Bug 33174

Summary:	python-aiohttp new security issue CVE-2024-27306
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, geiger.david68210, sysadmin-bugs, yvesbrungard
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA9-64-OK
Source RPM:	python-aiohttp-3.8.3-3.mga9.src.rpm	CVE:	CVE-2024-27306
Status comment:

Description Nicolas Salguero 2024-05-02 16:48:09 CEST

Fedora has issued an advisory on May 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWEI6NIHZ3G7DURDZVMRK7ZEFC2BTD3U/

The fix is: https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397

Mageia 9 is also affected.

Nicolas Salguero 2024-05-02 16:48:36 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => python-aiohttp-3.9.1-1.mga10.src.rpm
CVE: (none) => CVE-2024-27306
Status comment: (none) => Fixed upstream in 3.9.4 and patch available from upstream

Comment 1 Lewis Smith 2024-05-03 21:24:42 CEST

wally is clearly the current maintainer for this SRPM, so assigning to you.
Even v3.9.1 is quite recent; it has jumped several version quickly.

Assignee: bugsquad => jani.valimaa

Comment 2 Jani Välimaa 2024-05-04 14:03:34 CEST

I'm not maintaining any python pkg. Reassigning to bug squad.

Assignee: jani.valimaa => bugsquad

Comment 3 Lewis Smith 2024-05-05 21:13:11 CEST

Sorry; thank you for saying so.

Re-assigning generically to Python stack.

Assignee: bugsquad => python

Comment 4 papoteur 2024-06-23 17:40:42 CEST

Cauldron updated.
python-aiohttp-3.9.5-1.mga10

Source RPM: python-aiohttp-3.9.1-1.mga10.src.rpm => python-aiohttp-3.8.3-3.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
CC: (none) => yvesbrungard

Comment 5 papoteur 2024-06-23 19:36:30 CEST

Submitting:
SRPMS:
python-aiohttp-3.8.3-3.mga9
RPMS:
python3-aiohttp+speedups-3.8.3-3.mga9
python3-aiohttp-3.8.3-3.mga9.x86_64.rpm

Assignee: python => qa-bugs
Status comment: Fixed upstream in 3.9.4 and patch available from upstream => (none)

Comment 6 David GEIGER 2024-06-23 19:45:52 CEST

You have forgot the "%define subrel 1" for mga9!

CC: (none) => geiger.david68210

Comment 7 katnatek 2024-06-23 21:13:33 CEST

(In reply to David GEIGER from comment #6)
> You have forgot the "%define subrel 1" for mga9!

I must wait to new release to test and make advisory?

Comment 8 papoteur 2024-06-23 21:59:19 CEST

Indeed.
Submitting:
SRPMS:
python-aiohttp-3.8.3-3.1.mga9
RPMS:
python3-aiohttp+speedups-3.8.3-3.1.mga9
python3-aiohttp-3.8.3-3.1.mga9

katnatek 2024-06-24 01:19:58 CEST

Keywords: (none) => advisory

Comment 9 katnatek 2024-06-24 01:46:56 CEST

RH mageia 9 x86_64

Reference bug#28490

Install current version

In one terminal

python3 aio_http_server.py 
======== Running on http://0.0.0.0:8080 ========
(Press CTRL+C to quit)

In other terminal

python3 aio_http_client.py 
Status: 200
Content-type: text/html; charset=utf-8
Body: <!doctype html> ...

Open in the browser http://0.0.0.0:8080
Hello, Anonymous

And in terminal 1 this appear (perhaps because I have https only mode enable)
Traceback (most recent call last):
  File "/usr/lib64/python3.10/site-packages/aiohttp/web_protocol.py", line 332, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp/_http_parser.pyx", line 551, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message="Bad status line 'Invalid method encountered'"

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing python3-aiohttp+speedups-3.8.3-3.1.mga9.x86_64.rpm python3-aiohttp-3.8.3-3.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: python3-aiohttp       ##################################################################################################
      2/2: python3-aiohttp+speedups
                                 ##################################################################################################
      1/2: removing python3-aiohttp+speedups-3.8.3-3.mga9.x86_64
                                 ##################################################################################################
      2/2: removing python3-aiohttp-3.8.3-3.mga9.x86_64
                                 ##################################################################################################

Repeat the test all is the same except I not get the fail after open http://0.0.0.0:8080

Looks good to me

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 10 Thomas Andrews 2024-06-24 03:20:05 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2024-06-24 21:05:03 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0235.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED