SUSE-SU-2024:0577-1: important: Security update for python-aiohttp, python-time-machine
SLE-SECURITY-UPDATES
null at suse.de
Wed Feb 21 12:30:13 UTC 2024
# Security update for python-aiohttp, python-time-machine
Announcement ID: SUSE-SU-2024:0577-1
Rating: important
References:
* bsc#1217174
* bsc#1217181
* bsc#1217782
* bsc#1219341
* bsc#1219342
Cross-References:
* CVE-2023-47627
* CVE-2023-47641
* CVE-2024-23334
* CVE-2024-23829
CVSS scores:
* CVE-2023-47627 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2023-47627 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2023-47641 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2023-47641 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-23334 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-23334 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-23829 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2024-23829 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected Products:
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* Python 3 Module 15-SP5
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
An update that solves four vulnerabilities and has one security fix can now be
installed.
## Description:
This update for python-aiohttp, python-time-machine fixes the following issues:
python-aiohttp was updated to version 3.9.3:
* Fixed backwards compatibility breakage (in 3.9.2) of `ssl` parameter when
set outside of `ClientSession` (e.g. directly in `TCPConnector`)
* Improved test suite handling of paths and temp files to consistently use
pathlib and pytest fixtures.
From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):
* Fixed server-side websocket connection leak.
* Fixed `web.FileResponse` doing blocking I/O in the event loop.
* Fixed double compress when compression enabled and compressed file exists in
server file responses.
* Added runtime type check for `ClientSession` `timeout` parameter.
* Fixed an unhandled exception in the Python HTTP parser on header lines
starting with a colon.
* Improved validation of paths for static resources requests to the server.
* Added support for passing :py:data:`True` to `ssl` parameter in
`ClientSession` while deprecating :py:data:`None`.
* Fixed examples of `fallback_charset_resolver` function in the
:doc:`client_advanced` document.
* The Sphinx setup was updated to avoid showing the empty changelog draft
section in the tagged release documentation builds on Read The Docs.
* The changelog categorization was made clearer. The contributors can now mark
their fragment files more accurately.
* Updated :ref:`contributing/Tests coverage <aiohttp-contributing>`
section to show how we use `codecov`.
* Replaced all `tmpdir` fixtures with `tmp_path` in test suite.
* Disabled broken tests with OpenSSL 3.2 and Python < 3.11 (bsc#1217782).
Update to 3.9.1:
* Fixed importing aiohttp under PyPy on Windows.
* Fixed async concurrency safety in websocket compressor.
* Fixed `ClientResponse.close()` releasing the connection instead of closing.
* Fixed a regression where connection may get closed during upgrade. -- by
:user:`Dreamsorcerer`
* Fixed messages being reported as upgraded without an Upgrade header in
Python parser. -- by :user:`Dreamsorcerer`
Update to 3.9.0 (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082):
* Introduced `AppKey` for static typing support of `Application` storage.
* Added a graceful shutdown period which allows pending tasks to complete
before the application's cleanup is called.
* Added `handler_cancellation` parameter to cancel web handler on client
disconnection.
  * This (optionally) reintroduces a feature removed in a previous release.
  * Recommended for those looking for an extra level of protection against
denial-of-service attacks.
* Added support for setting response header parameters `max_line_size` and
`max_field_size`.
* Added `auto_decompress` parameter to `ClientSession.request` to override
`ClientSession._auto_decompress`.
* Changed `raise_for_status` to allow a coroutine.
* Added client brotli compression support (optional with runtime check).
* Added `client_max_size` to `BaseRequest.clone()` to allow overriding the
request body size. -- :user:`anesabml`.
* Added a middleware type alias `aiohttp.typedefs.Middleware`.
* Exported `HTTPMove` which can be used to catch any redirection request that
has a location -- :user:`dreamsorcerer`.
* Changed the `path` parameter in `web.run_app()` to accept a `pathlib.Path`
object.
* Performance: Skipped filtering `CookieJar` when the jar is empty or all
cookies have expired.
* Performance: Only check origin if insecure scheme and there are origins to
treat as secure, in `CookieJar.filter_cookies()`.
* Performance: Used timestamp instead of `datetime` to achieve faster cookie
expiration in `CookieJar`.
* Added support for passing a custom server name parameter to HTTPS
connection.
* Added support for using Basic Auth credentials from :file:`.netrc` file when
making HTTP requests with the :py:class:`~aiohttp.ClientSession` `trust_env`
argument set to `True`. -- by :user:`yuvipanda`.
* Turned access log into no-op when the logger is disabled.
* Added typing information to `RawResponseMessage`. -- by :user:`Gobot1234`
* Removed `async-timeout` for Python 3.11+ (replaced with `asyncio.timeout()`
on newer releases).
* Added support for `brotlicffi` as an alternative to `brotli` (fixing Brotli
support on PyPy).
* Added `WebSocketResponse.get_extra_info()` to access a protocol transport's
extra info.
* Allow `link` argument to be set to None/empty in HTTP 451 exception.
* Fixed client timeout not working when incoming data is always available
without waiting. -- by :user:`Dreamsorcerer`.
* Fixed `readuntil` to work with a delimiter of more than one character.
* Added `__repr__` to `EmptyStreamReader` to avoid `AttributeError`.
* Fixed bug when using `TCPConnector` with `ttl_dns_cache=0`.
* Fixed response returned from expect handler being thrown away. -- by
:user:`Dreamsorcerer`
* Avoided raising `UnicodeDecodeError` in multipart and in HTTP headers
parsing.
* Changed `sock_read` timeout to start after writing has finished, avoiding
read timeouts caused by an unfinished write. -- by :user:`dtrifiro`
* Fixed missing query in tracing method URLs when using `yarl` 1.9+.
* Changed max 32-bit timestamp to an aware datetime object, for consistency
with the non-32-bit one, and to avoid a `DeprecationWarning` on Python 3.12.
* Fixed `EmptyStreamReader.iter_chunks()` never ending.
* Fixed a rare `RuntimeError: await wasn't used with future` exception.
* Fixed issue with insufficient HTTP method and version validation.
* Added check to validate that absolute URIs have schemes.
* Fixed unhandled exception when Python HTTP parser encounters unpaired
Unicode surrogates.
* Updated parser to disallow invalid characters in header field names and stop
accepting LF as a request line separator.
* Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
* Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
* Fixed an issue when a client request is closed before completing a chunked
payload. -- by :user:`Dreamsorcerer`
* Edge Case Handling for ResponseParser for missing reason value.
* Fixed `ClientWebSocketResponse.close_code` being erroneously set to `None`
when there are concurrent async tasks receiving data and closing the
connection.
* Added HTTP method validation.
* Fixed arbitrary sequence types being allowed to inject values via version
parameter. -- by :user:`Dreamsorcerer`
* Performance: Fixed increase in latency with small messages from websocket
compression changes.
* Improved Documentation
* Fixed the `ClientResponse.release`'s type in the doc. Changed from
`comethod` to `method`.
* Added information on behavior of base_url parameter in `ClientSession`.
* Completed `trust_env` parameter description to honor `wss_proxy`, `ws_proxy`
or `no_proxy` env.
* Dropped Python 3.6 support.
* Dropped Python 3.7 support. -- by :user:`Dreamsorcerer`
* Removed support for abandoned `tokio` event loop.
* Made `print` argument in `run_app()` optional.
* Improved performance of `ceil_timeout` in some cases.
* Changed importing Gunicorn to happen on-demand, decreasing import time by
~53%. -- :user:`Dreamsorcerer`
* Improved import time by replacing `http.server` with `http.HTTPStatus`.
* Fixed annotation of `ssl` parameter to disallow `True`.
Update to 3.8.6 (bsc#1217181, CVE-2023-47627):
* Security bugfixes
  * https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
  * https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
* Added `fallback_charset_resolver` parameter in `ClientSession` to allow a
user-supplied character set detection function. Character set detection will
no longer be included in 3.9 as a default. If this feature is needed, please
use `fallback_charset_resolver` in the client.
* Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
* Fixed output of parsing errors
* Fixed sorting in `filter_cookies` to use cookie with longest path.
Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.4
zypper in -t patch SUSE-2024-577=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-577=1
* Python 3 Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1
## Package List:
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* python-time-machine-debugsource-2.13.0-150400.9.3.1
* python311-time-machine-debuginfo-2.13.0-150400.9.3.1
* python311-time-machine-2.13.0-150400.9.3.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x
x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
* python-aiohttp-debugsource-3.9.3-150400.10.14.1
* python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
* python311-aiohttp-3.9.3-150400.10.14.1
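To confirm that a host actually carries the fixed builds listed above rather than an older build of the same upstream version, the following added example (not part of the SUSE advisory) compares installed `VERSION-RELEASE` strings against the advisory's values using rpm's segment-by-segment ordering. The `rpm -q` output it parses is a constructed sample; on a real host feed it the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' python311-aiohttp python311-time-machine`.

```python
import itertools
import re

# Fixed VERSION-RELEASE per package, taken from this advisory's package list.
FIXED = {
    "python311-aiohttp": "3.9.3-150400.10.14.1",
    "python311-time-machine": "2.13.0-150400.9.3.1",
}
# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output:
# aiohttp already at the fixed build, time-machine one build behind.
SAMPLE_RPM_OUTPUT = """\
python311-aiohttp 3.9.3-150400.10.14.1
python311-time-machine 2.13.0-150400.9.2.1
package python311-aiohttp-debuginfo is not installed
"""
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """rpm-style ordering: numeric segments as ints, alpha as strings, number
    beats alpha, '~' sorts before anything, more segments beats fewer."""
    for x, y in itertools.zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~" or y == "~":          # the tilde side is the older one
            return -1 if x == "~" else 1
        if x is None or y is None:        # one string ran out of segments
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):          # "01" and "1" are equal, keep going
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():  # numeric beats alphabetic
            return 1 if x.isdigit() else -1
        else:
            return -1 if x < y else 1
    return 0

def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed VERSION-RELEASE is at or above the fixed one."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def audit(rpm_output: str) -> dict:
    """Map each advisory package seen in rpm output to fixed (True) or not."""
    status = {}
    for line in rpm_output.splitlines():
        parts = line.split()  # 'package X is not installed' has >2 fields
        if len(parts) == 2 and parts[0] in FIXED:
            status[parts[0]] = is_fixed(parts[1], FIXED[parts[0]])
    return status
```

Comparing the release suffix matters here because an unpatched and a patched build can share the upstream version string (e.g. both report 3.9.3).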
## References:
* https://www.suse.com/security/cve/CVE-2023-47627.html
* https://www.suse.com/security/cve/CVE-2023-47641.html
* https://www.suse.com/security/cve/CVE-2024-23334.html
* https://www.suse.com/security/cve/CVE-2024-23829.html
* https://bugzilla.suse.com/show_bug.cgi?id=1217174
* https://bugzilla.suse.com/show_bug.cgi?id=1217181
* https://bugzilla.suse.com/show_bug.cgi?id=1217782
* https://bugzilla.suse.com/show_bug.cgi?id=1219341
* https://bugzilla.suse.com/show_bug.cgi?id=1219342