Test ID: | 1.3.6.1.4.1.25623.1.1.18.2.2024.0577.1 |
Category: | openSUSE Local Security Checks |
Title: | openSUSE Security Advisory (SUSE-SU-2024:0577-1) |
Summary: | The remote host is missing an update for the 'python-aiohttp, python-time-machine' package(s) announced via the SUSE-SU-2024:0577-1 advisory. |
Description: |
Summary: The remote host is missing an update for the 'python-aiohttp, python-time-machine' package(s) announced via the SUSE-SU-2024:0577-1 advisory.

Vulnerability Insight: This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

* Fixed backwards compatibility breakage (in 3.9.2) of ``ssl`` parameter when set outside of ``ClientSession`` (e.g. directly in ``TCPConnector``)
* Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

* Fixed server-side websocket connection leak.
* Fixed ``web.FileResponse`` doing blocking I/O in the event loop.
* Fixed double compress when compression enabled and compressed file exists in server file responses.
* Added runtime type check for ``ClientSession`` ``timeout`` parameter.
* Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.
* Improved validation of paths for static resources requests to the server.
* Added support for passing :py:data:`True` to ``ssl`` parameter in ``ClientSession`` while deprecating :py:data:`None`.
* Fixed examples of ``fallback_charset_resolver`` function in the :doc:`client_advanced` document.
* The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs.
* The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately.
* Updated :ref:`contributing/Tests coverage section to show how we use ``codecov``.
* Replaced all ``tmpdir`` fixtures with ``tmp_path`` in test suite.

- Disable broken tests with openssl 3.2 and python < 3.11 bsc#1217782

update to 3.9.1:

* Fixed importing aiohttp under PyPy on Windows.
* Fixed async concurrency safety in websocket compressor.
* Fixed ``ClientResponse.close()`` releasing the connection instead of closing.
* Fixed a regression where connection may get closed during upgrade. -- by :user:`Dreamsorcerer`
* Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:`Dreamsorcerer`

update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)

* Introduced ``AppKey`` for static typing support of ``Application`` storage.
* Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
* Added `handler_cancellation`_ parameter to cancel web handler on client disconnection.
  * This (optionally) reintroduces a feature removed in a previous release.
  * Recommended for those looking for an extra level of protection against denial-of-service attacks.
* Added support for setting response header parameters ``max_line_size`` and ``max_field_size``.
* Added ``auto_decompress`` parameter to ``ClientSession.request`` to override ...

[Please see the references for more information on the vulnerabilities]

Affected Software/OS: 'python-aiohttp, python-time-machine' package(s) on openSUSE Leap 15.5.

Solution: Please install the updated package(s).

CVSS Score: 7.8
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Cross-reference: |

Common Vulnerability Exposure (CVE) ID: CVE-2023-47627
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUSJVQ7OQ55RWL4XAX2F5EZ73N4ZSH6U/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQYQL6WV535EEKSNH7KRARLLMOW5WXDM/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDKQ6HM3KNDU4OQI476ZWT4O7DMSIT35/
https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Common Vulnerability Exposure (CVE) ID: CVE-2023-47641
https://github.com/aio-libs/aiohttp/commit/f016f0680e4ace6742b03a70cb0382ce86abe371
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xx9p-xxvh-7g8j

Common Vulnerability Exposure (CVE) ID: CVE-2023-49081
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b
https://github.com/aio-libs/aiohttp/pull/7835/files
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2

Common Vulnerability Exposure (CVE) ID: CVE-2023-49082
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466
https://github.com/aio-libs/aiohttp/pull/7806/files
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx

Common Vulnerability Exposure (CVE) ID: CVE-2024-23334
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b
https://github.com/aio-libs/aiohttp/pull/8079
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f

Common Vulnerability Exposure (CVE) ID: CVE-2024-23829
https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
https://github.com/aio-libs/aiohttp/pull/8074
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
Copyright | Copyright (C) 2025 Greenbone AG |