Bug 33174 - python-aiohttp new security issue CVE-2024-27306
Summary: python-aiohttp new security issue CVE-2024-27306
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-05-02 16:48 CEST by Nicolas Salguero
Modified: 2024-06-24 21:05 CEST (History)
4 users (show)

See Also:
Source RPM: python-aiohttp-3.8.3-3.mga9.src.rpm
CVE: CVE-2024-27306
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Nicolas Salguero 2024-05-02 16:48:36 CEST

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => python-aiohttp-3.9.1-1.mga10.src.rpm
CVE: (none) => CVE-2024-27306
Status comment: (none) => Fixed upstream in 3.9.4 and patch available from upstream

Comment 1 Lewis Smith 2024-05-03 21:24:42 CEST 
wally is clearly the current maintainer for this SRPM, so assigning to you.
Even v3.9.1 is quite recent; it has jumped several version quickly.

Assignee: bugsquad => jani.valimaa

Comment 2 Jani Välimaa 2024-05-04 14:03:34 CEST 
I'm not maintaining any python pkg. Reassigning to bug squad.

Assignee: jani.valimaa => bugsquad

Comment 3 Lewis Smith 2024-05-05 21:13:11 CEST 
Sorry; thank you for saying so.

Re-assigning generically to Python stack.

Assignee: bugsquad => python

Comment 4 papoteur 2024-06-23 17:40:42 CEST 
Cauldron updated.
python-aiohttp-3.9.5-1.mga10

Source RPM: python-aiohttp-3.9.1-1.mga10.src.rpm => python-aiohttp-3.8.3-3.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
CC: (none) => yvesbrungard

Comment 5 papoteur 2024-06-23 19:36:30 CEST 
Submitting:
SRPMS:
python-aiohttp-3.8.3-3.mga9
RPMS:
python3-aiohttp+speedups-3.8.3-3.mga9
python3-aiohttp-3.8.3-3.mga9.x86_64.rpm

Assignee: python => qa-bugs
Status comment: Fixed upstream in 3.9.4 and patch available from upstream => (none)

Comment 6 David GEIGER 2024-06-23 19:45:52 CEST 
You have forgot the "%define subrel 1" for mga9!

CC: (none) => geiger.david68210

Comment 7 katnatek 2024-06-23 21:13:33 CEST 
(In reply to David GEIGER from comment #6)
> You have forgot the "%define subrel 1" for mga9!

I must wait to new release to test and make advisory?
Comment 8 papoteur 2024-06-23 21:59:19 CEST 
Indeed.
Submitting:
SRPMS:
python-aiohttp-3.8.3-3.1.mga9
RPMS:
python3-aiohttp+speedups-3.8.3-3.1.mga9
python3-aiohttp-3.8.3-3.1.mga9
katnatek 2024-06-24 01:19:58 CEST

Keywords: (none) => advisory

Comment 9 katnatek 2024-06-24 01:46:56 CEST 
RH mageia 9 x86_64

Reference bug#28490

Install current version

In one terminal

python3 aio_http_server.py 
======== Running on http://0.0.0.0:8080 ========
(Press CTRL+C to quit)

In other terminal

python3 aio_http_client.py 
Status: 200
Content-type: text/html; charset=utf-8
Body: <!doctype html> ...

Open in the browser http://0.0.0.0:8080
Hello, Anonymous

And in terminal 1 this appear (perhaps because I have https only mode enable)
Traceback (most recent call last):
  File "/usr/lib64/python3.10/site-packages/aiohttp/web_protocol.py", line 332, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp/_http_parser.pyx", line 551, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message="Bad status line 'Invalid method encountered'"

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing python3-aiohttp+speedups-3.8.3-3.1.mga9.x86_64.rpm python3-aiohttp-3.8.3-3.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: python3-aiohttp       ##################################################################################################
      2/2: python3-aiohttp+speedups
                                 ##################################################################################################
      1/2: removing python3-aiohttp+speedups-3.8.3-3.mga9.x86_64
                                 ##################################################################################################
      2/2: removing python3-aiohttp-3.8.3-3.mga9.x86_64
                                 ##################################################################################################

Repeat the test all is the same except I not get the fail after open http://0.0.0.0:8080

Looks good to me

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 10 Thomas Andrews 2024-06-24 03:20:05 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2024-06-24 21:05:03 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0235.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.