search

amenezes / config-client

config-client package for spring cloud config and cloud foundry
https://config-client.amenezes.net/
Apache License 2.0
24 stars 17 forks source link

[Security] Bump aiohttp from 3.5.4 to 3.7.4 #42

Closed dependabot-preview[bot] closed 3 years ago

dependabot-preview[bot] commented 3 years ago

Bumps aiohttp from 3.5.4 to 3.7.4. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Open redirect vulnerability in aiohttp (normalize_path_middleware middleware)

Impact

What kind of vulnerability is it? Who is impacted?

Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.

It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware.

Patches

Has the problem been patched? What versions should users upgrade to?

This security problem has been fixed in v3.7.4. Upgrade your dependency as follows: [pip install aiohttp >= 3.7.4]

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.

References

Are there any links users can visit to find out more?

... (truncated)

Affected versions: < 3.7.4

Release notes

Sourced from aiohttp's releases.

aiohttp 3.7.3 release

Features

  • Use Brotli instead of brotlipy [#3803](https://github.com/aio-libs/aiohttp/issues/3803) <https://github.com/aio-libs/aiohttp/issues/3803>_
  • Made exceptions pickleable. Also changed the repr of some exceptions. [#4077](https://github.com/aio-libs/aiohttp/issues/4077) <https://github.com/aio-libs/aiohttp/issues/4077>_

Bugfixes

  • Raise a ClientResponseError instead of an AssertionError for a blank HTTP Reason Phrase. [#3532](https://github.com/aio-libs/aiohttp/issues/3532) <https://github.com/aio-libs/aiohttp/issues/3532>_
  • Fix web_middlewares.normalize_path_middleware behavior for patch without slash. [#3669](https://github.com/aio-libs/aiohttp/issues/3669) <https://github.com/aio-libs/aiohttp/issues/3669>_
  • Fix overshadowing of overlapped sub-applications prefixes. [#3701](https://github.com/aio-libs/aiohttp/issues/3701) <https://github.com/aio-libs/aiohttp/issues/3701>_
  • Make BaseConnector.close() a coroutine and wait until the client closes all connections. Drop deprecated "with Connector():" syntax. [#3736](https://github.com/aio-libs/aiohttp/issues/3736) <https://github.com/aio-libs/aiohttp/issues/3736>_
  • Reset the sock_read timeout each time data is received for a aiohttp.client response. [#3808](https://github.com/aio-libs/aiohttp/issues/3808) <https://github.com/aio-libs/aiohttp/issues/3808>_
  • Fixed type annotation for add_view method of UrlDispatcher to accept any subclass of View [#3880](https://github.com/aio-libs/aiohttp/issues/3880) <https://github.com/aio-libs/aiohttp/issues/3880>_
  • Fixed querying the address families from DNS that the current host supports. [#5156](https://github.com/aio-libs/aiohttp/issues/5156) <https://github.com/aio-libs/aiohttp/issues/5156>_
  • Change return type of MultipartReader.aiter() and BodyPartReader.aiter() to AsyncIterator. [#5163](https://github.com/aio-libs/aiohttp/issues/5163) <https://github.com/aio-libs/aiohttp/issues/5163>_
  • Provide x86 Windows wheels. [#5230](https://github.com/aio-libs/aiohttp/issues/5230) <https://github.com/aio-libs/aiohttp/issues/5230>_

Improved Documentation

  • Add documentation for aiohttp.web.FileResponse. [#3958](https://github.com/aio-libs/aiohttp/issues/3958) <https://github.com/aio-libs/aiohttp/issues/3958>_
  • Removed deprecation warning in tracing example docs [#3964](https://github.com/aio-libs/aiohttp/issues/3964) <https://github.com/aio-libs/aiohttp/issues/3964>_
  • Fixed wrong "Usage" docstring of aiohttp.client.request. [#4603](https://github.com/aio-libs/aiohttp/issues/4603) <https://github.com/aio-libs/aiohttp/issues/4603>_
  • Add aiohttp-pydantic to third party libraries [#5228](https://github.com/aio-libs/aiohttp/issues/5228) <https://github.com/aio-libs/aiohttp/issues/5228>_

Misc

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.7.4 (2021-02-25)

Bugfixes

  • (SECURITY BUG) Started preventing open redirects in the aiohttp.web.normalize_path_middleware middleware. For more details, see https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg.

    Thanks to Beast Glatisant for finding the first instance of this issue and Jelmer Vernooij for reporting and tracking it down in aiohttp. #5497

  • Fix interpretation difference of the pure-Python and the Cython-based HTTP parsers construct a yarl.URL object for HTTP request-target.

    Before this fix, the Python parser would turn the URI's absolute-path for //some-path into / while the Cython code preserved it as //some-path. Now, both do the latter. #5498

3.7.3 (2020-11-18)

Features

  • Use Brotli instead of brotlipy #3803
  • Made exceptions pickleable. Also changed the repr of some exceptions. #4077

Bugfixes

  • Raise a ClientResponseError instead of an AssertionError for a blank HTTP Reason Phrase. #3532
  • Fix web_middlewares.normalize_path_middleware behavior for patch without slash. #3669
  • Fix overshadowing of overlapped sub-applications prefixes. #3701
  • Make BaseConnector.close() a coroutine and wait until the client closes all connections. Drop deprecated "with Connector():" syntax. #3736
  • Reset the sock_read timeout each time data is received for a aiohttp.client response. #3808
  • Fixed type annotation for add_view method of UrlDispatcher to accept any subclass of View #3880
  • Fixed querying the address families from DNS that the current host supports. #5156
  • Change return type of MultipartReader.__aiter__() and BodyPartReader.__aiter__() to AsyncIterator. #5163
  • Provide x86 Windows wheels. #5230

Improved Documentation

  • Add documentation for aiohttp.web.FileResponse. #3958
  • Removed deprecation warning in tracing example docs #3964
  • Fixed wrong "Usage" docstring of aiohttp.client.request. #4603
  • Add aiohttp-pydantic to third party libraries #5228

Misc

... (truncated)

Commits
  • 0a26acc Bump aiohttp to v3.7.4 for a security release
  • 021c416 Merge branch 'ghsa-v6wp-4m6f-gcjg' into master
  • 4ed7c25 Bump chardet from 3.0.4 to 4.0.0 (#5333)
  • b61f0fd Fix how pure-Python HTTP parser interprets //
  • 5c1efbc Bump pre-commit from 2.9.2 to 2.9.3 (#5322)
  • 0075075 Bump pygments from 2.7.2 to 2.7.3 (#5318)
  • 5085173 Bump multidict from 5.0.2 to 5.1.0 (#5308)
  • 5d1a75e Bump pre-commit from 2.9.0 to 2.9.2 (#5290)
  • 6724d0e Bump pre-commit from 2.8.2 to 2.9.0 (#5273)
  • c688451 Removed duplicate timeout parameter in ClientSession reference docs. (#5262) ...
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
amenezes commented 3 years ago

resolved in the version 0.12.0

dependabot-preview[bot] commented 3 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.