Security update for python-aiohttp, python-time-machine

Announcement ID:	SUSE-SU-2024:0577-1
Rating:	important
References:	bsc#1217174 bsc#1217181 bsc#1217782 bsc#1219341 bsc#1219342
Cross-References:	CVE-2023-47627 CVE-2023-47641 CVE-2024-23334 CVE-2024-23829
CVSS scores:	CVE-2023-47627 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-47627 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2023-47641 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2023-47641 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2024-23334 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-23334 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-23829 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2024-23829 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected Products:	openSUSE Leap 15.4 openSUSE Leap 15.5 Python 3 Module 15-SP5 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves four vulnerabilities and has one security fix can now be installed.

Description:

This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

• Fixed backwards compatibility breakage (in 3.9.2) of ssl parameter when set outside of ClientSession (e.g. directly in TCPConnector)
• Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

• Fixed server-side websocket connection leak.
• Fixed web.FileResponse doing blocking I/O in the event loop.
• Fixed double compress when compression enabled and compressed file exists in server file responses.
• Added runtime type check for ClientSession timeout parameter.
• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.
• Improved validation of paths for static resources requests to the server.
• Added support for passing :py:data:True to ssl parameter in ClientSession while deprecating :py:data:None.
• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.
• Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document.
• The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs.
• The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately.
• Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov.

• Replaced all tmpdir fixtures with tmp_path in test suite.

• Disable broken tests with openssl 3.2 and python < 3.11 bsc#1217782

update to 3.9.1:

• Fixed importing aiohttp under PyPy on Windows.
• Fixed async concurrency safety in websocket compressor.
• Fixed ClientResponse.close() releasing the connection instead of closing.
• Fixed a regression where connection may get closed during upgrade. -- by :user:Dreamsorcerer
• Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:Dreamsorcerer

update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)

• Introduced AppKey for static typing support of Application storage.
• Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
• Added handler_cancellation_ parameter to cancel web handler on client disconnection.
• This (optionally) reintroduces a feature removed in a previous release.
• Recommended for those looking for an extra level of protection against denial-of-service attacks.
• Added support for setting response header parameters max_line_size and max_field_size.
• Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress.
• Changed raise_for_status to allow a coroutine.
• Added client brotli compression support (optional with runtime check).
• Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.
• Added a middleware type alias aiohttp.typedefs.Middleware.
• Exported HTTPMove which can be used to catch any redirection request that has a location -- :user:dreamsorcerer.
• Changed the path parameter in web.run_app() to accept a pathlib.Path object.
• Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.
• Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().
• Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.
• Added support for passing a custom server name parameter to HTTPS connection.
• Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the
• :py:class:~aiohttp.ClientSession trust_env argument is set to True. -- by :user:yuvipanda.
• Turned access log into no-op when the logger is disabled.
• Added typing information to RawResponseMessage. -- by :user:Gobot1234
• Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).
• Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).
• Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.
• Allow link argument to be set to None/empty in HTTP 451 exception.
• Fixed client timeout not working when incoming data is always available without waiting. -- by :user:Dreamsorcerer.
• Fixed readuntil to work with a delimiter of more than one character.
• Added __repr__ to EmptyStreamReader to avoid AttributeError.
• Fixed bug when using TCPConnector with ttl_dns_cache=0.
• Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer
• Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.
• Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro
• Fixed missing query in tracing method URLs when using yarl 1.9+.
• Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.
• Fixed EmptyStreamReader.iter_chunks() never ending.
• Fixed a rare RuntimeError: await wasn't used with future exception.
• Fixed issue with insufficient HTTP method and version validation.
• Added check to validate that absolute URIs have schemes.
• Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.
• Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.
• Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
• Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
• Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:Dreamsorcerer
• Edge Case Handling for ResponseParser for missing reason value.
• Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.
• Added HTTP method validation.
• Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer
• Performance: Fixed increase in latency with small messages from websocket compression changes.
• Improved Documentation
• Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.
• Added information on behavior of base_url parameter in ClientSession.
• Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.
• Dropped Python 3.6 support.
• Dropped Python 3.7 support. -- by :user:Dreamsorcerer
• Removed support for abandoned tokio event loop.
• Made print argument in run_app() optional.
• Improved performance of ceil_timeout in some cases.
• Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer
• Improved import time by replacing http.server with http.HTTPStatus.
• Fixed annotation of ssl parameter to disallow True.

update to 3.8.6 (bsc#1217181, CVE-2023-47627):

• Security bugfixes
• https://github.com/aio-libs/aiohttp/security/advisories/GHSA- pjjw-qhg8-p2p9.
• https://github.com/aio-libs/aiohttp/security/advisories/GHSA- gfw2-4jvh-wgfg.
• Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use `fallback_charset_resolver the client
• Fixed PermissionError when .netrc is unreadable due to permissions.
• Fixed output of parsing errors
• Fixed sorting in filter_cookies to use cookie with longest path.

Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch SUSE-2024-577=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-577=1
• Python 3 Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Python3-15-SP5-2024-577=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-577=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-577=1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-577=1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-577=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-577=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  • python-aiohttp-debugsource-3.9.3-150400.10.14.1
  • python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
  • python311-aiohttp-3.9.3-150400.10.14.1
  • python311-time-machine-debuginfo-2.13.0-150400.9.3.1
  • python311-time-machine-2.13.0-150400.9.3.1
  • python-time-machine-debugsource-2.13.0-150400.9.3.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • python311-aiohttp-3.9.3-150400.10.14.1
  • python-aiohttp-debugsource-3.9.3-150400.10.14.1
  • python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
• Python 3 Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  • python311-aiohttp-3.9.3-150400.10.14.1
  • python-aiohttp-debugsource-3.9.3-150400.10.14.1
  • python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  • python311-aiohttp-3.9.3-150400.10.14.1
  • python-aiohttp-debugsource-3.9.3-150400.10.14.1
  • python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  • python311-aiohttp-3.9.3-150400.10.14.1
  • python-aiohttp-debugsource-3.9.3-150400.10.14.1
  • python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
• SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (x86_64)
  • python311-aiohttp-3.9.3-150400.10.14.1
  • python-aiohttp-debugsource-3.9.3-150400.10.14.1
  • python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
• SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
  • python311-aiohttp-3.9.3-150400.10.14.1
  • python-aiohttp-debugsource-3.9.3-150400.10.14.1
  • python311-aiohttp-debuginfo-3.9.3-150400.10.14.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  • python311-aiohttp-3.9.3-150400.10.14.1
  • python-aiohttp-debugsource-3.9.3-150400.10.14.1
  • python311-aiohttp-debuginfo-3.9.3-150400.10.14.1

References:

• https://www.suse.com/security/cve/CVE-2023-47627.html
• https://www.suse.com/security/cve/CVE-2023-47641.html
• https://www.suse.com/security/cve/CVE-2024-23334.html
• https://www.suse.com/security/cve/CVE-2024-23829.html
• https://bugzilla.suse.com/show_bug.cgi?id=1217174
• https://bugzilla.suse.com/show_bug.cgi?id=1217181
• https://bugzilla.suse.com/show_bug.cgi?id=1217782
• https://bugzilla.suse.com/show_bug.cgi?id=1219341
• https://bugzilla.suse.com/show_bug.cgi?id=1219342