| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| python3-aiohttp: Fix CVE-2024-23334 | Rahul Janani Pandi | 2024-04-28 | 1 | -0/+3 |
| python3-aiohttp: upgrade 3.8.5 -> 3.8.6 | Narpat Mali | 2024-02-07 | 1 | -0/+27 |

Full commit messages:

python3-aiohttp: Fix CVE-2024-23334

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

References:
https://security-tracker.debian.org/tracker/CVE-2024-23334
https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2

Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

python3-aiohttp: upgrade 3.8.5 -> 3.8.6

The delta between 3.8.5 & 3.8.6 contains the CVE-2023-47627 fix and other bugfixes.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Changelog:
----------
https://docs.aiohttp.org/en/stable/changes.html#id72

The git log --oneline v3.8.5..v3.8.6 shows:

```
996de262 (tag: v3.8.6) Release v3.8.6 (#7668)
8c128d4f [PR #7651/45f98b7d backport][3.8] Fix BadStatusLine message (#7666)
89b7df15 Allow lax response parsing on Py parser (#7663) (#7664)
d5c12ba8 [PR #7661/85713a48 backport][3.8] Update Python parser for RFCs 9110/9112 (#7662)
8a3977ac [PR #7272/b2a7983a backport][3.8] Fix Read The Docs config (#7650)
bcc416e5 [PR #7647/1303350e backport][3.8] Upgrade to llhttp 9.1.3 (#7648)
b30c0cd2 Remove chardet/charset-normalizer. (#7589)
5946c743 CookieJar - return 'best-match' and not LIFO (#7577) (#7588)
8c4ec62f [PR #7518/8bd42e74 backport][3.8] Fix GunicornWebWorker max_requests_jitter not work (#7519)
a0d234df Use lenient headers for response parser (#7490) (#7492)
f92b27b0 Update to LLHTTP 9 (#7485) (#7487)
8129d26f [PR #7480/1fb06bbc backport][3.8] Fix error pointer on linebreaks (#7482)
8d701c3d Fix PermissionError when loading .netrc (#7237) (#7378) (#7395)
```

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
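The CVE-2024-23334 commit message describes a static-file handler that, with follow_symlinks enabled, never checks that the file it is about to read lies inside the static root. The following is an added illustration of that containment check, written for this page and not aiohttp's own code (the function names and the constructed temp-directory layout are assumptions): the fully resolved target must stay under the root whether the request escapes via `..` segments or via a symlink.

```python
import tempfile
from pathlib import Path


def resolve_static_path(root: Path, request_path: str, follow_symlinks: bool = False):
    """Map a URL path onto a file under root; return None if it must be refused.
    Added illustration of the check the commit message calls missing; not aiohttp code."""
    root = Path(root).resolve()
    rel = Path(request_path.lstrip("/"))          # keep the request relative to root
    if not follow_symlinks:
        # Symlink following disabled: refuse any symlink component under root
        cur = root
        for part in rel.parts:
            cur = cur / part
            if cur.is_symlink():
                return None
    resolved = (root / rel).resolve()             # collapses "..", follows symlinks
    # Containment check: a resolved path outside root is a traversal, regardless of
    # whether it got there through ".." segments or through a symlink.
    if resolved != root and root not in resolved.parents:
        return None
    return resolved if resolved.is_file() else None


def build_demo_tree() -> Path:
    """Constructed layout (assumption): <tmp>/root/index.html, a symlink inside root
    to that file, <tmp>/secret.txt outside root, and a symlink in root pointing at it."""
    base = Path(tempfile.mkdtemp())
    root = base / "root"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (base / "secret.txt").write_text("outside the static root")
    (root / "link_in").symlink_to(root / "index.html")
    (root / "link_out").symlink_to(base / "secret.txt")
    return root


def run_demo() -> dict:
    """Exercise the handler on the constructed tree; True means the expected decision."""
    root = build_demo_tree()
    return {
        "plain_file_served": resolve_static_path(root, "/index.html") is not None,
        "dotdot_refused": resolve_static_path(root, "/../secret.txt", follow_symlinks=True) is None,
        "outside_symlink_refused": resolve_static_path(root, "/link_out", follow_symlinks=True) is None,
        "inside_symlink_refused_when_off": resolve_static_path(root, "/link_in") is None,
        "inside_symlink_served_when_on": resolve_static_path(root, "/link_in", follow_symlinks=True) is not None,
    }
```

Every entry of `run_demo()` comes back True: the `..` request and the symlink to `secret.txt` are refused even with symlink following on, while the in-root symlink is served only when it is enabled.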
