Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0577-1 advisory.
python-aiohttp was updated to version 3.9.3:
* Fixed backwards compatibility breakage (in 3.9.2) of ``ssl`` parameter when set outside of ``ClientSession`` (e.g. directly in ``TCPConnector``)
* Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.
From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):
* Fixed server-side websocket connection leak.
* Fixed ``web.FileResponse`` doing blocking I/O in the event loop.
* Fixed double compress when compression enabled and compressed file exists in server file responses.
* Added runtime type check for ``ClientSession`` ``timeout`` parameter.
* Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.
* Improved validation of paths for static resources requests to the server.
* Added support for passing :py:data:`True` to ``ssl`` parameter in ``ClientSession`` while deprecating :py:data:`None`.
* Fixed examples of ``fallback_charset_resolver`` function in the :doc:`client_advanced` document.
* The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs.
* The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately.
* Updated :ref:`contributing/Tests coverage <aiohttp-contributing>` section to show how we use ``codecov``.
* Replaced all ``tmpdir`` fixtures with ``tmp_path`` in test suite.
* Disable broken tests with openssl 3.2 and python < 3.11 (bsc#1217782)
update to 3.9.1:
* Fixed importing aiohttp under PyPy on Windows.
* Fixed async concurrency safety in websocket compressor.
* Fixed ``ClientResponse.close()`` releasing the connection instead of closing.
* Fixed a regression where connection may get closed during upgrade. -- by :user:`Dreamsorcerer`
* Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:`Dreamsorcerer`
update to 3.9.0 (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082):
* Introduced ``AppKey`` for static typing support of ``Application`` storage.
* Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
* Added `handler_cancellation`_ parameter to cancel web handler on client disconnection. This (optionally) reintroduces a feature removed in a previous release. Recommended for those looking for an extra level of protection against denial-of-service attacks.
* Added support for setting response header parameters ``max_line_size`` and ``max_field_size``.
* Added ``auto_decompress`` parameter to ``ClientSession.request`` to override ``ClientSession._auto_decompress``.
* Changed ``raise_for_status`` to allow a coroutine.
* Added client brotli compression support (optional with runtime check).
* Added ``client_max_size`` to ``BaseRequest.clone()`` to allow overriding the request body size. -- :user:`anesabml`.
* Added a middleware type alias ``aiohttp.typedefs.Middleware``.
* Exported ``HTTPMove`` which can be used to catch any redirection request that has a location -- :user:`dreamsorcerer`.
* Changed the ``path`` parameter in ``web.run_app()`` to accept a ``pathlib.Path`` object.
* Performance: Skipped filtering ``CookieJar`` when the jar is empty or all cookies have expired.
* Performance: Only check origin if insecure scheme and there are origins to treat as secure, in ``CookieJar.filter_cookies()``.
* Performance: Used timestamp instead of ``datetime`` to achieve faster cookie expiration in ``CookieJar``.
* Added support for passing a custom server name parameter to HTTPS connection.
* Added support for using Basic Auth credentials from :file:`.netrc` file when making HTTP requests with the :py:class:`~aiohttp.ClientSession` ``trust_env`` argument set to ``True``. -- by :user:`yuvipanda`.
* Turned access log into no-op when the logger is disabled.
* Added typing information to ``RawResponseMessage``. -- by :user:`Gobot1234`
* Removed ``async-timeout`` for Python 3.11+ (replaced with ``asyncio.timeout()`` on newer releases).
* Added support for ``brotlicffi`` as an alternative to ``brotli`` (fixing Brotli support on PyPy).
* Added ``WebSocketResponse.get_extra_info()`` to access a protocol transport's extra info.
* Allow ``link`` argument to be set to None/empty in HTTP 451 exception.
* Fixed client timeout not working when incoming data is always available without waiting. -- by :user:`Dreamsorcerer`.
* Fixed ``readuntil`` to work with a delimiter of more than one character.
* Added ``__repr__`` to ``EmptyStreamReader`` to avoid ``AttributeError``.
* Fixed bug when using ``TCPConnector`` with ``ttl_dns_cache=0``.
* Fixed response returned from expect handler being thrown away. -- by :user:`Dreamsorcerer`
* Avoided raising ``UnicodeDecodeError`` in multipart and in HTTP headers parsing.
* Changed ``sock_read`` timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:`dtrifiro`
* Fixed missing query in tracing method URLs when using ``yarl`` 1.9+.
* Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a ``DeprecationWarning`` on Python 3.12.
* Fixed ``EmptyStreamReader.iter_chunks()`` never ending.
* Fixed a rare ``RuntimeError: await wasn't used with future`` exception.
* Fixed issue with insufficient HTTP method and version validation.
* Added check to validate that absolute URIs have schemes.
* Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.
* Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.
* Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
* Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
* Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:`Dreamsorcerer`
* Edge Case Handling for ResponseParser for missing reason value.
* Fixed ``ClientWebSocketResponse.close_code`` being erroneously set to ``None`` when there are concurrent async tasks receiving data and closing the connection.
* Added HTTP method validation.
* Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:`Dreamsorcerer`
* Performance: Fixed increase in latency with small messages from websocket compression changes.
* Improved Documentation
* Fixed the `ClientResponse.release`'s type in the doc. Changed from `comethod` to `method`.
* Added information on behavior of base_url parameter in `ClientSession`.
* Completed ``trust_env`` parameter description to honor ``wss_proxy``, ``ws_proxy`` or ``no_proxy`` env.
* Dropped Python 3.6 support.
* Dropped Python 3.7 support. -- by :user:`Dreamsorcerer`
* Removed support for abandoned ``tokio`` event loop.
* Made ``print`` argument in ``run_app()`` optional.
* Improved performance of ``ceil_timeout`` in some cases.
* Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:`Dreamsorcerer`
* Improved import time by replacing ``http.server`` with ``http.HTTPStatus``.
* Fixed annotation of ``ssl`` parameter to disallow ``True``.
update to 3.8.6 (bsc#1217181, CVE-2023-47627):
* Security bugfixes
* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
* https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
* Added ``fallback_charset_resolver`` parameter in ``ClientSession`` to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use ``fallback_charset_resolver`` the client
* Fixed ``PermissionError`` when ``.netrc`` is unreadable due to permissions.
* Fixed output of parsing errors
* Fixed sorting in ``filter_cookies`` to use cookie with longest path.
Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected python311-aiohttp package.
Plugin Details
File Name: suse_SU-2024-0577-1.nasl
Agent: unix
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, tenable_cloud_security, tenable_self_hosted_container_security, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:python311-aiohttp, cpe:/o:novell:suse_linux:15
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 2/21/2024
Vulnerability Publication Date: 11/14/2023