<div class="container">
<h1>Security update for python-aiohttp, python-time-machine</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2024:0577-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217174">bsc#1217174</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217181">bsc#1217181</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217782">bsc#1217782</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219341">bsc#1219341</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219342">bsc#1219342</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-47627.html">CVE-2023-47627</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-47641.html">CVE-2023-47641</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-23334.html">CVE-2024-23334</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-23829.html">CVE-2024-23829</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-47627</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-47627</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-47641</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-47641</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23334</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23334</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23829</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-23829</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">openSUSE Leap 15.5</li>
<li class="list-group-item">Python 3 Module 15-SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves four vulnerabilities and has one security fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for python-aiohttp, python-time-machine fixes the following issues:</p>
<p>python-aiohttp was updated to version 3.9.3:</p>
<ul>
<li>Fixed backwards compatibility breakage (in 3.9.2) of <code>ssl</code> parameter
when set outside of <code>ClientSession</code> (e.g. directly in <code>TCPConnector</code>)</li>
<li>Improved test suite handling of paths and temp files to consistently
use pathlib and pytest fixtures.</li>
</ul>
<p>From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):</p>
<ul>
<li>Fixed server-side websocket connection leak.</li>
<li>Fixed <code>web.FileResponse</code> doing blocking I/O in the event loop.</li>
<li>Fixed double compress when compression enabled and compressed file
exists in server file responses.</li>
<li>Added runtime type check for <code>ClientSession</code> <code>timeout</code> parameter.</li>
<li>Fixed an unhandled exception in the Python HTTP parser on header lines
starting with a colon.</li>
<li>Improved validation of paths for static resources requests to the server.</li>
<li>Added support for passing <code>True</code> to <code>ssl</code> parameter in
<code>ClientSession</code> while deprecating <code>None</code>.</li>
<li>Fixed examples of <code>fallback_charset_resolver</code> function in the
<code>client_advanced</code> document.</li>
<li>The Sphinx setup was updated to avoid showing the empty
changelog draft section in the tagged release documentation
builds on Read The Docs.</li>
<li>The changelog categorization was made clearer. The contributors can
now mark their fragment files more accurately.</li>
<li>Updated the <code>contributing/Tests coverage</code>
section to show how we use <code>codecov</code>.</li>
<li>
<p>Replaced all <code>tmpdir</code> fixtures with <code>tmp_path</code> in test suite.</p>
</li>
<li>
<p>Disable broken tests with openssl 3.2 and python &lt; 3.11 (bsc#1217782)</p>
</li>
</ul>
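<p>The 3.9.2 entries above include improved validation of paths for static resource requests to the server. The check such a handler needs is containment: the lexically normalised path must stay under the document root, and when symlinks are followed the resolved target must stay under it too, because a lexical check alone is exactly what a symlink pointing outside the tree bypasses. What follows is an added example written for this page in Python; it is not aiohttp's own static handler, the function and directory layout are this example's own, and the sample tree is constructed in a temporary directory so it runs offline.</p>

```python
"""Static-file path containment check (added example; not aiohttp's code)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def resolve_static_path(root: Path, request_path: str,
                        follow_symlinks: bool = False) -> Path | None:
    """Map the path part of a request onto a file under ``root``.

    Returns the filesystem path to serve, or None when the request would
    escape ``root``. ``request_path`` is assumed to be already
    percent-decoded, which is what a framework hands a static handler.
    """
    root_resolved = root.resolve(strict=True)
    # Ignore empty segments so "//" and a trailing "/" do not matter.
    segments = [s for s in request_path.split("/") if s]
    candidate = root_resolved.joinpath(*segments)
    # Collapse "." and ".." lexically before touching the filesystem.
    normalized = Path(os.path.normpath(candidate))
    if not normalized.is_relative_to(root_resolved):
        return None  # "../" climbed above the document root
    if not follow_symlinks:
        # Refuse if any component below the root is itself a symlink.
        probe = root_resolved
        for part in normalized.relative_to(root_resolved).parts:
            probe = probe / part
            if probe.is_symlink():
                return None
        return normalized
    # Symlinks allowed, but the *resolved* target must still lie inside root;
    # checking only the lexical path is exactly the gap a symlink escape uses.
    target = normalized.resolve()
    return target if target.is_relative_to(root_resolved) else None


def demo() -> dict[str, object]:
    """Exercise the check against a constructed tree in a temp directory:

        site/css/app.css       legitimate asset
        site/out -> ../secret  symlink pointing outside the root
        secret/key.pem         must never be served
    """
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "site"
        (root / "css").mkdir(parents=True)
        (root / "css" / "app.css").write_text("body{}")
        (base / "secret").mkdir()
        (base / "secret" / "key.pem").write_text("PRIVATE")
        try:
            (root / "out").symlink_to(base / "secret")
            have_symlink = True
        except OSError:  # filesystem without symlink support
            have_symlink = False

        def served(path: str, **kw: bool) -> Path | None:
            return resolve_static_path(root, path, **kw)

        results["asset"] = served("/css/app.css") == root / "css" / "app.css"
        results["double_slash"] = served("//css//app.css") == root / "css" / "app.css"
        results["dotdot"] = served("/css/../../secret/key.pem")
        results["dotdot_deep"] = served("/../../../../etc/passwd")
        if have_symlink:
            results["symlink_nofollow"] = served("/out/key.pem")
            results["symlink_follow"] = served("/out/key.pem", follow_symlinks=True)
        else:
            results["symlink_nofollow"] = results["symlink_follow"] = "unsupported"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} -> {value}")
```

<p>Both traversal requests and the symlink escape come back as None regardless of the <code>follow_symlinks</code> setting, while the legitimate asset is served; the check is done on the decoded path, so a handler must decode before calling it, not after.</p>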
<p>update to 3.9.1:</p>
<ul>
<li>Fixed importing aiohttp under PyPy on Windows.</li>
<li>Fixed async concurrency safety in websocket compressor.</li>
<li>Fixed <code>ClientResponse.close()</code> releasing the connection
instead of closing.</li>
<li>Fixed a regression where connection may get closed during
upgrade. -- by Dreamsorcerer</li>
<li>Fixed messages being reported as upgraded without an Upgrade
header in Python parser. -- by Dreamsorcerer</li>
</ul>
<p>update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)</p>
<ul>
<li>Introduced <code>AppKey</code> for static typing support of
<code>Application</code> storage.</li>
<li>Added a graceful shutdown period which allows pending tasks
to complete before the application's cleanup is called.</li>
<li>Added <code>handler_cancellation</code> parameter to cancel web handler on
client disconnection. This (optionally) reintroduces a feature removed in a
previous release. Recommended for those looking for an extra level of
protection against denial-of-service attacks.</li>
<li>Added support for setting response header parameters
<code>max_line_size</code> and <code>max_field_size</code>.</li>
<li>Added <code>auto_decompress</code> parameter to
<code>ClientSession.request</code> to override
<code>ClientSession._auto_decompress</code>.</li>
<li>Changed <code>raise_for_status</code> to allow a coroutine.</li>
<li>Added client brotli compression support (optional with
runtime check).</li>
<li>Added <code>client_max_size</code> to <code>BaseRequest.clone()</code> to allow
overriding the request body size. -- by anesabml</li>
<li>Added a middleware type alias
<code>aiohttp.typedefs.Middleware</code>.</li>
<li>Exported <code>HTTPMove</code> which can be used to catch any
redirection request that has a location. -- by dreamsorcerer</li>
<li>Changed the <code>path</code> parameter in <code>web.run_app()</code> to accept
a <code>pathlib.Path</code> object.</li>
<li>Performance: Skipped filtering <code>CookieJar</code> when the jar is
empty or all cookies have expired.</li>
<li>Performance: Only check origin if insecure scheme and there
are origins to treat as secure, in
<code>CookieJar.filter_cookies()</code>.</li>
<li>Performance: Used timestamp instead of <code>datetime</code> to
achieve faster cookie expiration in <code>CookieJar</code>.</li>
<li>Added support for passing a custom server name parameter to
HTTPS connection.</li>
<li>Added support for using Basic Auth credentials from a
<code>.netrc</code> file when making HTTP requests with the
<code>ClientSession</code> <code>trust_env</code> argument
set to <code>True</code>. -- by yuvipanda</li>
<li>Turned access log into no-op when the logger is disabled.</li>
<li>Added typing information to <code>RawResponseMessage</code>. -- by
Gobot1234</li>
<li>Removed <code>async-timeout</code> for Python 3.11+ (replaced with
<code>asyncio.timeout()</code> on newer releases).</li>
<li>Added support for <code>brotlicffi</code> as an alternative to
<code>brotli</code> (fixing Brotli support on PyPy).</li>
<li>Added <code>WebSocketResponse.get_extra_info()</code> to access a
protocol transport's extra info.</li>
<li>Allow <code>link</code> argument to be set to None/empty in HTTP 451
exception.</li>
<li>Fixed client timeout not working when incoming data is always
available without waiting. -- by Dreamsorcerer</li>
<li>Fixed <code>readuntil</code> to work with a delimiter of more than one
character.</li>
<li>Added <code>__repr__</code> to <code>EmptyStreamReader</code> to avoid
<code>AttributeError</code>.</li>
<li>Fixed bug when using <code>TCPConnector</code> with
<code>ttl_dns_cache=0</code>.</li>
<li>Fixed response returned from expect handler being thrown
away. -- by Dreamsorcerer</li>
<li>Avoided raising <code>UnicodeDecodeError</code> in multipart and in
HTTP headers parsing.</li>
<li>Changed <code>sock_read</code> timeout to start after writing has
finished, avoiding read timeouts caused by an unfinished
write. -- by dtrifiro</li>
<li>Fixed missing query in tracing method URLs when using
<code>yarl</code> 1.9+.</li>
<li>Changed max 32-bit timestamp to an aware datetime object, for
consistency with the non-32-bit one, and to avoid a
<code>DeprecationWarning</code> on Python 3.12.</li>
<li>Fixed <code>EmptyStreamReader.iter_chunks()</code> never ending.</li>
<li>Fixed a rare <code>RuntimeError: await wasn't used with future</code>
exception.</li>
<li>Fixed issue with insufficient HTTP method and version
validation.</li>
<li>Added check to validate that absolute URIs have schemes.</li>
<li>Fixed unhandled exception when Python HTTP parser encounters
unpaired Unicode surrogates.</li>
<li>Updated parser to disallow invalid characters in header field
names and stop accepting LF as a request line separator.</li>
<li>Fixed Python HTTP parser not treating 204/304/1xx as an empty
body.</li>
<li>Ensure empty body response for 1xx/204/304 per RFC 9112 sec
6.3.</li>
<li>Fixed an issue when a client request is closed before
completing a chunked payload. -- by Dreamsorcerer</li>
<li>Added edge-case handling in <code>ResponseParser</code> for a missing
reason value.</li>
<li>Fixed <code>ClientWebSocketResponse.close_code</code> being
erroneously set to <code>None</code> when there are concurrent async
tasks receiving data and closing the connection.</li>
<li>Added HTTP method validation.</li>
<li>Fixed arbitrary sequence types being allowed to inject values
via the version parameter. -- by Dreamsorcerer</li>
<li>Performance: Fixed increase in latency with small messages
from websocket compression changes.</li>
<li>Improved Documentation</li>
<li>Fixed the <code>ClientResponse.release</code>'s type in the doc. Changed
from <code>comethod</code> to <code>method</code>.</li>
<li>Added information on behavior of base_url parameter in
<code>ClientSession</code>.</li>
<li>Completed <code>trust_env</code> parameter description to honor
<code>wss_proxy</code>, <code>ws_proxy</code> or <code>no_proxy</code> env.</li>
<li>Dropped Python 3.6 support.</li>
<li>Dropped Python 3.7 support. -- by Dreamsorcerer</li>
<li>Removed support for abandoned <code>tokio</code> event loop.</li>
<li>Made <code>print</code> argument in <code>run_app()</code> optional.</li>
<li>Improved performance of <code>ceil_timeout</code> in some cases.</li>
<li>Changed importing Gunicorn to happen on-demand, decreasing
import time by ~53%. -- by Dreamsorcerer</li>
<li>Improved import time by replacing <code>http.server</code> with
<code>http.HTTPStatus</code>.</li>
<li>Fixed annotation of <code>ssl</code> parameter to disallow <code>True</code>.</li>
</ul>
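<p>Several of the 3.9.0 parser changes above (disallowing invalid characters in header field names, no longer accepting LF as a request line separator, HTTP method and version validation) and the 3.9.2 fix for header lines starting with a colon share one principle: a request head that does not match the grammar exactly is refused rather than interpreted leniently, because a lenient parser sitting behind a stricter proxy is the setup for request smuggling. As an added example for this page, written in Python and not aiohttp's own parser, here is a minimal strict request-head parser run over constructed sample heads (not captured traffic). The Content-Length / Transfer-Encoding conflict rule at the end goes beyond the items this advisory lists and is included as the usual companion check.</p>

```python
"""Strict HTTP/1.x request-head parser (added example; not aiohttp's parser)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 9110 "token" bytes: the only ones allowed in a method or header name.
TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION = re.compile(rb"^HTTP/1\.[01]$")
CTL = frozenset(range(0x20)) | {0x7F}  # control bytes, never allowed raw


class BadRequest(ValueError):
    """Raised for any request head that is not unambiguously well-formed."""


@dataclass
class RequestHead:
    method: str
    target: str
    version: str
    headers: list[tuple[str, str]] = field(default_factory=list)


def parse_request_head(raw: bytes) -> RequestHead:
    """Parse a request head (the bytes up to and including the blank line).
    Only CRLF separates lines; a bare LF is rejected, so a proxy in front
    and this parser cannot disagree about where a line ends."""
    lines = raw.split(b"\r\n")
    if lines[-2:] != [b"", b""] or not lines[:-2]:
        raise BadRequest("head must end with an empty CRLF-terminated line")
    lines = lines[:-2]
    for line in lines:
        if b"\n" in line or b"\r" in line:
            raise BadRequest("bare CR or LF inside a line")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise BadRequest("request line must be METHOD SP TARGET SP VERSION")
    method, target, version = parts
    if not TCHAR.match(method):
        raise BadRequest("invalid character in method")
    if not target or any(c in CTL for c in target):
        raise BadRequest("empty or control character in request target")
    if not VERSION.match(version):
        raise BadRequest("malformed or unsupported HTTP version")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if line.startswith(b":"):
            raise BadRequest("header line starts with a colon (empty name)")
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("header line without a colon")
        if not TCHAR.match(name):
            # Also catches "Name :" and obs-fold lines starting with SP/HTAB.
            raise BadRequest("invalid character in header field name")
        value = value.strip(b" \t")
        if any(c in CTL and c != 0x09 for c in value):
            raise BadRequest("control character in header field value")
        headers.append((name.decode("ascii"), value.decode("latin-1")))

    # Beyond this advisory's list: Content-Length alongside Transfer-Encoding,
    # or differing Content-Length values, is refused instead of reconciled.
    lengths = {v for n, v in headers if n.lower() == "content-length"}
    has_te = any(n.lower() == "transfer-encoding" for n, _ in headers)
    if len(lengths) > 1 or (lengths and has_te) or not all(map(str.isdigit, lengths)):
        raise BadRequest("ambiguous or non-numeric message framing")
    return RequestHead(method.decode("ascii"), target.decode("latin-1"),
                       version.decode("ascii"), headers)


def rejects(raw: bytes) -> bool:
    try:
        parse_request_head(raw)
    except BadRequest:
        return True
    return False


# Constructed sample heads (not captured traffic); all but "valid" must fail.
SAMPLES: dict[str, bytes] = {
    "valid": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nX-Id: 42\r\n\r\n",
    "lf_only_request_line": b"GET / HTTP/1.1\nHost: example.test\r\n\r\n",
    "leading_colon_header": b"GET / HTTP/1.1\r\n: no-name\r\n\r\n",
    "space_in_header_name": b"GET / HTTP/1.1\r\nHost : example.test\r\n\r\n",
    "control_char_in_name": b"GET / HTTP/1.1\r\nHo\x01st: example.test\r\n\r\n",
    "bad_method_char": b"G(ET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "bad_version": b"GET / HTTP/1.x\r\nHost: example.test\r\n\r\n",
    "cl_and_te": b"POST / HTTP/1.1\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n",
}


def demo() -> dict[str, bool]:
    """Map each sample name to whether the parser rejected it."""
    return {name: rejects(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, rejected in demo().items():
        print(f"{name:22} {'rejected' if rejected else 'accepted'}")
```

<p>Every sample except <code>valid</code> is refused with a specific <code>BadRequest</code>; the bare-LF case is caught before any line is interpreted, because the LF survives the CRLF split and is found inside what should be a single line. A real server would answer 400 and close the connection rather than attempt to resynchronise.</p>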
<p>update to 3.8.6 (bsc#1217181, CVE-2023-47627):</p>
<ul>
<li>Security bugfixes</li>
<li><a href="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9">https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9</a></li>
<li><a href="https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg">https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg</a></li>
<li>Added <code>fallback_charset_resolver</code> parameter in
<code>ClientSession</code> to allow a user-supplied
character set detection function.
Character set detection will no longer be included in 3.9 as
a default. If this feature is needed,
please use <code>fallback_charset_resolver</code> in the client.</li>
<li>Fixed <code>PermissionError</code> when <code>.netrc</code> is unreadable due
to permissions.</li>
<li>Fixed output of parsing errors</li>
<li>Fixed sorting in <code>filter_cookies</code> to use cookie with
longest path.</li>
</ul>
<p>Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)</p>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch SUSE-2024-577=1</code>
</li>
<li class="list-group-item">
openSUSE Leap 15.5
<br/>
<code>zypper in -t patch openSUSE-SLE-15.5-2024-577=1</code>
</li>
<li class="list-group-item">
Python 3 Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
<ul>
<li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li>
<li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-3.9.3-150400.10.14.1</li>
<li>python-time-machine-debugsource-2.13.0-150400.9.3.1</li>
<li>python311-time-machine-debuginfo-2.13.0-150400.9.3.1</li>
<li>python311-time-machine-2.13.0-150400.9.3.1</li>
</ul>
</li>
<li>
openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-3.9.3-150400.10.14.1</li>
</ul>
</li>
<li>
Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-3.9.3-150400.10.14.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
<ul>
<li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-3.9.3-150400.10.14.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
<ul>
<li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-3.9.3-150400.10.14.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
<ul>
<li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-3.9.3-150400.10.14.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-3.9.3-150400.10.14.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
<ul>
<li>python-aiohttp-debugsource-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-debuginfo-3.9.3-150400.10.14.1</li>
<li>python311-aiohttp-3.9.3-150400.10.14.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-47627.html">https://www.suse.com/security/cve/CVE-2023-47627.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-47641.html">https://www.suse.com/security/cve/CVE-2023-47641.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-23334.html">https://www.suse.com/security/cve/CVE-2024-23334.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-23829.html">https://www.suse.com/security/cve/CVE-2024-23829.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217174">https://bugzilla.suse.com/show_bug.cgi?id=1217174</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217181">https://bugzilla.suse.com/show_bug.cgi?id=1217181</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1217782">https://bugzilla.suse.com/show_bug.cgi?id=1217782</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219341">https://bugzilla.suse.com/show_bug.cgi?id=1219341</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1219342">https://bugzilla.suse.com/show_bug.cgi?id=1219342</a>
</li>
</ul>
</div>