Advisories » MGASA-2024-0388

Updated python-aiohttp packages fix security vulnerabilities

Publication date: 04 Dec 2024
Modification date: 04 Dec 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-23334 , CVE-2024-52304

Description

When using aiohttp as a web server and configuring static routes, it is
necessary to specify the root path for static files. Additionally, the
option 'follow_symlinks' can be used to determine whether to follow
symbolic links outside the static root directory. When 'follow_symlinks'
is set to True, there is no validation to check if reading a file is
within the root directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to arbitrary files on
the system, even when symlinks are not present. Disabling
follow_symlinks and using a reverse proxy are encouraged mitigations.
CVE-2024-23334
The Python parser parses newlines in chunk extensions incorrectly which
can lead to request smuggling vulnerabilities under certain conditions.
If a pure Python version of aiohttp is installed (i.e. without the usual
C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker
may be able to execute a request smuggling attack to bypass certain
firewalls or proxy protections. CVE-2024-52304
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33544
• https://ubuntu.com/security/notices/USN-6991-1
• https://lists.suse.com/pipermail/sle-security-updates/2024-November/019855.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23334
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52304

SRPMS

9/core

• python-aiohttp-3.8.3-3.2.mga9