Bug 1217181 (CVE-2023-47627)

Summary: VUL-0: CVE-2023-47627: python-aiohttp: numerous problems with header parsing which could lead to request smuggling
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: John Paul Adrian Glaubitz <adrian.glaubitz>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: adrian.glaubitz, gianluca.gabrielli, kvanderveer, public-cloud-maintainers, rjschwei, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/385157/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-47627:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-11-15 12:58:41 UTC 
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-47627
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
Comment 1 Gianluca Gabrielli 2023-11-15 12:59:55 UTC 
Affected packages:
 - SUSE:ALP:Source:Standard:1.0/python-aiohttp
 - SUSE:SLE-15-SP4:Update/python-aiohttp
 - SUSE:SLE-15-SP1:Update/python-aiohttp

Already Fixed:
 - openSUSE:Factory/python-aiohttp

Upstream patch: https://github.com/aio-libs/aiohttp/commit/d5c12ba890557a575c313bb3017910d7616fce3d
Comment 9 Maintenance Automation 2024-02-21 12:30:11 UTC 
SUSE-SU-2024:0577-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1217174, 1217181, 1217782, 1219341, 1219342
CVE References: CVE-2023-47627, CVE-2023-47641, CVE-2024-23334, CVE-2024-23829
Sources used:
openSUSE Leap 15.4 (src): python-aiohttp-3.9.3-150400.10.14.1, python-time-machine-2.13.0-150400.9.3.1
openSUSE Leap 15.5 (src): python-aiohttp-3.9.3-150400.10.14.1
Python 3 Module 15-SP5 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.