Описание
Security update for python-aiohttp
This update for python-aiohttp fixes the following issues:
- CVE-2024-27306: filenames and paths not escaped when generating index pages for static file handling. (bsc#1223098)
Список пакетов
Image SLES15-SP3-BYOS-Azure
python3-aiohttp-3.6.0-150100.3.24.1
Image SLES15-SP3-HPC-BYOS-Azure
python3-aiohttp-3.6.0-150100.3.24.1
Image SLES15-SP3-SAP-BYOS-Azure
python3-aiohttp-3.6.0-150100.3.24.1
Image SLES15-SP3-SAPCAL-Azure
python3-aiohttp-3.6.0-150100.3.24.1
SUSE Linux Enterprise Module for Public Cloud 15 SP2
python-aiohttp-doc-3.6.0-150100.3.24.1
python3-aiohttp-3.6.0-150100.3.24.1
SUSE Linux Enterprise Module for Public Cloud 15 SP3
python3-aiohttp-3.6.0-150100.3.24.1
SUSE Linux Enterprise Module for Public Cloud 15 SP4
python3-aiohttp-3.6.0-150100.3.24.1
SUSE Linux Enterprise Module for Public Cloud 15 SP5
python3-aiohttp-3.6.0-150100.3.24.1
SUSE Linux Enterprise Module for Public Cloud 15 SP6
python3-aiohttp-3.6.0-150100.3.24.1
openSUSE Leap 15.5
python-aiohttp-doc-3.6.0-150100.3.24.1
python3-aiohttp-3.6.0-150100.3.24.1
Ссылки
- Link for SUSE-SU-2024:4396-1
- E-Mail link for SUSE-SU-2024:4396-1
- SUSE Security Ratings
- SUSE Bug 1223098
- SUSE CVE CVE-2024-27306 page
Описание
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.
Затронутые продукты
Image SLES15-SP3-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.24.1
Image SLES15-SP3-HPC-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.24.1
Image SLES15-SP3-SAP-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.24.1
Image SLES15-SP3-SAPCAL-Azure:python3-aiohttp-3.6.0-150100.3.24.1
Ссылки
- CVE-2024-27306
- SUSE Bug 1223098