Commit Graph

2 Commits

Author SHA1 Message Date
Rahul Janani Pandi
a9a4998947 python3-aiohttp: Fix CVE-2024-23334
aiohttp is an asynchronous HTTP client/server framework
for asyncio and Python. When using aiohttp as a web server
and configuring static routes, it is necessary to specify
the root path for static files. Additionally, the option
'follow_symlinks' can be used to determine whether to
follow symbolic links outside the static root directory.
When 'follow_symlinks' is set to True, there is no
validation to check if reading a file is within the root
directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to
arbitrary files on the system, even when symlinks are not
present. Disabling follow_symlinks and using a reverse proxy
are encouraged mitigations. Version 3.9.2 fixes this issue.

References:
https://security-tracker.debian.org/tracker/CVE-2024-23334
https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2

Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-04-28 13:10:23 -04:00
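The containment check that the CVE-2024-23334 commit message says is missing when 'follow_symlinks' is True, as an added example; it is not aiohttp's code and not the patch carried by this commit. The function names and the temporary directory tree are constructed for the illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def _inside(path: Path, root: Path) -> bool:
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def unchecked_lookup(root: Path, requested: str) -> Path:
    # The flaw described above: join and normalise, with no containment check.
    return Path(os.path.normpath(root / requested))


def contained_lookup(root: Path, requested: str,
                     follow_symlinks: bool = False) -> Optional[Path]:
    root = root.resolve()
    # Lexical check, always applied: "../" and absolute paths must stay in root.
    lexical = Path(os.path.normpath(root / requested))
    if not _inside(lexical, root):
        return None
    # With follow_symlinks off, the symlink-resolved target must stay inside too.
    if not follow_symlinks and not _inside(lexical.resolve(), root):
        return None
    return lexical if lexical.is_file() else None


def demo() -> dict:
    # Constructed directory tree: static/ is the root, secret.txt sits beside it.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "static"
        root.mkdir()
        (root / "app.css").write_text("body{}")
        (base / "secret.txt").write_text("constructed")
        os.symlink(base / "secret.txt", root / "link.txt")
        return {
            "unchecked_escapes": not _inside(unchecked_lookup(root, "../secret.txt"), root),
            "dotdot": contained_lookup(root, "../secret.txt", follow_symlinks=True),
            "absolute": contained_lookup(root, str(base / "secret.txt"), True),
            "normal": contained_lookup(root, "app.css").name,
            "link_off": contained_lookup(root, "link.txt", follow_symlinks=False),
            "link_on": contained_lookup(root, "link.txt", follow_symlinks=True).name,
        }
```

The lexical check runs regardless of the symlink setting, so allowing symlinks only widens what a link inside the root may point to, not what a requested path may name.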
Narpat Mali
4af7df7929 python3-aiohttp: upgrade 3.8.5 -> 3.8.6
The delta between 3.8.5 & 3.8.6 contains the CVE-2023-47627 fix and other bugfixes.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Changelog:
----------
https://docs.aiohttp.org/en/stable/changes.html#id72

The git log --oneline v3.8.5..v3.8.6 shows:

996de262 (tag: v3.8.6) Release v3.8.6 (#7668)
8c128d4f [PR #7651/45f98b7d backport][3.8] Fix BadStatusLine message (#7666)
89b7df15 Allow lax response parsing on Py parser (#7663) (#7664)
d5c12ba8 [PR #7661/85713a48 backport][3.8] Update Python parser for RFCs 9110/9112 (#7662)
8a3977ac [PR #7272/b2a7983a backport][3.8] Fix Read The Docs config (#7650)
bcc416e5 [PR #7647/1303350e backport][3.8] Upgrade to llhttp 9.1.3 (#7648)
b30c0cd2 Remove chardet/charset-normalizer. (#7589)
5946c743 CookieJar - return 'best-match' and not LIFO (#7577) (#7588)
8c4ec62f [PR #7518/8bd42e74 backport][3.8] Fix GunicornWebWorker max_requests_jitter not work (#7519)
a0d234df Use lenient headers for response parser (#7490) (#7492)
f92b27b0 Update to LLHTTP 9 (#7485) (#7487)
8129d26f [PR #7480/1fb06bbc backport][3.8] Fix error pointer on linebreaks (#7482)
8d701c3d Fix PermissionError when loading .netrc (#7237) (#7378) (#7395)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-02-07 18:41:41 -05:00