Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency aiohttp to v3.10.2 [security] #362

Conversation

renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Aug 13, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aiohttp ==3.9.5 -> ==3.10.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-42367

Summary

Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

Details

The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing Path.stat() and Path.open() to send the file.

Impact

Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.


Patch: https://github.com/aio-libs/aiohttp/pull/8653/files


Release Notes

aio-libs/aiohttp (aiohttp)

v3.10.2: 3.10.2

Compare Source

Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8565.

  • Fixed request body not being read when ignoring an Upgrade request -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8597.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8611.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​8632.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:bdraco.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub:
    #​8641.

  • Fixed incorrectly following symlinks for compressed file variants -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8652.

Removals and backward incompatible breaking changes

  • Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8636.

Contributor-facing changes

  • Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by :user:steverep.

    Related issues and pull requests on GitHub:
    #​8551.

Miscellaneous internal changes

  • Improved WebSocket performance when messages are sent or received frequently -- by :user:bdraco.

    The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

    Related issues and pull requests on GitHub:
    #​8608.

  • Minor improvements to various type annotations -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​8634.


v3.10.1

Compare Source

v3.10.0

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team as a code owner August 13, 2024 12:44
@renovate-bot renovate-bot force-pushed the renovate/pypi-aiohttp-vulnerability branch 2 times, most recently from 3ccc010 to a4eedad Compare August 14, 2024 20:14
@renovate-bot renovate-bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from a4eedad to cde4e72 Compare August 14, 2024 20:18
@nancynh nancynh enabled auto-merge (squash) August 14, 2024 20:18
@nancynh nancynh merged commit 710b950 into GoogleCloudPlatform:main Aug 14, 2024
12 checks passed
@renovate-bot renovate-bot deleted the renovate/pypi-aiohttp-vulnerability branch August 14, 2024 20:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants