Bug 1219342 (CVE-2024-23829)

Summary: VUL-0: CVE-2024-23829: python-aiohttp: HTTP parser still overly lenient about separators
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: John Paul Adrian Glaubitz <adrian.glaubitz>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: adrian.glaubitz, meissner, rjschwei, stoyan.manolov, thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/392490/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23829:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-01-30 09:39:15 UTC
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23829
https://www.cve.org/CVERecord?id=CVE-2024-23829
https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
https://github.com/aio-libs/aiohttp/pull/8074
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
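The description above turns on one point: a server behind a proxy must reject header separators the standard forbids, because any form it tolerates and the proxy does not (or vice versa) lets the two hops disagree about where a request ends. The following is an added illustration, not code from aiohttp, from the referenced commit, or from this report; it is a stand-alone strict header-block parser written against the RFC 9110/9112 grammar (token field names, no whitespace before the colon, no bare CR or LF, no obsolete line folding, a single numeric Content-Length, never Content-Length together with Transfer-Encoding). Which of these checks the aiohttp fix touched is not stated on this page, so the rule set here is an assumption about what "strict" should mean, and the sample header blocks are constructed, not captured traffic.

```python
"""Strict HTTP/1.1 header-block parsing as a defensive illustration.

Added example, not aiohttp's parser. A lenient parser that tolerates any of
the forms rejected below may frame a request differently from an upstream
proxy, which is the precondition for request smuggling; refusing the input
outright keeps both hops in agreement and avoids unhandled-exception paths.
"""
from __future__ import annotations

import re

# token = 1*tchar (RFC 9110 section 5.6.2): no whitespace, no delimiters.
TCHAR_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# field-value after OWS trimming: VCHAR, SP, HTAB, obs-text; never bare CR/LF.
FIELD_VALUE_RE = re.compile(rb"^[\t\x20-\x7e\x80-\xff]*$")


class MalformedHeader(ValueError):
    """Raised for any header block a strict RFC 9112 parser must reject."""


def parse_headers_strict(raw: bytes) -> dict[str, bytes]:
    """Parse the header block (everything after the request line, including
    the terminating CRLF CRLF) into lower-cased names, refusing lenient forms.
    """
    if not raw.endswith(b"\r\n\r\n"):
        raise MalformedHeader("header block must end with CRLF CRLF")
    body = raw[:-4]
    headers: dict[str, bytes] = {}
    for line in (body.split(b"\r\n") if body else []):
        if not line:
            raise MalformedHeader("empty line inside header block")
        if b"\r" in line or b"\n" in line:
            raise MalformedHeader("bare CR or LF inside header line")
        if line[:1] in (b" ", b"\t"):
            raise MalformedHeader("obsolete line folding is not accepted")
        name, sep, value = line.partition(b":")
        if not sep:
            raise MalformedHeader("header line without a colon")
        if not TCHAR_RE.match(name):
            # Rejects "Content-Length : 5" (space before the colon) and any
            # name carrying control or non-token characters.
            raise MalformedHeader(f"invalid field name {name!r}")
        value = value.strip(b" \t")  # OWS around the value is permitted
        if not FIELD_VALUE_RE.match(value):
            raise MalformedHeader(f"invalid field value for {name!r}")
        key = name.decode("ascii").lower()
        if key == "content-length":
            if not value.isdigit():
                raise MalformedHeader("Content-Length must be 1*DIGIT")
            if key in headers and headers[key] != value:
                raise MalformedHeader("conflicting Content-Length values")
        elif key in headers:
            # Repeated list-valued fields combine as a comma-separated list.
            headers[key] = headers[key] + b", " + value
            continue
        headers[key] = value
    if "content-length" in headers and "transfer-encoding" in headers:
        # RFC 9112 section 6.3 treats this combination as a smuggling
        # indicator; a strict origin refuses rather than picking one.
        raise MalformedHeader("Content-Length and Transfer-Encoding both present")
    return headers


def classify(raw: bytes) -> str:
    """Return 'ok' or the rejection reason; useful when reviewing rejected
    requests in server logs."""
    try:
        parse_headers_strict(raw)
        return "ok"
    except MalformedHeader as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample header blocks (not captured traffic).
    samples = [
        b"Host: example.com\r\nContent-Length: 5\r\n\r\n",
        b"Host: example.com\r\nContent-Length : 5\r\n\r\n",
        b"Host: example.com\r\nX-Note: a\rb\r\n\r\n",
        b"Host: example.com\r\nX-Note: a\r\n b\r\n\r\n",
        b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n",
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    ]
    for sample in samples:
        print(f"{sample!r:58} -> {classify(sample)}")
```

Only the first sample parses; each of the others is a form a proxy and an origin may frame differently, so the parser names the reason and stops instead of guessing. The same rejection strings can be counted in logs to spot a client or intermediary that repeatedly sends malformed separators.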
Comment 1 Thomas Leroy 2024-01-30 09:42:33 UTC
Affected:

- SUSE:ALP:Source:Standard:1.0
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP4:Update
Comment 2 John Paul Adrian Glaubitz 2024-01-30 10:32:55 UTC
(In reply to Thomas Leroy from comment #1)
> Affected:
> 
> - SUSE:ALP:Source:Standard:1.0
> - SUSE:SLE-15-SP1:Update
> - SUSE:SLE-15-SP4:Update

openSUSE:Factory is affected as well. I just submitted an update to 3.9.3.

I will look into SUSE:SLE-15-SP1 and SUSE:SLE-15-SP4.
Comment 3 John Paul Adrian Glaubitz 2024-02-15 15:52:47 UTC
Submitted an update for SUSE:SLE-15-SP4:Update to 3.9.3 to address this.
Comment 5 Maintenance Automation 2024-02-21 12:30:12 UTC
SUSE-SU-2024:0577-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1217174, 1217181, 1217782, 1219341, 1219342
CVE References: CVE-2023-47627, CVE-2023-47641, CVE-2024-23334, CVE-2024-23829
Sources used:
openSUSE Leap 15.4 (src): python-aiohttp-3.9.3-150400.10.14.1, python-time-machine-2.13.0-150400.9.3.1
openSUSE Leap 15.5 (src): python-aiohttp-3.9.3-150400.10.14.1
Python 3 Module 15-SP5 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.