Recommended update for python-aiohttp, python-typing_extensions SUSE Patch security@suse.de SUSE Security Team SUSE-RU-2022:3275-1 Final 1 1 2022-09-15T04:12:50Z current 2022-09-15T04:12:50Z 2022-09-15T04:12:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for python-aiohttp, python-typing_extensions This update for python-aiohttp, python-typing_extensions fixes the following issues: - Include in SLE-15 (bsc#1197831) - Fixed required/optional keys with old-style TypedDict - Test in separate multibuild flavor to break depcycles with full python stdlib - Clean requirements specifications for python flavors - Add transitional typing-extensions provides - Fix tests for Python 3.9 - Official support for Python 3.8 and 3.9 - Fix build without python2 available - Fix isinstance() with generic protocol subclasses after subscripting - Fix tests for non-default interpreters - Use environment marker to specify typing dependency - Fix unions of protocols on Python 2 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP3-BYOS-Azure-2022-3275,Image SLES15-SP3-HPC-BYOS-Azure-2022-3275,Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure-2022-3275,Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2022-3275,Image SLES15-SP3-SAP-BYOS-Azure-2022-3275,Image SLES15-SP3-SAPCAL-Azure-2022-3275,SUSE-2022-3275,SUSE-SLE-Module-Public-Cloud-15-SP1-2022-3275,SUSE-SLE-Module-Public-Cloud-15-SP2-2022-3275,SUSE-SLE-Module-Public-Cloud-15-SP3-2022-3275,SUSE-SLE-Module-Public-Cloud-15-SP4-2022-3275,SUSE-SLE-Module-Server-Applications-15-SP4-2022-3275,openSUSE-SLE-15.3-2022-3275,openSUSE-SLE-15.4-2022-3275 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/-2022-3275/suse-ru-20223275-1/ Link for SUSE-RU-2022:3275-1 https://lists.suse.com/pipermail/sle-updates/2022-September/025160.html E-Mail link for SUSE-RU-2022:3275-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1121578 SUSE Bug 1121578 https://bugzilla.suse.com/1197831 SUSE Bug 1197831 https://www.suse.com/security/cve/CVE-2021-21330/ SUSE CVE CVE-2021-21330 page Image SLES15-SP3-BYOS-Azure Image SLES15-SP3-HPC-BYOS-Azure Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-SAP-BYOS-Azure Image SLES15-SP3-SAPCAL-Azure SUSE Linux Enterprise Module for Public Cloud 15 SP1 SUSE Linux Enterprise Module for Public Cloud 15 SP2 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP4 openSUSE Leap 15.3 openSUSE Leap 15.4 python3-aiohttp-3.6.0-150100.3.9.1 python3-typing_extensions-3.10.0.0-150100.3.3.1 python-aiohttp-doc-3.6.0-150100.3.9.1 python2-typing_extensions-3.10.0.0-150100.3.3.1 python3-typing_extensions-3.10.0.0-150400.3.2.1 python3-aiohttp-3.6.0-150100.3.9.1 as a component of Image SLES15-SP3-BYOS-Azure python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of Image SLES15-SP3-BYOS-Azure python3-aiohttp-3.6.0-150100.3.9.1 as a component of Image SLES15-SP3-HPC-BYOS-Azure python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of Image SLES15-SP3-HPC-BYOS-Azure python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure python3-aiohttp-3.6.0-150100.3.9.1 as a component of Image SLES15-SP3-SAP-BYOS-Azure python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of Image SLES15-SP3-SAP-BYOS-Azure python3-aiohttp-3.6.0-150100.3.9.1 as a component of Image SLES15-SP3-SAPCAL-Azure python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of Image SLES15-SP3-SAPCAL-Azure python-aiohttp-doc-3.6.0-150100.3.9.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP1 python3-aiohttp-3.6.0-150100.3.9.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP1 python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP1 python-aiohttp-doc-3.6.0-150100.3.9.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP2 python3-aiohttp-3.6.0-150100.3.9.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP2 python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP2 python3-aiohttp-3.6.0-150100.3.9.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP3 python3-typing_extensions-3.10.0.0-150100.3.3.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP3 python3-aiohttp-3.6.0-150100.3.9.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP4 python3-typing_extensions-3.10.0.0-150400.3.2.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP4 python-aiohttp-doc-3.6.0-150100.3.9.1 as a component of openSUSE Leap 15.3 python3-aiohttp-3.6.0-150100.3.9.1 as a component of openSUSE Leap 15.3 python-aiohttp-doc-3.6.0-150100.3.9.1 as a component of openSUSE Leap 15.4 python3-aiohttp-3.6.0-150100.3.9.1 as a component of openSUSE Leap 15.4 python3-typing_extensions-3.10.0.0-150400.3.2.1 as a component of openSUSE Leap 15.4 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications. CVE-2021-21330 Image SLES15-SP3-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.9.1 Image SLES15-SP3-BYOS-Azure:python3-typing_extensions-3.10.0.0-150100.3.3.1 Image SLES15-SP3-HPC-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.9.1 Image SLES15-SP3-HPC-BYOS-Azure:python3-typing_extensions-3.10.0.0-150100.3.3.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure:python3-typing_extensions-3.10.0.0-150100.3.3.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:python3-typing_extensions-3.10.0.0-150100.3.3.1 Image SLES15-SP3-SAP-BYOS-Azure:python3-aiohttp-3.6.0-150100.3.9.1 Image SLES15-SP3-SAP-BYOS-Azure:python3-typing_extensions-3.10.0.0-150100.3.3.1 Image SLES15-SP3-SAPCAL-Azure:python3-aiohttp-3.6.0-150100.3.9.1 Image SLES15-SP3-SAPCAL-Azure:python3-typing_extensions-3.10.0.0-150100.3.3.1 SUSE Linux Enterprise Module for Public Cloud 15 SP1:python-aiohttp-doc-3.6.0-150100.3.9.1 SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-aiohttp-3.6.0-150100.3.9.1 SUSE Linux Enterprise Module for Public Cloud 15 SP1:python3-typing_extensions-3.10.0.0-150100.3.3.1 SUSE Linux Enterprise Module for Public Cloud 15 SP2:python-aiohttp-doc-3.6.0-150100.3.9.1 SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-aiohttp-3.6.0-150100.3.9.1 SUSE Linux Enterprise Module for Public Cloud 15 SP2:python3-typing_extensions-3.10.0.0-150100.3.3.1 SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-aiohttp-3.6.0-150100.3.9.1 SUSE Linux Enterprise Module for Public Cloud 15 SP3:python3-typing_extensions-3.10.0.0-150100.3.3.1 SUSE Linux Enterprise Module for Public Cloud 15 SP4:python3-aiohttp-3.6.0-150100.3.9.1 SUSE Linux Enterprise Module for Server Applications 15 SP4:python3-typing_extensions-3.10.0.0-150400.3.2.1 openSUSE Leap 15.3:python-aiohttp-doc-3.6.0-150100.3.9.1 openSUSE Leap 15.3:python3-aiohttp-3.6.0-150100.3.9.1 openSUSE Leap 15.4:python-aiohttp-doc-3.6.0-150100.3.9.1 openSUSE Leap 15.4:python3-aiohttp-3.6.0-150100.3.9.1 openSUSE Leap 15.4:python3-typing_extensions-3.10.0.0-150400.3.2.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2022-3275/suse-ru-20223275-1/ https://www.suse.com/security/cve/CVE-2021-21330.html CVE-2021-21330 https://bugzilla.suse.com/1184745 SUSE Bug 1184745