{"affected":[{"ecosystem_specific":{"binaries":[{"python311-aiohttp":"3.9.3-150400.10.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Python 3 15 SP5","name":"python-aiohttp","purl":"pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.9.3-150400.10.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"python311-aiohttp":"3.9.3-150400.10.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS","name":"python-aiohttp","purl":"pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.9.3-150400.10.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"python311-aiohttp":"3.9.3-150400.10.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS","name":"python-aiohttp","purl":"pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.9.3-150400.10.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"python311-aiohttp":"3.9.3-150400.10.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP4-LTSS","name":"python-aiohttp","purl":"pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.9.3-150400.10.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"python311-aiohttp":"3.9.3-150400.10.14.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP4","name":"python-aiohttp","purl":"pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.9.3-150400.10.14.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"python311-aiohttp":"3.9.3-150400.10.14.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"python-aiohttp","purl":"pkg:rpm/opensuse/python-aiohttp&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.9.3-150400.10.14.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for python-aiohttp, python-time-machine fixes the following issues:\n\npython-aiohttp was updated to version 3.9.3:\n\n* Fixed backwards compatibility breakage (in 3.9.2) of ``ssl`` parameter\n  when set outside of ``ClientSession`` (e.g. directly in ``TCPConnector``)\n* Improved test suite handling of paths and temp files to consistently\n  use pathlib and pytest fixtures.\n\nFrom version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):\n\n* Fixed server-side websocket connection leak.\n* Fixed ``web.FileResponse`` doing blocking I/O in the event loop.\n* Fixed double compress when compression enabled and compressed file\n  exists in server file responses.\n* Added runtime type check for ``ClientSession`` ``timeout`` parameter.\n* Fixed an unhandled exception in the Python HTTP parser on header lines\n  starting with a colon.\n* Improved validation of paths for static resources requests to the server.\n* Added support for passing :py:data:`True` to ``ssl`` parameter in\n  ``ClientSession`` while deprecating :py:data:`None`.\n* Fixed an unhandled exception in the Python HTTP parser on header lines\n  starting with a colon.\n* Fixed examples of ``fallback_charset_resolver`` function in the\n  :doc:`client_advanced` document.\n* The Sphinx setup was updated to avoid showing the empty\n  changelog draft section in the tagged release documentation\n  builds on Read The Docs.\n* The changelog categorization was made clearer. The contributors can\n  now mark their fragment files more accurately.\n* Updated :ref:`contributing/Tests coverage <aiohttp-contributing>`\n  section to show how we use ``codecov``.\n* Replaced all ``tmpdir`` fixtures with ``tmp_path`` in test suite.\n\n- Disable broken tests with openssl 3.2 and python < 3.11 bsc#1217782\n\nupdate to 3.9.1:\n\n* Fixed importing aiohttp under PyPy on Windows.\n* Fixed async concurrency safety in websocket compressor.\n* Fixed ``ClientResponse.close()`` releasing the connection\n  instead of closing.\n* Fixed a regression where connection may get closed during\n  upgrade. -- by :user:`Dreamsorcerer`\n* Fixed messages being reported as upgraded without an Upgrade\n  header in Python parser. -- by :user:`Dreamsorcerer`\n\nupdate to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)\n\n* Introduced ``AppKey`` for static typing support of\n  ``Application`` storage.\n* Added a graceful shutdown period which allows pending tasks\n  to complete before the application's cleanup is called.\n* Added `handler_cancellation`_ parameter to cancel web handler on\n  client disconnection.\n* This (optionally) reintroduces a feature removed in a\n  previous release.\n* Recommended for those looking for an extra level of\n  protection against denial-of-service attacks.\n* Added support for setting response header parameters\n  ``max_line_size`` and ``max_field_size``.\n* Added ``auto_decompress`` parameter to\n  ``ClientSession.request`` to override\n  ``ClientSession._auto_decompress``.\n* Changed ``raise_for_status`` to allow a coroutine.\n* Added client brotli compression support (optional with\n  runtime check).\n* Added ``client_max_size`` to ``BaseRequest.clone()`` to allow\n  overriding the request body size. -- :user:`anesabml`.\n* Added a middleware type alias\n  ``aiohttp.typedefs.Middleware``.\n* Exported ``HTTPMove`` which can be used to catch any\n  redirection request that has a location -- :user:`dreamsorcerer`.\n* Changed the ``path`` parameter in ``web.run_app()`` to accept\n  a ``pathlib.Path`` object.\n* Performance: Skipped filtering ``CookieJar`` when the jar is\n  empty or all cookies have expired.\n* Performance: Only check origin if insecure scheme and there\n  are origins to treat as secure, in\n  ``CookieJar.filter_cookies()``.\n* Performance: Used timestamp instead of ``datetime`` to\n  achieve faster cookie expiration in ``CookieJar``.\n* Added support for passing a custom server name parameter to\n  HTTPS connection.\n* Added support for using Basic Auth credentials from\n  :file:`.netrc` file when making HTTP requests with the\n* :py:class:`~aiohttp.ClientSession` ``trust_env`` argument is\n  set to ``True``. -- by :user:`yuvipanda`.\n* Turned access log into no-op when the logger is disabled.\n* Added typing information to ``RawResponseMessage``. -- by\n  :user:`Gobot1234`\n* Removed ``async-timeout`` for Python 3.11+ (replaced with\n  ``asyncio.timeout()`` on newer releases).\n* Added support for ``brotlicffi`` as an alternative to\n  ``brotli`` (fixing Brotli support on PyPy).\n* Added ``WebSocketResponse.get_extra_info()`` to access a\n  protocol transport's extra info.\n* Allow ``link`` argument to be set to None/empty in HTTP 451\n  exception.\n* Fixed client timeout not working when incoming data is always\n  available without waiting. -- by :user:`Dreamsorcerer`.\n* Fixed ``readuntil`` to work with a delimiter of more than one\n  character.\n* Added ``__repr__`` to ``EmptyStreamReader`` to avoid\n  ``AttributeError``.\n* Fixed bug when using ``TCPConnector`` with\n  ``ttl_dns_cache=0``.\n* Fixed response returned from expect handler being thrown\n  away. -- by :user:`Dreamsorcerer`\n* Avoided raising ``UnicodeDecodeError`` in multipart and in\n  HTTP headers parsing.\n* Changed ``sock_read`` timeout to start after writing has\n  finished, avoiding read timeouts caused by an unfinished\n  write. -- by :user:`dtrifiro`\n* Fixed missing query in tracing method URLs when using\n  ``yarl`` 1.9+.\n* Changed max 32-bit timestamp to an aware datetime object, for\n  consistency with the non-32-bit one, and to avoid a\n  ``DeprecationWarning`` on Python 3.12.\n* Fixed ``EmptyStreamReader.iter_chunks()`` never ending.\n* Fixed a rare ``RuntimeError: await wasn't used with future``\n  exception.\n* Fixed issue with insufficient HTTP method and version\n  validation.\n* Added check to validate that absolute URIs have schemes.\n* Fixed unhandled exception when Python HTTP parser encounters\n  unpaired Unicode surrogates.\n* Updated parser to disallow invalid characters in header field\n  names and stop accepting LF as a request line separator.\n* Fixed Python HTTP parser not treating 204/304/1xx as an empty\n  body.\n* Ensure empty body response for 1xx/204/304 per RFC 9112 sec\n  6.3.\n* Fixed an issue when a client request is closed before\n  completing a chunked payload. -- by :user:`Dreamsorcerer`\n* Edge Case Handling for ResponseParser for missing reason\n  value.\n* Fixed ``ClientWebSocketResponse.close_code`` being\n  erroneously set to ``None`` when there are concurrent async\n  tasks receiving data and closing the connection.\n* Added HTTP method validation.\n* Fixed arbitrary sequence types being allowed to inject values\n  via version parameter. -- by :user:`Dreamsorcerer`\n* Performance: Fixed increase in latency with small messages\n  from websocket compression changes.\n* Improved Documentation\n* Fixed the `ClientResponse.release`'s type in the doc. Changed\n  from `comethod` to `method`.\n* Added information on behavior of base_url parameter in\n  `ClientSession`.\n* Completed ``trust_env`` parameter description to honor\n  ``wss_proxy``, ``ws_proxy`` or ``no_proxy`` env.\n* Dropped Python 3.6 support.\n* Dropped Python 3.7 support. -- by :user:`Dreamsorcerer`\n* Removed support for abandoned ``tokio`` event loop.\n* Made ``print`` argument in ``run_app()`` optional.\n* Improved performance of ``ceil_timeout`` in some cases.\n* Changed importing Gunicorn to happen on-demand, decreasing\n  import time by ~53%. -- :user:`Dreamsorcerer`\n* Improved import time by replacing ``http.server`` with\n  ``http.HTTPStatus``.\n* Fixed annotation of ``ssl`` parameter to disallow ``True``.\n\nupdate to 3.8.6 (bsc#1217181, CVE-2023-47627):\n\n* Security bugfixes\n* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-\n  pjjw-qhg8-p2p9.\n* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-\n  gfw2-4jvh-wgfg.\n* Added ``fallback_charset_resolver`` parameter in\n  ``ClientSession`` to allow a user-supplied\n  character set detection function.\n  Character set detection will no longer be included in 3.9 as\n  a default. If this feature is needed,\n  please use `fallback_charset_resolver\n  the client\n* Fixed ``PermissionError`` when ``.netrc`` is unreadable due\n  to permissions.\n* Fixed output of parsing errors\n* Fixed sorting in ``filter_cookies`` to use cookie with\n  longest path.\n\nRelease 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)\n","id":"SUSE-SU-2024:0577-1","modified":"2024-02-21T10:43:49Z","published":"2024-02-21T10:43:49Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2024/suse-su-20240577-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1217174"},{"type":"REPORT","url":"https://bugzilla.suse.com/1217181"},{"type":"REPORT","url":"https://bugzilla.suse.com/1217782"},{"type":"REPORT","url":"https://bugzilla.suse.com/1219341"},{"type":"REPORT","url":"https://bugzilla.suse.com/1219342"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-47627"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-47641"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-23334"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-23829"}],"related":["CVE-2023-47627","CVE-2023-47641","CVE-2024-23334","CVE-2024-23829"],"summary":"Security update for python-aiohttp, python-time-machine","upstream":["CVE-2023-47627","CVE-2023-47641","CVE-2024-23334","CVE-2024-23829"]}