SUSE-SU-2024:0577-1 Security update for python-aiohttp, python-time-machine

This update for python-aiohttp, python-time-machine fixes the following issues: python-aiohttp was updated to version 3.9.3: Fixed backwards compatibility breakage in 3.9.2 of ssl parameter when set outside of ClientSession e.g. directly in TCPConnector Improved test suite handling of paths and...

Fedora 38 : python-aiohttp (2024-0ddda4c691)

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-0ddda4c691 advisory. Security update for CVE-2024-23334 and CVE-2024-23829 https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2...

The vulnerability of the aiohttp HTTP client, related to deficiencies in HTTP request processing, allows attackers to execute the “HTTP request hijacking” attack.

The vulnerability of the aiohttp HTTP client is related to deficiencies in HTTP request processing. Exploiting this vulnerability allows a remote attacker to perform an “HTTP request hijacking” attack...

The vulnerability of the aiohttp HTTP client, related to incorrect path name restrictions for restricted access directories, allows attackers to gain unauthorized access to protected information.

The vulnerability of the aiohttp HTTP client is related to incorrect restrictions on the path name to the restricted directory. Exploiting this vulnerability could allow an attacker, operating remotely, to gain unauthorized access to protected information...

Fedora 39 : python-aiohttp (2024-f249b74f03)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-f249b74f03 advisory. Security update for CVE-2024-23334 and CVE-2024-23829 https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2...

SUSE CVE-2024-23334

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...

SUSE CVE-2024-23829

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against...

CVE-2024-23829

An HTTP request smuggling vulnerability was found in aiohttp. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets that must trigger error handling to robustly match frame boundaries of proxies in order to protect against the injection of...

Request Smuggling

aiohttp is vulnerable to Request Smuggling.The vulnerability is caused due to improper parsing of HTTP requests within httpparser.py. This flaw results in excessive resource consumption on the application server, resulting in Denial of Service DoS and/or Request Smuggling...

CVE-2024-23334

A flaw was found in aiohttp. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symbolic links outside the static root directory. When...

Path Traversal

aiohttp is vulnerable to Path Traversal. The vulnerability is due to faulty path validation which checks if the file being accessed is within the intended static root directory when followsymlinks = True. This allows an attacker to access files and directories outside the intended static root...

CVE-2024-23334

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...

DEBIAN-CVE-2024-23829

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against...

AZL-43552 CVE-2024-23334 affecting package python-aiohttp 3.6.2-3

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...

AZL-44319 CVE-2024-23334 affecting package python-aiohttp 3.6.2-3

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...

CVE-2024-23334 vulnerabilities

Vulnerabilities for packages: py3-aiohttp, py3-cassandra-medusa, checkov...

CVE-2024-23829 vulnerabilities

Vulnerabilities for packages: py3-aiohttp, py3-cassandra-medusa, checkov...

CVE-2024-23829 vulnerabilities

Vulnerabilities for packages: py3-aiohttp, py3-cassandra-medusa, checkov...

AZL-43774 CVE-2024-23829 affecting package python-aiohttp 3.6.2-3

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against...

AZL-45189 CVE-2024-23829 affecting package python-aiohttp 3.6.2-3

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against...