Update dependency aiohttp to v3.10.2 [SECURITY] #205
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
de27c92
to
fa28054
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
3 times, most recently
from
4e1e0ae
to
013e8dc
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
3 times, most recently
from
c899542
to
b8ca129
Compare
renovate
bot
force-pushed
the
renovate/pypi-aiohttp-vulnerability
branch
from
b8ca129
to
a22af23
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.9.5->3.10.2GitHub Vulnerability Alerts
CVE-2024-42367
Summary
Static routes which contain files with compressed variants (
.gzor.brextension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.Details
The server protects static routes from path traversal outside the root directory when
follow_symlinks=False(default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in theFileResponseclass, and symbolic links are then automatically followed when performingPath.stat()andPath.open()to send the file.Impact
Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.
Patch: https://github.com/aio-libs/aiohttp/pull/8653/files
Release Notes
aio-libs/aiohttp (aiohttp)
v3.10.2Compare Source
===================
Bug fixes
Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:
steverep.Related issues and pull requests on GitHub:
:issue:
8565.Fixed request body not being read when ignoring an Upgrade request -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8597.Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8611.Fixed connecting to
npipe://,tcp://, andunix://urls -- by :user:bdraco.Related issues and pull requests on GitHub:
:issue:
8632.Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:
bdraco.There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.
Related issues and pull requests on GitHub:
:issue:
8641.Fixed incorrectly following symlinks for compressed file variants -- by :user:
steverep.Related issues and pull requests on GitHub:
:issue:
8652.Removals and backward incompatible breaking changes
Removed
Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8636.Contributor-facing changes
Fixed monkey patches for
Path.stat()andPath.is_dir()for Python 3.13 compatibility -- by :user:steverep.Related issues and pull requests on GitHub:
:issue:
8551.Miscellaneous internal changes
Improved WebSocket performance when messages are sent or received frequently -- by :user:
bdraco.The WebSocket heartbeat scheduling algorithm was improved to reduce the
asyncioscheduling overhead by decreasing the number ofasyncio.TimerHandlecreations and cancellations.Related issues and pull requests on GitHub:
:issue:
8608.Minor improvements to various type annotations -- by :user:
Dreamsorcerer.Related issues and pull requests on GitHub:
:issue:
8634.v3.10.1Compare Source
v3.10.0Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.