Bug 1219342 (CVE-2024-23829) - VUL-0: CVE-2024-23829: python-aiohttp: HTTP parser still overly lenient about separators
Summary: VUL-0: CVE-2024-23829: python-aiohttp: HTTP parser still overly lenient about...
Status: IN_PROGRESS
Alias: CVE-2024-23829
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Assignee: John Paul Adrian Glaubitz
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/392490/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23829:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-30 09:39 UTC by SMASH SMASH
Modified: 2024-06-10 10:40 UTC
5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-01-30 09:39:15 UTC
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23829
https://www.cve.org/CVERecord?id=CVE-2024-23829
https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
https://github.com/aio-libs/aiohttp/pull/8074
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
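The class of leniency the description refers to can be seen by putting a strict RFC 9112 header-line parser next to one built on Python's str.strip()/split(), which treat characters such as \x0b and \x0c as whitespace even though HTTP only allows SP and HTAB. This is an added illustration, not aiohttp's parser or the 3.9.2 fix; the function names, the InvalidHeader exception and the sample header lines are all constructed here.

```python
import re
from typing import Tuple

# RFC 9110 tchar: the only bytes allowed in a header field name (ASCII only).
TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# field-value content: VCHAR, obs-text, SP and HTAB. Bare CR/LF and other
# control bytes (including \x0b, \x0c, \x1c-\x1f) are not permitted.
FIELD_VALUE = rb"[\t\x20-\x7e\x80-\xff]*"
# field-name must be followed immediately by ":" (no whitespace before it).
HEADER_LINE = re.compile(rb"\A(" + TCHAR + rb"):(" + FIELD_VALUE + rb")\Z")


class InvalidHeader(ValueError):
    """One exception type, so every malformed header takes the same error path
    instead of leaking an unrelated exception (e.g. from int()) to the caller."""


def parse_header_strict(line: bytes) -> Tuple[bytes, bytes]:
    """Parse one header line (without CRLF) the way a standards-conforming proxy
    frames it; anything outside the grammar is rejected, never repaired."""
    m = HEADER_LINE.match(line)
    if m is None:
        raise InvalidHeader(line)
    # OWS around the value is SP / HTAB only, so strip exactly those.
    return m.group(1).lower(), m.group(2).strip(b" \t")


def parse_header_lenient(line: bytes) -> Tuple[bytes, bytes]:
    """The shape of parsing the advisory warns about (constructed example):
    str.strip() also removes form feeds, vertical tabs and other separators that
    a proxy would reject, so the two sides can disagree on message framing."""
    name, _, value = line.decode("latin-1").partition(":")
    return name.strip().lower().encode("latin-1"), value.strip().encode("latin-1")


def parse_content_length(value: bytes) -> int:
    """Content-Length is 1*DIGIT. int() alone would also accept ' 10', '+10'
    and '1_0', so validate the byte pattern first and raise InvalidHeader."""
    if re.fullmatch(rb"[0-9]+", value) is None:
        raise InvalidHeader(value)
    return int(value)


def accepted_only_by_lenient(line: bytes) -> bool:
    """True when the lenient parser accepts a line the strict one rejects,
    i.e. an input on which this server and a conforming proxy would diverge."""
    try:
        parse_header_strict(line)
        return False
    except InvalidHeader:
        parse_header_lenient(line)
        return True
```

Running accepted_only_by_lenient() over captured header lines is a cheap way to find inputs a fronting proxy and the application would frame differently.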
Comment 1 Thomas Leroy 2024-01-30 09:42:33 UTC
Affected:

- SUSE:ALP:Source:Standard:1.0
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP4:Update
Comment 2 John Paul Adrian Glaubitz 2024-01-30 10:32:55 UTC
(In reply to Thomas Leroy from comment #1)
> Affected:
> 
> - SUSE:ALP:Source:Standard:1.0
> - SUSE:SLE-15-SP1:Update
> - SUSE:SLE-15-SP4:Update

openSUSE:Factory is affected as well. I just submitted an update to 3.9.3.

I will look into SUSE:SLE-15-SP1 and SUSE:SLE-15-SP4.
Comment 3 John Paul Adrian Glaubitz 2024-02-15 15:52:47 UTC
Submitted an update for SUSE:SLE-15-SP4:Update to 3.9.3 to address this.
Comment 5 Maintenance Automation 2024-02-21 12:30:12 UTC
SUSE-SU-2024:0577-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1217174, 1217181, 1217782, 1219341, 1219342
CVE References: CVE-2023-47627, CVE-2023-47641, CVE-2024-23334, CVE-2024-23829
Sources used:
openSUSE Leap 15.4 (src): python-aiohttp-3.9.3-150400.10.14.1, python-time-machine-2.13.0-150400.9.3.1
openSUSE Leap 15.5 (src): python-aiohttp-3.9.3-150400.10.14.1
Python 3 Module 15-SP5 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): python-aiohttp-3.9.3-150400.10.14.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): python-aiohttp-3.9.3-150400.10.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.