MGASA-2024-0388

Description

Updated python-aiohttp packages fix security vulnerabilities When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. CVE-2024-23334 The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. CVE-2024-52304

Affected Systems

• mageia•python-aiohttp

  < 3.8.3-3.2.mga9

References (4)

• https://advisories.mageia.org/MGASA-2024-0388.html
• https://bugs.mageia.org/show_bug.cgi?id=33544
• https://ubuntu.com/security/notices/USN-6991-1
• https://lists.suse.com/pipermail/sle-security-updates/2024-November/019855.html