search

yeagerai / genlayer-simulator

MIT License
16 stars 8 forks source link

chore(deps): update dependency aiohttp to v3.10.11 [security] #617

Closed renovate[bot] closed 51 minutes ago

renovate[bot] commented 3 days ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aiohttp ==3.10.5 -> ==3.10.11 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-52304

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

aiohttp allows request smuggling due to incorrect parsing of chunk extensions

CVE-2024-52304 / GHSA-8495-4g3g-x7pr

More information #### Details ##### Summary The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. ##### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ----- Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71 #### Severity - CVSS Score: 0.0 / 10 (None) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N` #### References - [https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr](https://redirect.github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr) - [https://nvd.nist.gov/vuln/detail/CVE-2024-52304](https://nvd.nist.gov/vuln/detail/CVE-2024-52304) - [https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71](https://redirect.github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71) - [https://github.com/aio-libs/aiohttp](https://redirect.github.com/aio-libs/aiohttp) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8495-4g3g-x7pr) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

aio-libs/aiohttp (aiohttp) ### [`v3.10.11`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31011-2024-11-13) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.10...v3.10.11) \==================== ## Bug fixes - Authentication provided by a redirect now takes precedence over provided `auth` when making requests with the client -- by :user:`PLPeeters`. *Related issues and pull requests on GitHub:* :issue:`9436`. - Fixed :py:meth:`WebSocketResponse.close() ` to discard non-close messages within its timeout window after sending close -- by :user:`lenard-mosys`. *Related issues and pull requests on GitHub:* :issue:`9506`. - Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:`bdraco`. The connector was not cancellation-safe. *Related issues and pull requests on GitHub:* :issue:`9670`, :issue:`9671`. - Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9686`. - Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9851`. - Fixed system routes polluting the middleware cache -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9852`. ## Removals and backward incompatible breaking changes - Improved performance of the connector when a connection can be reused -- by :user:`bdraco`. If `BaseConnector.connect` has been subclassed and replaced with custom logic, the `ceil_timeout` must be added. *Related issues and pull requests on GitHub:* :issue:`9600`. ## Miscellaneous internal changes - Improved performance of the client request lifecycle when there are no cookies -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9470`. - Improved performance of sending client requests when the writer can finish synchronously -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9485`. - Improved performance of serializing HTTP headers -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9603`. - Passing `enable_cleanup_closed` to :py:class:`aiohttp.TCPConnector` is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying bug that caused asyncio to leak SSL connections has been fixed upstream -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9726`, :issue:`9736`. *** ### [`v3.10.10`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31010-2024-10-10) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.9...v3.10.10) \==================== ## Bug fixes - Fixed error messages from :py:class:`~aiohttp.resolver.AsyncResolver` being swallowed -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9451`, :issue:`9455`. ## Features - Added :exc:`aiohttp.ClientConnectorDNSError` for differentiating DNS resolution errors from other connector errors -- by :user:`mstojcevich`. *Related issues and pull requests on GitHub:* :issue:`8455`. ## Miscellaneous internal changes - Simplified DNS resolution throttling code to reduce chance of race conditions -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9454`. *** ### [`v3.10.9`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3109-2024-10-04) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.8...v3.10.9) \=================== ## Bug fixes - Fixed proxy headers being used in the `ConnectionKey` hash when a proxy was not being used -- by :user:`bdraco`. If default headers are used, they are also used for proxy headers. This could have led to creating connections that were not needed when one was already available. *Related issues and pull requests on GitHub:* :issue:`9368`. - Widened the type of the `trace_request_ctx` parameter of :meth:`ClientSession.request() ` and friends \-- by :user:`layday`. *Related issues and pull requests on GitHub:* :issue:`9397`. ## Removals and backward incompatible breaking changes - Fixed failure to try next host after single-host connection timeout -- by :user:`brettdh`. The default client :class:`aiohttp.ClientTimeout` params has changed to include a `sock_connect` timeout of 30 seconds so that this correct behavior happens by default. *Related issues and pull requests on GitHub:* :issue:`7342`. ## Miscellaneous internal changes - Improved performance of resolving hosts with Python 3.12+ -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9342`. - Reduced memory required for timer objects created during the client request lifecycle -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9406`. *** ### [`v3.10.8`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3108-2024-09-28) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.7...v3.10.8) \=================== ## Bug fixes - Fixed cancellation leaking upwards on timeout -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9326`. *** ### [`v3.10.7`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3107-2024-09-27) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.6...v3.10.7) \=================== ## Bug fixes - Fixed assembling the :class:`~yarl.URL` for web requests when the host contains a non-default port or IPv6 address -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9309`. ## Miscellaneous internal changes - Improved performance of determining if a URL is absolute -- by :user:`bdraco`. The property :attr:`~yarl.URL.absolute` is more performant than the method `URL.is_absolute()` and preferred when newer versions of yarl are used. *Related issues and pull requests on GitHub:* :issue:`9171`. - Replaced code that can now be handled by `yarl` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9301`. *** ### [`v3.10.6`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3106-2024-09-24) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.5...v3.10.6) \=================== ## Bug fixes - Added :exc:`aiohttp.ClientConnectionResetError`. Client code that previously threw :exc:`ConnectionResetError` will now throw this -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9137`. - Fixed an unclosed transport `ResourceWarning` on web handlers -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8875`. - Fixed resolve_host() 'Task was destroyed but is pending' errors -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8967`. - Fixed handling of some file-like objects (e.g. `tarfile.extractfile()`) which raise `AttributeError` instead of `OSError` when `fileno` fails for streaming payload data -- by :user:`ReallyReivax`. *Related issues and pull requests on GitHub:* :issue:`6732`. - Fixed web router not matching pre-encoded URLs (requires yarl 1.9.6+) -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8898`, :issue:`9267`. - Fixed an error when trying to add a route for multiple methods with a path containing a regex pattern -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8998`. - Fixed `Response.text` when body is a `Payload` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`6485`. - Fixed compressed requests failing when no body was provided -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9108`. - Fixed client incorrectly reusing a connection when the previous message had not been fully sent -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8992`. - Fixed race condition that could cause server to close connection incorrectly at keepalive timeout -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9140`. - Fixed Python parser chunked handling with multiple Transfer-Encoding values -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8823`. - Fixed error handling after 100-continue so server sends 500 response instead of disconnecting -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8876`. - Stopped adding a default Content-Type header when response has no content -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8858`. - Added support for URL credentials with empty (zero-length) username, e.g. `https://:password@host` -- by :user:`shuckc` *Related issues and pull requests on GitHub:* :issue:`6494`. - Stopped logging exceptions from `web.run_app()` that would be raised regardless -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`6807`. - Implemented binding to IPv6 addresses in the pytest server fixture. *Related issues and pull requests on GitHub:* :issue:`4650`. - Fixed the incorrect use of flags for `getnameinfo()` in the Resolver --by :user:`GitNMLee` Link-Local IPv6 addresses can now be handled by the Resolver correctly. *Related issues and pull requests on GitHub:* :issue:`9032`. - Fixed StreamResponse.prepared to return True after EOF is sent -- by :user:`arthurdarcet`. *Related issues and pull requests on GitHub:* :issue:`5343`. - Changed `make_mocked_request()` to use empty payload by default -- by :user:`rahulnht`. *Related issues and pull requests on GitHub:* :issue:`7167`. - Used more precise type for `ClientResponseError.headers`, fixing some type errors when using them -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8768`. - Changed behavior when returning an invalid response to send a 500 response -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8845`. - Fixed response reading from closed session to throw an error immediately instead of timing out -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8878`. - Fixed `CancelledError` from one cleanup context stopping other contexts from completing -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8908`. - Fixed changing scheme/host in `Response.clone()` for absolute URLs -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8990`. - Fixed `Site.name` when host is an empty string -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8929`. - Updated Python parser to reject messages after a close message, matching C parser behaviour -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9018`. - Fixed creation of `SSLContext` inside of :py:class:`aiohttp.TCPConnector` with multiple event loops in different threads -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9029`. - Fixed (on Python 3.11+) some edge cases where a task cancellation may get incorrectly suppressed -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9030`. - Fixed exception information getting lost on `HttpProcessingError` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9052`. - Fixed `If-None-Match` not using weak comparison -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9063`. - Fixed badly encoded charset crashing when getting response text instead of falling back to charset detector. *Related issues and pull requests on GitHub:* :issue:`9160`. - Rejected `\n` in `reason` values to avoid sending broken HTTP messages -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9167`. - Changed :py:meth:`ClientResponse.raise_for_status() ` to only release the connection when invoked outside an `async with` context -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9239`. ## Features - Improved type on `params` to match the underlying type allowed by `yarl` -- by :user:`lpetre`. *Related issues and pull requests on GitHub:* :issue:`8564`. - Declared Python 3.13 supported -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8748`. ## Removals and backward incompatible breaking changes - Improved middleware performance -- by :user:`bdraco`. The `set_current_app` method was removed from `UrlMappingMatchInfo` because it is no longer used, and it was unlikely external caller would ever use it. *Related issues and pull requests on GitHub:* :issue:`9200`. - Increased minimum yarl version to 1.12.0 -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9267`. ## Improved documentation - Clarified that `GracefulExit` needs to be handled in `AppRunner` and `ServerRunner` when using `handle_signals=True`. -- by :user:`Daste745` *Related issues and pull requests on GitHub:* :issue:`4414`. - Clarified that auth parameter in ClientSession will persist and be included with any request to any origin, even during redirects to different origins. -- by :user:`MaximZemskov`. *Related issues and pull requests on GitHub:* :issue:`6764`. - Clarified which timeout exceptions happen on which timeouts -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8968`. - Updated `ClientSession` parameters to match current code -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8991`. ## Packaging updates and notes for downstreams - Fixed `test_client_session_timeout_zero` to not require internet access -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9004`. ## Miscellaneous internal changes - Improved performance of making requests when there are no auto headers to skip -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8847`. - Exported `aiohttp.TraceRequestHeadersSentParams` -- by :user:`Hadock-is-ok`. *Related issues and pull requests on GitHub:* :issue:`8947`. - Avoided tracing overhead in the http writer when there are no active traces -- by user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9031`. - Improved performance of reify Cython implementation -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9054`. - Use :meth:`URL.extend_query() ` to extend query params (requires yarl 1.11.0+) -- by :user:`bdraco`. If yarl is older than 1.11.0, the previous slower hand rolled version will be used. *Related issues and pull requests on GitHub:* :issue:`9068`. - Improved performance of checking if a host is an IP Address -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9095`. - Significantly improved performance of middlewares -- by :user:`bdraco`. The construction of the middleware wrappers is now cached and is built once per handler instead of on every request. *Related issues and pull requests on GitHub:* :issue:`9158`, :issue:`9170`. - Improved performance of web requests -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9168`, :issue:`9169`, :issue:`9172`, :issue:`9174`, :issue:`9175`, :issue:`9241`. - Improved performance of starting web requests when there is no response prepare hook -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9173`. - Significantly improved performance of expiring cookies -- by :user:`bdraco`. Expiring cookies has been redesigned to use :mod:`heapq` instead of a linear search, to better scale. *Related issues and pull requests on GitHub:* :issue:`9203`. - Significantly sped up filtering cookies -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9204`. ***

Configuration

šŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

šŸš¦ Automerge: Enabled.

ā™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

šŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.