SUSE-SU-2024:4110-1

Опубликовано: 29 нояб. 2024

Источник: suse-cvrf

Описание

Security update for python-aiohttp

This update for python-aiohttp fixes the following issues:

CVE-2024-52304: Fixed request smuggling due to incorrect parsing of chunk extensions (bsc#1233447)

Список пакетов

Image SLES15-SP3-BYOS-Azure

python3-aiohttp-3.6.0-150100.3.18.1

Image SLES15-SP3-HPC-BYOS-Azure

python3-aiohttp-3.6.0-150100.3.18.1

Image SLES15-SP3-SAP-BYOS-Azure

python3-aiohttp-3.6.0-150100.3.18.1

Image SLES15-SP3-SAPCAL-Azure

python3-aiohttp-3.6.0-150100.3.18.1

SUSE Linux Enterprise Module for Public Cloud 15 SP2

python-aiohttp-doc-3.6.0-150100.3.18.1

python3-aiohttp-3.6.0-150100.3.18.1

SUSE Linux Enterprise Module for Public Cloud 15 SP3

python3-aiohttp-3.6.0-150100.3.18.1

SUSE Linux Enterprise Module for Public Cloud 15 SP4

python3-aiohttp-3.6.0-150100.3.18.1

SUSE Linux Enterprise Module for Public Cloud 15 SP5

python3-aiohttp-3.6.0-150100.3.18.1

SUSE Linux Enterprise Module for Public Cloud 15 SP6

python3-aiohttp-3.6.0-150100.3.18.1

openSUSE Leap 15.5

python-aiohttp-doc-3.6.0-150100.3.18.1

python3-aiohttp-3.6.0-150100.3.18.1

Ссылки

https://www.suse.com/support/update/announcement/2024/suse-su-20244110-1/
Link for SUSE-SU-2024:4110-1
https://lists.suse.com/pipermail/sle-security-updates/2024-November/019875.html
E-Mail link for SUSE-SU-2024:4110-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1233447
SUSE Bug 1233447
https://www.suse.com/security/cve/CVE-2024-52304/
SUSE CVE CVE-2024-52304 page

Описание

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.

Затронутые продукты

Image SLES15-SP3-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.18.1

Image SLES15-SP3-HPC-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.18.1

Image SLES15-SP3-SAP-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.18.1

Image SLES15-SP3-SAPCAL-Azure:python3-aiohttp-3.6.0-150100.3.18.1

Ссылки

https://www.suse.com/security/cve/CVE-2024-52304.html
CVE-2024-52304
https://bugzilla.suse.com/1233447
SUSE Bug 1233447

SUSE-SU-2024:4110-1

Описание

Список пакетов

Image SLES15-SP3-BYOS-Azure

Image SLES15-SP3-HPC-BYOS-Azure

Image SLES15-SP3-SAP-BYOS-Azure

Image SLES15-SP3-SAPCAL-Azure

SUSE Linux Enterprise Module for Public Cloud 15 SP2

SUSE Linux Enterprise Module for Public Cloud 15 SP3

SUSE Linux Enterprise Module for Public Cloud 15 SP4

SUSE Linux Enterprise Module for Public Cloud 15 SP5

SUSE Linux Enterprise Module for Public Cloud 15 SP6

openSUSE Leap 15.5

Ссылки

Уязвимость: CVE-2024-52304

Описание

Затронутые продукты

Ссылки