Closed fabaff closed 2 years ago
Hi Fabian,
Thank you for the patch!
According to https://github.com/advisories/GHSA-v6wp-4m6f-gcjg, CVE-2021-21330 is a vulnerability in the aiohttp HTTP server middleware. python-smarttub only uses aiohttp.ClientSession, so I don't think this vulnerability applies to this library.
Good to know that CVE-2021-21330 is not an issue.
For the distribution packages (e.g., NixOS) it would still require that the constraint is relaxed.
Can you help me understand why a change is required for NixOS? The current dependency spec is compatible with 3.7.4.
$ python3 -m venv venv
$ . venv/bin/activate
$ pip3 install aiohttp==3.7.4 python-smarttub
Collecting aiohttp==3.7.4
Downloading aiohttp-3.7.4-cp39-cp39-macosx_10_14_x86_64.whl (649 kB)
|████████████████████████████████| 649 kB 15.0 MB/s
Collecting python-smarttub
Downloading python-smarttub-0.0.27.tar.gz (12 kB)
Collecting attrs>=17.3.0
Using cached attrs-21.2.0-py2.py3-none-any.whl (53 kB)
Collecting yarl<2.0,>=1.0
Downloading yarl-1.7.2-cp39-cp39-macosx_10_9_x86_64.whl (121 kB)
|████████████████████████████████| 121 kB 2.7 MB/s
Collecting typing-extensions>=3.6.5
Downloading typing_extensions-4.0.0-py3-none-any.whl (22 kB)
Collecting multidict<7.0,>=4.5
Downloading multidict-5.2.0-cp39-cp39-macosx_10_9_x86_64.whl (45 kB)
|████████████████████████████████| 45 kB 10.4 MB/s
Collecting chardet<4.0,>=2.0
Using cached chardet-3.0.4-py2.py3-none-any.whl (133 kB)
Collecting async-timeout<4.0,>=3.0
Using cached async_timeout-3.0.1-py3-none-any.whl (8.2 kB)
Collecting inflection~=0.5.1
Using cached inflection-0.5.1-py2.py3-none-any.whl (9.5 kB)
Collecting pyjwt~=2.1.0
Using cached PyJWT-2.1.0-py3-none-any.whl (16 kB)
Collecting python-dateutil~=2.8.1
Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
|████████████████████████████████| 247 kB 16.3 MB/s
Collecting idna>=2.0
Downloading idna-3.3-py3-none-any.whl (61 kB)
|████████████████████████████████| 61 kB 18.7 MB/s
Collecting six>=1.5
Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Using legacy 'setup.py install' for python-smarttub, since package 'wheel' is not installed.
Installing collected packages: attrs, multidict, idna, yarl, typing-extensions, chardet, async-timeout, aiohttp, inflection, pyjwt, six, python-dateutil, python-smarttub
Running setup.py install for python-smarttub ... done
Successfully installed aiohttp-3.7.4 async-timeout-3.0.1 attrs-21.2.0 chardet-3.0.4 idna-3.3 inflection-0.5.1 multidict-5.2.0 pyjwt-2.1.0 python-dateutil-2.8.2 python-smarttub-0.0.27 six-1.16.0 typing-extensions-4.0.0 yarl-1.7.2
Because NixOS and other distributions are shipping aiohttp 3.7.4 or later already. The current constraint prevents one from using 3.8.0 and makes the build fail. Home Assistant has moved to aiohttp 3.8.0. The HA requirements have priority in the venv, thus, aiohttp~=3.7.3 will be ignored most likely.
The current dependency spec is compatible with 3.7.4
Yes, it is but not with 3.8.0 and above.
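The disagreement above comes down to what PEP 440's compatible-release operator means: `aiohttp~=3.7.3` is shorthand for `>=3.7.3, ==3.7.*`, so it admits 3.7.4 but rejects 3.8.0, while `>=3.7.4` admits both and also excludes the 3.7.3 release named in the PR title. The following is an added example, not code from python-smarttub or this PR; it re-implements only the subset of PEP 440 needed for these plain dotted versions (use the `packaging` library for real resolution).

```python
from typing import Callable, Dict, Iterable, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.7.4' -> (3, 7, 4); only plain dotted release segments are handled."""
    return tuple(int(part) for part in text.strip().split("."))


def _ge(a: Version, b: Version) -> bool:
    """a >= b after zero-padding both to the same length (so 3.8 == 3.8.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def compatible_release(base: str) -> Callable[[str], bool]:
    """Predicate for '~=base'. PEP 440 defines '~=X.Y.Z' as '>=X.Y.Z, ==X.Y.*':
    the last listed component may grow, everything before it stays pinned."""
    b = parse_version(base)
    if len(b) < 2:
        raise ValueError("~= needs at least two release components")
    prefix = b[:-1]
    return lambda v: _ge(parse_version(v), b) and parse_version(v)[: len(prefix)] == prefix


def at_least(base: str) -> Callable[[str], bool]:
    """Predicate for '>=base'."""
    b = parse_version(base)
    return lambda v: _ge(parse_version(v), b)


def compare_constraints(candidates: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """For each candidate version: (allowed by old '~=3.7.3', allowed by new '>=3.7.4')."""
    old, new = compatible_release("3.7.3"), at_least("3.7.4")
    return {v: (old(v), new(v)) for v in candidates}


if __name__ == "__main__":
    # Constructed sample: 3.7.3 is the last release the PR title says to avoid
    # because of CVE-2021-21330; 3.8.0 is what Home Assistant and NixOS ship.
    for v, (old_ok, new_ok) in compare_constraints(["3.7.3", "3.7.4", "3.8.0"]).items():
        print(f"aiohttp {v}: ~=3.7.3 -> {old_ok}, >=3.7.4 -> {new_ok}")
```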
I see, thank you. I'll get this merged and released once I figure out how to cause the CI checks to run.
For some reason, the CI checks aren't running, nor is there a prompt for approval to run them. I'll submit the changes under a new PR.
Thanks
aiohttp-3.8.0 was released a while ago.
aiohttp >= 3.7.4 to avoid CVE-2021-21330