# Security update for python-aiohttp, python-time-machine

Announcement ID: SUSE-SU-2024:0577-1  
Rating: important  
References:

  * bsc#1217174
  * bsc#1217181
  * bsc#1217782
  * bsc#1219341
  * bsc#1219342

  
Cross-References:

  * CVE-2023-47627
  * CVE-2023-47641
  * CVE-2024-23334
  * CVE-2024-23829

  
CVSS scores:

  * CVE-2023-47627 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  * CVE-2023-47627 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  * CVE-2023-47641 ( SUSE ):  5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  * CVE-2023-47641 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2024-23334 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2024-23334 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2024-23829 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  * CVE-2024-23829 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

  
Affected Products:

  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * Python 3 Module 15-SP5
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5

  
  
An update that solves four vulnerabilities and has one security fix can now be
installed.

## Description:

This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

  * Fixed backwards compatibility breakage (in 3.9.2) of `ssl` parameter when
    set outside of `ClientSession` (e.g. directly in `TCPConnector`)
  * Improved test suite handling of paths and temp files to consistently use
    pathlib and pytest fixtures.

From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

  * Fixed server-side websocket connection leak.
  * Fixed `web.FileResponse` doing blocking I/O in the event loop.
  * Fixed double compress when compression enabled and compressed file exists in
    server file responses.
  * Added runtime type check for `ClientSession` `timeout` parameter.
  * Fixed an unhandled exception in the Python HTTP parser on header lines
    starting with a colon.
  * Improved validation of paths for static resources requests to the server.
  * Added support for passing `True` to `ssl` parameter in `ClientSession`
    while deprecating `None`.
  * Fixed examples of `fallback_charset_resolver` function in the
    `client_advanced` document.
  * The Sphinx setup was updated to avoid showing the empty changelog draft
    section in the tagged release documentation builds on Read The Docs.
  * The changelog categorization was made clearer. The contributors can now mark
    their fragment files more accurately.
  * Updated the contributing "Tests coverage" section to show how we use
    `codecov`.
  * Replaced all `tmpdir` fixtures with `tmp_path` in test suite.

  * Disabled tests broken with OpenSSL 3.2 and Python < 3.11 (bsc#1217782).
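The "Improved validation of paths for static resources requests" item above is the fix for CVE-2024-23334. The check it requires, serving only files that stay inside the static root even when a symlink inside the root points outside it, is shown below as an added example in plain Python; it is not aiohttp's code. The `resolve_static` function, its `follow_symlinks` switch and the temporary directory tree with its two symlinks are constructed for this example, and the symlink cases need a filesystem that supports symlinks.

```python
import os
import pathlib
import shutil
import tempfile
from urllib.parse import unquote


class StaticPathError(Exception):
    """Request must be refused (the caller maps this to 403/404)."""


def resolve_static(root: pathlib.Path, url_path: str, *,
                   follow_symlinks: bool = False) -> pathlib.Path:
    """Map the path part of a URL onto a file below ``root``.

    Containment is checked twice: lexically, so that ``..`` (also when
    percent-encoded) can never climb above the root, and again after
    ``resolve()`` so that a symlink inside the root that points outside it
    is refused unless ``follow_symlinks`` was explicitly requested.
    """
    root = root.resolve()
    decoded = unquote(url_path)
    if "\0" in decoded or "\\" in decoded:
        raise StaticPathError("forbidden character in path")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    lexical = pathlib.Path(os.path.normpath(root.joinpath(*segments)))
    if lexical != root and root not in lexical.parents:
        raise StaticPathError("path escapes static root")
    target = lexical.resolve()  # follows symlinks
    if not follow_symlinks and target != root and root not in target.parents:
        raise StaticPathError("symlink escapes static root")
    if not target.is_file():
        raise StaticPathError("not found")
    return target


def demo() -> dict:
    """Exercise the validator against a constructed document root holding one
    symlink that escapes the root and one that stays inside it."""
    base = pathlib.Path(tempfile.mkdtemp())
    try:
        root = base / "static"
        (root / "css").mkdir(parents=True)
        (root / "css" / "site.css").write_text("body{}")
        (base / "secret.txt").write_text("not for the web")
        os.symlink(base / "secret.txt", root / "leak")  # escapes the root
        os.symlink(root / "css", root / "styles")       # stays inside the root

        requests = ["/css/site.css", "/css/../css/site.css", "/../secret.txt",
                    "/%2e%2e/secret.txt", "/leak", "/styles/site.css"]
        results = {}
        for follow in (False, True):
            for req in requests:
                try:
                    resolve_static(root, req, follow_symlinks=follow)
                    results[(follow, req)] = "served"
                except StaticPathError as exc:
                    results[(follow, req)] = str(exc)
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for (follow, req), outcome in sorted(demo().items()):
        print(f"follow_symlinks={follow!s:5} {req:22} -> {outcome}")
```

With `follow_symlinks=False` the `/leak` request is refused even though the symlink itself lives inside the root; only an explicit `follow_symlinks=True` lets the file outside the root be served, which is why that option should stay off for any root that untrusted users can write to.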

update to 3.9.1:

  * Fixed importing aiohttp under PyPy on Windows.
  * Fixed async concurrency safety in websocket compressor.
  * Fixed `ClientResponse.close()` releasing the connection instead of closing.
  * Fixed a regression where connection may get closed during upgrade. -- by
    Dreamsorcerer
  * Fixed messages being reported as upgraded without an Upgrade header in
    Python parser. -- by Dreamsorcerer

update to 3.9.0 (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082):

  * Introduced `AppKey` for static typing support of `Application` storage.
  * Added a graceful shutdown period which allows pending tasks to complete
    before the application's cleanup is called.
  * Added `handler_cancellation` parameter to cancel web handler on client
    disconnection. This (optionally) reintroduces a feature removed in a
    previous release and is recommended for those looking for an extra level
    of protection against denial-of-service attacks.
  * Added support for setting response header parameters `max_line_size` and
    `max_field_size`.
  * Added `auto_decompress` parameter to `ClientSession.request` to override
    `ClientSession._auto_decompress`.
  * Changed `raise_for_status` to allow a coroutine.
  * Added client brotli compression support (optional with runtime check).
  * Added `client_max_size` to `BaseRequest.clone()` to allow overriding the
    request body size. -- by anesabml.
  * Added a middleware type alias `aiohttp.typedefs.Middleware`.
  * Exported `HTTPMove` which can be used to catch any redirection request that
    has a location. -- by dreamsorcerer.
  * Changed the `path` parameter in `web.run_app()` to accept a `pathlib.Path`
    object.
  * Performance: Skipped filtering `CookieJar` when the jar is empty or all
    cookies have expired.
  * Performance: Only check origin if insecure scheme and there are origins to
    treat as secure, in `CookieJar.filter_cookies()`.
  * Performance: Used timestamp instead of `datetime` to achieve faster cookie
    expiration in `CookieJar`.
  * Added support for passing a custom server name parameter to HTTPS
    connection.
  * Added support for using Basic Auth credentials from a `.netrc` file when
    making HTTP requests with the `ClientSession` `trust_env` argument set to
    `True`. -- by yuvipanda.
  * Turned access log into no-op when the logger is disabled.
  * Added typing information to `RawResponseMessage`. -- by Gobot1234
  * Removed `async-timeout` for Python 3.11+ (replaced with `asyncio.timeout()`
    on newer releases).
  * Added support for `brotlicffi` as an alternative to `brotli` (fixing Brotli
    support on PyPy).
  * Added `WebSocketResponse.get_extra_info()` to access a protocol transport's
    extra info.
  * Allow `link` argument to be set to None/empty in HTTP 451 exception.
  * Fixed client timeout not working when incoming data is always available
    without waiting. -- by Dreamsorcerer.
  * Fixed `readuntil` to work with a delimiter of more than one character.
  * Added `__repr__` to `EmptyStreamReader` to avoid `AttributeError`.
  * Fixed bug when using `TCPConnector` with `ttl_dns_cache=0`.
  * Fixed response returned from expect handler being thrown away. -- by
    Dreamsorcerer
  * Avoided raising `UnicodeDecodeError` in multipart and in HTTP headers
    parsing.
  * Changed `sock_read` timeout to start after writing has finished, avoiding
    read timeouts caused by an unfinished write. -- by dtrifiro
  * Fixed missing query in tracing method URLs when using `yarl` 1.9+.
  * Changed max 32-bit timestamp to an aware datetime object, for consistency
    with the non-32-bit one, and to avoid a `DeprecationWarning` on Python 3.12.
  * Fixed `EmptyStreamReader.iter_chunks()` never ending.
  * Fixed a rare `RuntimeError: await wasn't used with future` exception.
  * Fixed issue with insufficient HTTP method and version validation.
  * Added check to validate that absolute URIs have schemes.
  * Fixed unhandled exception when Python HTTP parser encounters unpaired
    Unicode surrogates.
  * Updated parser to disallow invalid characters in header field names and stop
    accepting LF as a request line separator.
  * Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
  * Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
  * Fixed an issue when a client request is closed before completing a chunked
    payload. -- by Dreamsorcerer
  * Edge Case Handling for ResponseParser for missing reason value.
  * Fixed `ClientWebSocketResponse.close_code` being erroneously set to `None`
    when there are concurrent async tasks receiving data and closing the
    connection.
  * Added HTTP method validation.
  * Fixed arbitrary sequence types being allowed to inject values via version
    parameter. -- by Dreamsorcerer
  * Performance: Fixed increase in latency with small messages from websocket
    compression changes.
  * Improved Documentation
  * Fixed the `ClientResponse.release`'s type in the doc. Changed from
    `comethod` to `method`.
  * Added information on behavior of base_url parameter in `ClientSession`.
  * Completed `trust_env` parameter description to honor `wss_proxy`, `ws_proxy`
    or `no_proxy` env.
  * Dropped Python 3.6 support.
  * Dropped Python 3.7 support. -- by Dreamsorcerer
  * Removed support for abandoned `tokio` event loop.
  * Made `print` argument in `run_app()` optional.
  * Improved performance of `ceil_timeout` in some cases.
  * Changed importing Gunicorn to happen on-demand, decreasing import time by
    ~53%. -- by Dreamsorcerer
  * Improved import time by replacing `http.server` with `http.HTTPStatus`.
  * Fixed annotation of `ssl` parameter to disallow `True`.

update to 3.8.6 (bsc#1217181, CVE-2023-47627):

  * Security bugfixes:
    * https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
    * https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
  * Added `fallback_charset_resolver` parameter in `ClientSession` to allow a
    user-supplied character set detection function. Character set detection will
    no longer be included in 3.9 as a default. If this feature is needed, please
    use the `fallback_charset_resolver` parameter of the client.
  * Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
  * Fixed output of parsing errors.
  * Fixed sorting in `filter_cookies` to use cookie with longest path.
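Several items in this changelog tighten the same surface, the HTTP request parser: the 3.9.0 changes (method and version validation, the scheme check for absolute URIs, rejection of invalid characters in header field names and of LF as a request-line separator, the `max_line_size` and `max_field_size` limits), the 3.9.2 fix for header lines starting with a colon (CVE-2024-23829) and the two GitHub security advisories listed under 3.8.6 (CVE-2023-47627). The added example below, which is not aiohttp's parser, shows what a strict request-head validator enforces and why a body whose length can be read two ways (Content-Length alongside Transfer-Encoding, or conflicting Content-Length values, the classic request-smuggling condition) is refused outright. The sample heads are constructed, and `max_line_size`, `max_field_size` and `max_headers` are this example's own parameters, read as the longest accepted line, the longest accepted header value and the largest accepted header count.

```python
import re
import string

# RFC 9110 "tchar": the only characters allowed in methods and header names.
TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
VERSION_RE = re.compile(r"HTTP/1\.[01]")
ABSOLUTE_URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://.+")
DIGITS_RE = re.compile(r"[0-9]+")


class BadRequest(ValueError):
    """Raised for anything a strict parser should answer with 400."""


def _is_token(s: str) -> bool:
    return bool(s) and all(c in TCHAR for c in s)


def parse_request_head(raw: bytes, *, max_line_size: int = 8190,
                       max_field_size: int = 8190, max_headers: int = 100) -> dict:
    """Parse a request head strictly; raise BadRequest instead of guessing."""
    if not raw.endswith(b"\r\n\r\n"):
        raise BadRequest("head must end with CRLF CRLF")
    lines = raw[:-4].split(b"\r\n")
    for line in lines:
        if b"\n" in line or b"\r" in line:  # only CRLF may separate lines
            raise BadRequest("bare CR or LF used as line separator")
        if len(line) > max_line_size:
            raise BadRequest("line too long")
    try:
        text = [line.decode("ascii") for line in lines]
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII byte in head") from None

    # Request line: exactly METHOD SP request-target SP HTTP-version.
    parts = text[0].split(" ")
    if len(parts) != 3:
        raise BadRequest("malformed request line")
    method, target, version = parts
    if not _is_token(method):
        raise BadRequest("invalid method")
    if not VERSION_RE.fullmatch(version):
        raise BadRequest("unsupported HTTP version")
    # origin-form, asterisk-form, or an absolute URI that carries a scheme
    # (authority-form for CONNECT is deliberately not handled here).
    if not (target.startswith("/") or target == "*" or ABSOLUTE_URI_RE.fullmatch(target)):
        raise BadRequest("invalid request target")

    header_lines = text[1:]
    if len(header_lines) > max_headers:
        raise BadRequest("too many header fields")
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        # Catches a leading colon (empty name), whitespace before the colon,
        # obsolete line folding and any other non-token character.
        if not sep or not _is_token(name):
            raise BadRequest(f"invalid header field name {name!r}")
        value = value.strip(" \t")
        if len(value) > max_field_size:
            raise BadRequest("header value too long")
        if any(ord(c) < 0x20 and c != "\t" or c == "\x7f" for c in value):
            raise BadRequest("control character in header value")
        headers.append((name.lower(), value))

    # Framing: refuse any request whose body length could be read two ways.
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        raise BadRequest("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        raise BadRequest("conflicting Content-Length values")
    if cl and not DIGITS_RE.fullmatch(cl[0]):  # no sign, no whitespace, no hex
        raise BadRequest("non-numeric Content-Length")
    if te and [c.strip().lower() for c in ",".join(te).split(",")][-1] != "chunked":
        raise BadRequest("Transfer-Encoding must end with chunked")
    return {"method": method, "target": target, "version": version, "headers": headers,
            "content_length": int(cl[0]) if cl else None, "chunked": bool(te)}


# Constructed request heads (not captured traffic).
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\nHost: example.test\r\n\r\n",
    "colon_first": b"GET / HTTP/1.1\r\n:x: y\r\nHost: example.test\r\n\r\n",
    "space_before_colon": b"GET / HTTP/1.1\r\nHost : example.test\r\n\r\n",
    "bad_method": b"G@T / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "bad_version": b"GET / HTTP/2.0\r\nHost: example.test\r\n\r\n",
    "schemeless_absolute": b"GET example.test/x HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "cl_and_te": (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n"),
    "dual_cl": (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
                b"Content-Length: 10\r\n\r\n"),
    "signed_cl": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: +4\r\n\r\n",
    "long_value": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Big: " + b"a" * 32 + b"\r\n\r\n",
}


def classify(samples=SAMPLES, **limits) -> dict:
    """Run every sample through the parser; map name -> 'accepted' or the reason."""
    out = {}
    for name, raw in samples.items():
        try:
            parse_request_head(raw, **limits)
            out[name] = "accepted"
        except BadRequest as exc:
            out[name] = f"rejected: {exc}"
    return out
```

Every rejection is a hard 400 rather than a best-effort repair: a front-end proxy and a back-end that "repair" the same malformed head differently is exactly the disagreement request smuggling exploits, so the safe answer to ambiguity is to accept none of it. The same holds for the size limits; with `classify(max_field_size=16)` the `long_value` sample is rejected, while the defaults accept it.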

Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch SUSE-2024-577=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-577=1

  * Python 3 Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1

  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1

  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP4  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
    * python-time-machine-debugsource-2.13.0-150400.9.3.1
    * python311-time-machine-debuginfo-2.13.0-150400.9.3.1
    * python311-time-machine-2.13.0-150400.9.3.1
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
    x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
    x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x
    x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
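To confirm remediation on a host, compare the installed `python311-aiohttp` and `python311-time-machine` versions with the fixed version-release strings in the list above. The added example below is not a SUSE tool; it re-implements rpm's `rpmvercmp()` ordering in Python so the comparison also runs where `librpm` is unavailable, and it parses output in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`. The sample output it checks is constructed, and the pre-fix release string in it is illustrative only.

```python
import subprocess

# Fixed (version, release) per package, taken from the Package List above.
FIXED = {
    "python311-aiohttp": ("3.9.3", "150400.10.14.1"),
    "python311-time-machine": ("2.13.0", "150400.9.3.1"),
}

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`.
# The pre-fix aiohttp release string is illustrative, not a real build.
SAMPLE_RPM_QA = """\
python311-aiohttp-3.9.1-150400.10.11.1
python311-time-machine-2.13.0-150400.9.3.1
python311-example-1.0-150400.1.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(): both strings are walked in
    numeric and alphabetic segments, separators are skipped, numeric segments
    compare as integers and beat alphabetic ones, and '~' sorts before
    anything else (pre-release marker)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        si, sj = i, j
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # segment types differ: the numeric one is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whoever has characters left wins


def split_nvr(nvr: str):
    """'name-version-release' -> (name, version, release). Version and release
    never contain '-', so splitting twice from the right is unambiguous.
    Epochs are not handled; none of the packages here carry one."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(installed, fixed) -> int:
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def audit(rpm_qa_output: str, fixed=FIXED) -> dict:
    """Map each advisory package found in the output to 'fixed' or
    'vulnerable: <installed version-release>'."""
    status = {}
    for line in rpm_qa_output.split():
        name, version, release = split_nvr(line)
        if name in fixed:
            ok = compare_vr((version, release), fixed[name]) >= 0
            status[name] = "fixed" if ok else f"vulnerable: {version}-{release}"
    return status


if __name__ == "__main__":
    try:  # query the real database when rpm exists, else use the sample
        out = subprocess.run(["rpm", "-qa", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_RPM_QA
    print(audit(out))
```

Plain string comparison is not enough here: `3.9.3` must sort above `3.9.10` lexically but below it as a version, and the release `150400.10.14.1` must beat `150400.10.9.1`, which is why the segment-wise ordering is needed.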

## References:

  * https://www.suse.com/security/cve/CVE-2023-47627.html
  * https://www.suse.com/security/cve/CVE-2023-47641.html
  * https://www.suse.com/security/cve/CVE-2024-23334.html
  * https://www.suse.com/security/cve/CVE-2024-23829.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1217174
  * https://bugzilla.suse.com/show_bug.cgi?id=1217181
  * https://bugzilla.suse.com/show_bug.cgi?id=1217782
  * https://bugzilla.suse.com/show_bug.cgi?id=1219341
  * https://bugzilla.suse.com/show_bug.cgi?id=1219342

Release date: February 21, 2024