Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency aiohttp to v3.10.2 [SECURITY] #205

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 12, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aiohttp 3.9.5 -> 3.10.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-42367

Summary

Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

Details

The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing Path.stat() and Path.open() to send the file.

Impact

Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.


Patch: https://github.com/aio-libs/aiohttp/pull/8653/files


Release Notes

aio-libs/aiohttp (aiohttp)

v3.10.2

Compare Source

===================

Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8565.

  • Fixed request body not being read when ignoring an Upgrade request -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8597.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8611.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    :issue:8632.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:bdraco.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub:
    :issue:8641.

  • Fixed incorrectly following symlinks for compressed file variants -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8652.

Removals and backward incompatible breaking changes

  • Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8636.

Contributor-facing changes

  • Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by :user:steverep.

    Related issues and pull requests on GitHub:
    :issue:8551.

Miscellaneous internal changes

  • Improved WebSocket performance when messages are sent or received frequently -- by :user:bdraco.

    The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

    Related issues and pull requests on GitHub:
    :issue:8608.

  • Minor improvements to various type annotations -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    :issue:8634.


v3.10.1

Compare Source

v3.10.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from de27c92 to fa28054 Compare August 20, 2024 09:52
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 3 times, most recently from 4e1e0ae to 013e8dc Compare September 6, 2024 10:26
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 4 times, most recently from b8ca129 to a22af23 Compare September 11, 2024 13:30
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 6 times, most recently from 1a0b6fa to dd34037 Compare September 23, 2024 13:35
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 3 times, most recently from 7e53f68 to f84462b Compare October 17, 2024 12:19
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from f84462b to c0a017b Compare October 17, 2024 15:12
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from c0a017b to 66d096b Compare October 30, 2024 02:39
@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 66d096b to 9368dd5 Compare November 4, 2024 05:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants