SUSE: 2024:0577-1 important: python-aiohttp, python-time-machine
Summary
## This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

* Fixed backwards compatibility breakage (in 3.9.2) of `ssl` parameter when set outside of `ClientSession` (e.g. directly in `TCPConnector`).
* Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

* Fixed server-side websocket connection leak.
* Fixed `web.FileResponse` doing blocking I/O in the event loop.
* Fixed double compress when compression enabled and compressed file exists in server file responses.
* Added runtime type check for `ClientSession` `timeout` parameter.
* Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.
* Improved validation of paths for static resources requests to the server.
* Added support for passing :py:data:`True` to `ssl` parameter in `ClientSession` while deprecating :py:data:`None`.
* Fixed examples of `fallback_charset_resolver` function in the :doc:`client_advanced` document.
* The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs.
* The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately.
* Updated :ref:`contributing/Tests coverage <aiohttp-contributing>` section to show how we use `codecov`.
* Replaced all `tmpdir` fixtures with `tmp_path` in test suite.
* Disable broken tests with openssl 3.2 and python < 3.11 (bsc#1217782).

Update to 3.9.1:

* Fixed importing aiohttp under PyPy on Windows.
* Fixed async concurrency safety in websocket compressor.
* Fixed `ClientResponse.close()` releasing the connection instead of closing.
* Fixed a regression where connection may get closed during upgrade. -- by :user:`Dreamsorcerer`
* Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:`Dreamsorcerer`

Update to 3.9.0 (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082):

* Introduced `AppKey` for static typing support of `Application` storage.
* Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
* Added `handler_cancellation` parameter to cancel web handler on client disconnection.
  * This (optionally) reintroduces a feature removed in a previous release.
  * Recommended for those looking for an extra level of protection against denial-of-service attacks.
* Added support for setting response header parameters `max_line_size` and `max_field_size`.
* Added `auto_decompress` parameter to `ClientSession.request` to override `ClientSession._auto_decompress`.
* Changed `raise_for_status` to allow a coroutine.
* Added client brotli compression support (optional with runtime check).
* Added `client_max_size` to `BaseRequest.clone()` to allow overriding the request body size. -- :user:`anesabml`.
* Added a middleware type alias `aiohttp.typedefs.Middleware`.
* Exported `HTTPMove` which can be used to catch any redirection request that has a location. -- :user:`dreamsorcerer`.
* Changed the `path` parameter in `web.run_app()` to accept a `pathlib.Path` object.
* Performance: Skipped filtering `CookieJar` when the jar is empty or all cookies have expired.
* Performance: Only check origin if insecure scheme and there are origins to treat as secure, in `CookieJar.filter_cookies()`.
* Performance: Used timestamp instead of `datetime` to achieve faster cookie expiration in `CookieJar`.
* Added support for passing a custom server name parameter to HTTPS connection.
* Added support for using Basic Auth credentials from :file:`.netrc` file when making HTTP requests with the :py:class:`~aiohttp.ClientSession` `trust_env` argument set to `True`. -- by :user:`yuvipanda`.
* Turned access log into no-op when the logger is disabled.
* Added typing information to `RawResponseMessage`. -- by :user:`Gobot1234`
* Removed `async-timeout` for Python 3.11+ (replaced with `asyncio.timeout()` on newer releases).
* Added support for `brotlicffi` as an alternative to `brotli` (fixing Brotli support on PyPy).
* Added `WebSocketResponse.get_extra_info()` to access a protocol transport's extra info.
* Allow `link` argument to be set to None/empty in HTTP 451 exception.
* Fixed client timeout not working when incoming data is always available without waiting. -- by :user:`Dreamsorcerer`.
* Fixed `readuntil` to work with a delimiter of more than one character.
* Added `__repr__` to `EmptyStreamReader` to avoid `AttributeError`.
* Fixed bug when using `TCPConnector` with `ttl_dns_cache=0`.
* Fixed response returned from expect handler being thrown away. -- by :user:`Dreamsorcerer`
* Avoided raising `UnicodeDecodeError` in multipart and in HTTP headers parsing.
* Changed `sock_read` timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:`dtrifiro`
* Fixed missing query in tracing method URLs when using `yarl` 1.9+.
* Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a `DeprecationWarning` on Python 3.12.
* Fixed `EmptyStreamReader.iter_chunks()` never ending.
* Fixed a rare `RuntimeError: await wasn't used with future` exception.
* Fixed issue with insufficient HTTP method and version validation.
* Added check to validate that absolute URIs have schemes.
* Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.
* Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.
* Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
* Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
* Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:`Dreamsorcerer`
* Edge case handling for ResponseParser for missing reason value.
* Fixed `ClientWebSocketResponse.close_code` being erroneously set to `None` when there are concurrent async tasks receiving data and closing the connection.
* Added HTTP method validation.
* Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:`Dreamsorcerer`
* Performance: Fixed increase in latency with small messages from websocket compression changes.
* Improved documentation:
  * Fixed the `ClientResponse.release`'s type in the doc. Changed from `comethod` to `method`.
  * Added information on behavior of `base_url` parameter in `ClientSession`.
  * Completed `trust_env` parameter description to honor `wss_proxy`, `ws_proxy` or `no_proxy` env.
* Dropped Python 3.6 support.
* Dropped Python 3.7 support. -- by :user:`Dreamsorcerer`
* Removed support for abandoned `tokio` event loop.
* Made `print` argument in `run_app()` optional.
* Improved performance of `ceil_timeout` in some cases.
* Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:`Dreamsorcerer`
* Improved import time by replacing `http.server` with `http.HTTPStatus`.
* Fixed annotation of `ssl` parameter to disallow `True`.

Update to 3.8.6 (bsc#1217181, CVE-2023-47627):

* Security bugfixes:
  * https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
  * https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
* Added `fallback_charset_resolver` parameter in `ClientSession` to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use the `fallback_charset_resolver` parameter on the client.
* Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
* Fixed output of parsing errors.
* Fixed sorting in `filter_cookies` to use cookie with longest path.

Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  `zypper in -t patch SUSE-2024-577=1`
* openSUSE Leap 15.5
  `zypper in -t patch openSUSE-SLE-15.5-2024-577=1`
* Python 3 Module 15-SP5
  `zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1`
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  `zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1`
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  `zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1`
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  `zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1`
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  `zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1`
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
  `zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1`

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  * python-aiohttp-debugsource-3.9.3-150400.10.14.1
  * python311-aiohttp-3.9.3-150400.10.14.1
  * python-time-machine-debugsource-2.13.0-150400.9.3.1
  * python311-time-machine-debuginfo-2.13.0-150400.9.3.1
  * python311-time-machine-2.13.0-150400.9.3.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-debugsource-3.9.3-150400.10.14.1
  * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  * python311-aiohttp-3.9.3-150400.10.14.1
* Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-debugsource-3.9.3-150400.10.14.1
  * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  * python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  * python-aiohttp-debugsource-3.9.3-150400.10.14.1
  * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  * python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  * python-aiohttp-debugsource-3.9.3-150400.10.14.1
  * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  * python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
  * python-aiohttp-debugsource-3.9.3-150400.10.14.1
  * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  * python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-debugsource-3.9.3-150400.10.14.1
  * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  * python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  * python-aiohttp-debugsource-3.9.3-150400.10.14.1
  * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  * python311-aiohttp-3.9.3-150400.10.14.1
References:
* bsc#1217174
* bsc#1217181
* bsc#1217782
* bsc#1219341
* bsc#1219342
Cross-References:
* CVE-2023-47627
* CVE-2023-47641
* CVE-2024-23334
* CVE-2024-23829
CVSS scores:
* CVE-2023-47627 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2023-47627 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2023-47641 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2023-47641 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-23334 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-23334 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-23829 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2024-23829 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected Products:
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Python 3 Module 15-SP5
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves four vulnerabilities and has one security fix can now be installed.
* https://www.suse.com/security/cve/CVE-2023-47627.html
* https://www.suse.com/security/cve/CVE-2023-47641.html
* https://www.suse.com/security/cve/CVE-2024-23334.html
* https://www.suse.com/security/cve/CVE-2024-23829.html
* https://bugzilla.suse.com/show_bug.cgi?id=1217174
* https://bugzilla.suse.com/show_bug.cgi?id=1217181
* https://bugzilla.suse.com/show_bug.cgi?id=1217782
* https://bugzilla.suse.com/show_bug.cgi?id=1219341
* https://bugzilla.suse.com/show_bug.cgi?id=1219342