SUSE-SU-2024:0577-1: important: Security update for python-aiohttp, python-time-machine

SLE-UPDATES null at suse.de
Wed Feb 21 12:30:12 UTC 2024



# Security update for python-aiohttp, python-time-machine

Announcement ID: SUSE-SU-2024:0577-1  
Rating: important  
References:

  * bsc#1217174
  * bsc#1217181
  * bsc#1217782
  * bsc#1219341
  * bsc#1219342

  
Cross-References:

  * CVE-2023-47627
  * CVE-2023-47641
  * CVE-2024-23334
  * CVE-2024-23829

  
CVSS scores:

  * CVE-2023-47627 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  * CVE-2023-47627 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  * CVE-2023-47641 ( SUSE ):  5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  * CVE-2023-47641 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2024-23334 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2024-23334 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2024-23829 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  * CVE-2024-23829 ( NVD ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

  
Affected Products:

  * openSUSE Leap 15.4
  * openSUSE Leap 15.5
  * Python 3 Module 15-SP5
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5

  
  
An update that solves four vulnerabilities and has one security fix can now be
installed.

## Description:

This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

  * Fixed backwards compatibility breakage (in 3.9.2) of `ssl` parameter when
    set outside of `ClientSession` (e.g. directly in `TCPConnector`)
  * Improved test suite handling of paths and temp files to consistently use
    pathlib and pytest fixtures.

>From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

  * Fixed server-side websocket connection leak.
  * Fixed `web.FileResponse` doing blocking I/O in the event loop.
  * Fixed double compress when compression enabled and compressed file exists in
    server file responses.
  * Added runtime type check for `ClientSession` `timeout` parameter.
  * Fixed an unhandled exception in the Python HTTP parser on header lines
    starting with a colon.
  * Improved validation of paths for static resources requests to the server.
  * Added support for passing :py:data:`True` to `ssl` parameter in
    `ClientSession` while deprecating :py:data:`None`.
  * Fixed an unhandled exception in the Python HTTP parser on header lines
    starting with a colon.
  * Fixed examples of `fallback_charset_resolver` function in the
    :doc:`client_advanced` document.
  * The Sphinx setup was updated to avoid showing the empty changelog draft
    section in the tagged release documentation builds on Read The Docs.
  * The changelog categorization was made clearer. The contributors can now mark
    their fragment files more accurately.
  * Updated :ref:`contributing/Tests coverage <aiohttp-contributing>`
    section to show how we use `codecov`.
  * Replaced all `tmpdir` fixtures with `tmp_path` in test suite.

  * Disable broken tests with openssl 3.2 and python < 3.11 bsc#1217782

update to 3.9.1:

  * Fixed importing aiohttp under PyPy on Windows.
  * Fixed async concurrency safety in websocket compressor.
  * Fixed `ClientResponse.close()` releasing the connection instead of closing.
  * Fixed a regression where connection may get closed during upgrade. -- by
    :user:`Dreamsorcerer`
  * Fixed messages being reported as upgraded without an Upgrade header in
    Python parser. -- by :user:`Dreamsorcerer`

update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)

  * Introduced `AppKey` for static typing support of `Application` storage.
  * Added a graceful shutdown period which allows pending tasks to complete
    before the application's cleanup is called.
  * Added `handler_cancellation`_ parameter to cancel web handler on client
    disconnection.
  * This (optionally) reintroduces a feature removed in a previous release.
  * Recommended for those looking for an extra level of protection against
    denial-of-service attacks.
  * Added support for setting response header parameters `max_line_size` and
    `max_field_size`.
  * Added `auto_decompress` parameter to `ClientSession.request` to override
    `ClientSession._auto_decompress`.
  * Changed `raise_for_status` to allow a coroutine.
  * Added client brotli compression support (optional with runtime check).
  * Added `client_max_size` to `BaseRequest.clone()` to allow overriding the
    request body size. -- :user:`anesabml`.
  * Added a middleware type alias `aiohttp.typedefs.Middleware`.
  * Exported `HTTPMove` which can be used to catch any redirection request that
    has a location -- :user:`dreamsorcerer`.
  * Changed the `path` parameter in `web.run_app()` to accept a `pathlib.Path`
    object.
  * Performance: Skipped filtering `CookieJar` when the jar is empty or all
    cookies have expired.
  * Performance: Only check origin if insecure scheme and there are origins to
    treat as secure, in `CookieJar.filter_cookies()`.
  * Performance: Used timestamp instead of `datetime` to achieve faster cookie
    expiration in `CookieJar`.
  * Added support for passing a custom server name parameter to HTTPS
    connection.
  * Added support for using Basic Auth credentials from :file:`.netrc` file when
    making HTTP requests with the
  * :py:class:`~aiohttp.ClientSession` `trust_env` argument is set to `True`. --
    by :user:`yuvipanda`.
  * Turned access log into no-op when the logger is disabled.
  * Added typing information to `RawResponseMessage`. -- by :user:`Gobot1234`
  * Removed `async-timeout` for Python 3.11+ (replaced with `asyncio.timeout()`
    on newer releases).
  * Added support for `brotlicffi` as an alternative to `brotli` (fixing Brotli
    support on PyPy).
  * Added `WebSocketResponse.get_extra_info()` to access a protocol transport's
    extra info.
  * Allow `link` argument to be set to None/empty in HTTP 451 exception.
  * Fixed client timeout not working when incoming data is always available
    without waiting. -- by :user:`Dreamsorcerer`.
  * Fixed `readuntil` to work with a delimiter of more than one character.
  * Added `__repr__` to `EmptyStreamReader` to avoid `AttributeError`.
  * Fixed bug when using `TCPConnector` with `ttl_dns_cache=0`.
  * Fixed response returned from expect handler being thrown away. -- by
    :user:`Dreamsorcerer`
  * Avoided raising `UnicodeDecodeError` in multipart and in HTTP headers
    parsing.
  * Changed `sock_read` timeout to start after writing has finished, avoiding
    read timeouts caused by an unfinished write. -- by :user:`dtrifiro`
  * Fixed missing query in tracing method URLs when using `yarl` 1.9+.
  * Changed max 32-bit timestamp to an aware datetime object, for consistency
    with the non-32-bit one, and to avoid a `DeprecationWarning` on Python 3.12.
  * Fixed `EmptyStreamReader.iter_chunks()` never ending.
  * Fixed a rare `RuntimeError: await wasn&#x27;t used with future` exception.
  * Fixed issue with insufficient HTTP method and version validation.
  * Added check to validate that absolute URIs have schemes.
  * Fixed unhandled exception when Python HTTP parser encounters unpaired
    Unicode surrogates.
  * Updated parser to disallow invalid characters in header field names and stop
    accepting LF as a request line separator.
  * Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
  * Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
  * Fixed an issue when a client request is closed before completing a chunked
    payload. -- by :user:`Dreamsorcerer`
  * Edge Case Handling for ResponseParser for missing reason value.
  * Fixed `ClientWebSocketResponse.close_code` being erroneously set to `None`
    when there are concurrent async tasks receiving data and closing the
    connection.
  * Added HTTP method validation.
  * Fixed arbitrary sequence types being allowed to inject values via version
    parameter. -- by :user:`Dreamsorcerer`
  * Performance: Fixed increase in latency with small messages from websocket
    compression changes.
  * Improved Documentation
  * Fixed the `ClientResponse.release`'s type in the doc. Changed from
    `comethod` to `method`.
  * Added information on behavior of base_url parameter in `ClientSession`.
  * Completed `trust_env` parameter description to honor `wss_proxy`, `ws_proxy`
    or `no_proxy` env.
  * Dropped Python 3.6 support.
  * Dropped Python 3.7 support. -- by :user:`Dreamsorcerer`
  * Removed support for abandoned `tokio` event loop.
  * Made `print` argument in `run_app()` optional.
  * Improved performance of `ceil_timeout` in some cases.
  * Changed importing Gunicorn to happen on-demand, decreasing import time by
    ~53%. -- :user:`Dreamsorcerer`
  * Improved import time by replacing `http.server` with `http.HTTPStatus`.
  * Fixed annotation of `ssl` parameter to disallow `True`.

update to 3.8.6 (bsc#1217181, CVE-2023-47627):

  * Security bugfixes
  * https://github.com/aio-libs/aiohttp/security/advisories/GHSA- pjjw-
    qhg8-p2p9.
  * https://github.com/aio-libs/aiohttp/security/advisories/GHSA- gfw2-4jvh-
    wgfg.
  * Added `fallback_charset_resolver` parameter in `ClientSession` to allow a
    user-supplied character set detection function. Character set detection will
    no longer be included in 3.9 as a default. If this feature is needed, please
    use `fallback_charset_resolver the client
  * Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
  * Fixed output of parsing errors
  * Fixed sorting in `filter_cookies` to use cookie with longest path.

Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch SUSE-2024-577=1

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-577=1

  * Python 3 Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1

  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1

  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP4  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1

## Package List:

  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
    * python-time-machine-debugsource-2.13.0-150400.9.3.1
    * python311-time-machine-debuginfo-2.13.0-150400.9.3.1
    * python311-time-machine-2.13.0-150400.9.3.1
  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
    x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
    x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x
    x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
    * python-aiohttp-debugsource-3.9.3-150400.10.14.1
    * python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
    * python311-aiohttp-3.9.3-150400.10.14.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-47627.html
  * https://www.suse.com/security/cve/CVE-2023-47641.html
  * https://www.suse.com/security/cve/CVE-2024-23334.html
  * https://www.suse.com/security/cve/CVE-2024-23829.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1217174
  * https://bugzilla.suse.com/show_bug.cgi?id=1217181
  * https://bugzilla.suse.com/show_bug.cgi?id=1217782
  * https://bugzilla.suse.com/show_bug.cgi?id=1219341
  * https://bugzilla.suse.com/show_bug.cgi?id=1219342

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20240221/c4db87ec/attachment.htm>


More information about the sle-updates mailing list