`` parameter in
  ``ClientSession`` while deprecating :py:data:`None`.
* Fixed examples of ``fallback_charset_resolver`` function in the
  :doc:`client_advanced` document.
* The Sphinx setup was updated to avoid showing the empty
  changelog draft section in the tagged release documentation
  builds on Read The Docs.
* The changelog categorization was made clearer. The contributors can
  now mark their fragment files more accurately.
* Updated :ref:`contributing/Tests coverage &lt;aiohttp-contributing&gt;`
  section to show how we use ``codecov``.
* Replaced all ``tmpdir`` fixtures with ``tmp_path`` in test suite.

* Disabled broken tests with OpenSSL 3.2 and Python &lt; 3.11 (bsc#1217782).

update to 3.9.1:

* Fixed importing aiohttp under PyPy on Windows.
* Fixed async concurrency safety in websocket compressor.
* Fixed ``ClientResponse.close()`` releasing the connection
  instead of closing.
* Fixed a regression where connection may get closed during
  upgrade. -- by :user:`Dreamsorcerer`
* Fixed messages being reported as upgraded without an Upgrade
  header in Python parser. -- by :user:`Dreamsorcerer`

update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)

* Introduced ``AppKey`` for static typing support of
  ``Application`` storage.
* Added a graceful shutdown period which allows pending tasks
  to complete before the application's cleanup is called.
* Added `handler_cancellation`_ parameter to cancel web handler on
  client disconnection. This (optionally) reintroduces a feature
  removed in a previous release. Recommended for those looking for an
  extra level of protection against denial-of-service attacks.
* Added support for setting response header parameters
  ``max_line_size`` and ``max_field_size``.
* Added ``auto_decompress`` parameter to
  ``ClientSession.request`` to override
  ``ClientSession._auto_decompress``.
* Changed ``raise_for_status`` to allow a coroutine.
* Added client brotli compression support (optional with
  runtime check).
* Added ``client_max_size`` to ``BaseRequest.clone()`` to allow
  overriding the request body size. -- :user:`anesabml`.
* Added a middleware type alias
  ``aiohttp.typedefs.Middleware``.
* Exported ``HTTPMove`` which can be used to catch any
  redirection request that has a location -- :user:`dreamsorcerer`.
* Changed the ``path`` parameter in ``web.run_app()`` to accept
  a ``pathlib.Path`` object.
* Performance: Skipped filtering ``CookieJar`` when the jar is
  empty or all cookies have expired.
* Performance: Only check origin if insecure scheme and there
  are origins to treat as secure, in
  ``CookieJar.filter_cookies()``.
* Performance: Used timestamp instead of ``datetime`` to
  achieve faster cookie expiration in ``CookieJar``.
* Added support for passing a custom server name parameter to
  HTTPS connection.
* Added support for using Basic Auth credentials from
  :file:`.netrc` file when making HTTP requests with the
  :py:class:`~aiohttp.ClientSession` ``trust_env`` argument
  set to ``True``. -- by :user:`yuvipanda`.
* Turned access log into no-op when the logger is disabled.
* Added typing information to ``RawResponseMessage``. -- by
  :user:`Gobot1234`
* Removed ``async-timeout`` for Python 3.11+ (replaced with
  ``asyncio.timeout()`` on newer releases).
* Added support for ``brotlicffi`` as an alternative to
  ``brotli`` (fixing Brotli support on PyPy).
* Added ``WebSocketResponse.get_extra_info()`` to access a
  protocol transport's extra info.
* Allow ``link`` argument to be set to None/empty in HTTP 451
  exception.
* Fixed client timeout not working when incoming data is always
  available without waiting. -- by :user:`Dreamsorcerer`.
* Fixed ``readuntil`` to work with a delimiter of more than one
  character.
* Added ``__repr__`` to ``EmptyStreamReader`` to avoid
  ``AttributeError``.
* Fixed bug when using ``TCPConnector`` with
  ``ttl_dns_cache=0``.
* Fixed response returned from expect handler being thrown
  away. -- by :user:`Dreamsorcerer`
* Avoided raising ``UnicodeDecodeError`` in multipart and in
  HTTP headers parsing.
* Changed ``sock_read`` timeout to start after writing has
  finished, avoiding read timeouts caused by an unfinished
  write. -- by :user:`dtrifiro`
* Fixed missing query in tracing method URLs when using
  ``yarl`` 1.9+.
* Changed max 32-bit timestamp to an aware datetime object, for
  consistency with the non-32-bit one, and to avoid a
  ``DeprecationWarning`` on Python 3.12.
* Fixed ``EmptyStreamReader.iter_chunks()`` never ending.
* Fixed a rare ``RuntimeError: await wasn't used with future``
  exception.
* Fixed issue with insufficient HTTP method and version
  validation.
* Added check to validate that absolute URIs have schemes.
* Fixed unhandled exception when Python HTTP parser encounters
  unpaired Unicode surrogates.
* Updated parser to disallow invalid characters in header field
  names and stop accepting LF as a request line separator.
* Fixed Python HTTP parser not treating 204/304/1xx as an empty
  body.
* Ensure empty body response for 1xx/204/304 per RFC 9112 sec
  6.3.
* Fixed an issue when a client request is closed before
  completing a chunked payload. -- by :user:`Dreamsorcerer`
* Added edge-case handling in ``ResponseParser`` for a missing reason
  value.
* Fixed ``ClientWebSocketResponse.close_code`` being
  erroneously set to ``None`` when there are concurrent async
  tasks receiving data and closing the connection.
* Added HTTP method validation.
* Fixed arbitrary sequence types being allowed to inject values
  via version parameter. -- by :user:`Dreamsorcerer`
* Performance: Fixed increase in latency with small messages
  from websocket compression changes.
Improved documentation:
* Fixed the `ClientResponse.release`'s type in the doc. Changed
  from `comethod` to `method`.
* Added information on behavior of base_url parameter in
  `ClientSession`.
* Completed ``trust_env`` parameter description to honor
  ``wss_proxy``, ``ws_proxy`` or ``no_proxy`` env.
* Dropped Python 3.6 support.
* Dropped Python 3.7 support. -- by :user:`Dreamsorcerer`
* Removed support for abandoned ``tokio`` event loop.
* Made ``print`` argument in ``run_app()`` optional.
* Improved performance of ``ceil_timeout`` in some cases.
* Changed importing Gunicorn to happen on-demand, decreasing
  import time by ~53%. -- :user:`Dreamsorcerer`
* Improved import time by replacing ``http.server`` with
  ``http.HTTPStatus``.
* Fixed annotation of ``ssl`` parameter to disallow ``True``.

update to 3.8.6 (bsc#1217181, CVE-2023-47627):

* Security bugfixes:
  https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
  https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
* Added ``fallback_charset_resolver`` parameter in
  ``ClientSession`` to allow a user-supplied
  character set detection function.
  Character set detection will no longer be included in 3.9 as
  a default. If this feature is needed,
  please use `fallback_charset_resolver
  the client
* Fixed ``PermissionError`` when ``.netrc`` is unreadable due
  to permissions.
* Fixed output of parsing errors
* Fixed sorting in ``filter_cookies`` to use cookie with
  longest path.

Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)
</description>
</patchinfo>