An update for python-aiohttp is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1900
Final
1.0
1.0
2023-12-08
Initial
2023-12-08
2023-12-08
openEuler SA Tool V1.0
2023-12-08
python-aiohttp security update
An update for python-aiohttp is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.
Async http client/server framework (asyncio).
Security Fix(es):
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0. (CVE-2023-49081)
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
python-aiohttp
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1900
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-49081
https://nvd.nist.gov/vuln/detail/CVE-2023-49081
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
python-aiohttp-debuginfo-3.7.4-3.oe1.aarch64.rpm
python-aiohttp-help-3.7.4-3.oe1.aarch64.rpm
python3-aiohttp-3.7.4-3.oe1.aarch64.rpm
python-aiohttp-debugsource-3.7.4-3.oe1.aarch64.rpm
python-aiohttp-help-3.7.4-3.oe1.aarch64.rpm
python3-aiohttp-3.7.4-3.oe1.aarch64.rpm
python-aiohttp-debugsource-3.7.4-3.oe1.aarch64.rpm
python-aiohttp-debuginfo-3.7.4-3.oe1.aarch64.rpm
python-aiohttp-help-3.7.4-4.oe2203.aarch64.rpm
python3-aiohttp-3.7.4-4.oe2203.aarch64.rpm
python-aiohttp-debuginfo-3.7.4-4.oe2203.aarch64.rpm
python-aiohttp-debugsource-3.7.4-4.oe2203.aarch64.rpm
python3-aiohttp-3.7.4-4.oe2203sp1.aarch64.rpm
python-aiohttp-help-3.7.4-4.oe2203sp1.aarch64.rpm
python-aiohttp-debuginfo-3.7.4-4.oe2203sp1.aarch64.rpm
python-aiohttp-debugsource-3.7.4-4.oe2203sp1.aarch64.rpm
python-aiohttp-debugsource-3.7.4-4.oe2203sp2.aarch64.rpm
python3-aiohttp-3.7.4-4.oe2203sp2.aarch64.rpm
python-aiohttp-help-3.7.4-4.oe2203sp2.aarch64.rpm
python-aiohttp-debuginfo-3.7.4-4.oe2203sp2.aarch64.rpm
python-aiohttp-3.7.4-3.oe1.src.rpm
python-aiohttp-3.7.4-3.oe1.src.rpm
python-aiohttp-3.7.4-4.oe2203.src.rpm
python-aiohttp-3.7.4-4.oe2203sp1.src.rpm
python-aiohttp-3.7.4-4.oe2203sp2.src.rpm
python3-aiohttp-3.7.4-3.oe1.x86_64.rpm
python-aiohttp-debugsource-3.7.4-3.oe1.x86_64.rpm
python-aiohttp-debuginfo-3.7.4-3.oe1.x86_64.rpm
python-aiohttp-help-3.7.4-3.oe1.x86_64.rpm
python-aiohttp-help-3.7.4-3.oe1.x86_64.rpm
python3-aiohttp-3.7.4-3.oe1.x86_64.rpm
python-aiohttp-debugsource-3.7.4-3.oe1.x86_64.rpm
python-aiohttp-debuginfo-3.7.4-3.oe1.x86_64.rpm
python-aiohttp-help-3.7.4-4.oe2203.x86_64.rpm
python3-aiohttp-3.7.4-4.oe2203.x86_64.rpm
python-aiohttp-debuginfo-3.7.4-4.oe2203.x86_64.rpm
python-aiohttp-debugsource-3.7.4-4.oe2203.x86_64.rpm
python3-aiohttp-3.7.4-4.oe2203sp1.x86_64.rpm
python-aiohttp-debuginfo-3.7.4-4.oe2203sp1.x86_64.rpm
python-aiohttp-help-3.7.4-4.oe2203sp1.x86_64.rpm
python-aiohttp-debugsource-3.7.4-4.oe2203sp1.x86_64.rpm
python-aiohttp-debuginfo-3.7.4-4.oe2203sp2.x86_64.rpm
python3-aiohttp-3.7.4-4.oe2203sp2.x86_64.rpm
python-aiohttp-help-3.7.4-4.oe2203sp2.x86_64.rpm
python-aiohttp-debugsource-3.7.4-4.oe2203sp2.x86_64.rpm
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
2023-12-08
CVE-2023-49081
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
High
7.2
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
python-aiohttp security update
2023-12-08
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1900