Closed renovate[bot] closed 1 week ago
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
Because you closed this PR without merging, Renovate will ignore this update (^3
). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps
array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 80.37%. Comparing base (
ee8910c
) to head (82f07ee
).
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
π¨ Try these New Features:
This PR contains the following updates:
3.10.8
->3.10.11
GitHub Vulnerability Alerts
CVE-2024-52303
Summary
A memory leak can occur when a request produces a
MatchInfoError
. This was caused by adding an entry to a cache on each request, due to the building of eachMatchInfoError
producing a unique cache entry.Impact
If the user is making use of any middlewares with
aiohttp.web
then it is advisable to upgrade immediately.An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests.
Patch: https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936
CVE-2024-52304
Summary
The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.
Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or
AIOHTTP_NO_EXTENSIONS
is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
Release Notes
aio-libs/aiohttp (aiohttp)
### [`v3.10.11`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31011-2024-11-13) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.10...v3.10.11) \==================== ## Bug fixes - Authentication provided by a redirect now takes precedence over provided `auth` when making requests with the client -- by :user:`PLPeeters`. *Related issues and pull requests on GitHub:* :issue:`9436`. - Fixed :py:meth:`WebSocketResponse.close()Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.