SUSE-SU-2024:0577-1

This update for python-aiohttp, python-time-machine fixes the following issues:

python-aiohttp was updated to version 3.9.3:

• Fixed backwards compatibility breakage (in 3.9.2) of ssl parameter when set outside of ClientSession (e.g. directly in TCPConnector)
• Improved test suite handling of paths and temp files to consistently use pathlib and pytest fixtures.

From version 3.9.2 (bsc#1219341, CVE-2024-23334, bsc#1219342, CVE-2024-23829):

• Fixed server-side websocket connection leak.
• Fixed web.FileResponse doing blocking I/O in the event loop.
• Fixed double compress when compression enabled and compressed file exists in server file responses.
• Added runtime type check for ClientSession timeout parameter.
• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.
• Improved validation of paths for static resources requests to the server.
• Added support for passing :py:data:True to ssl parameter in ClientSession while deprecating :py:data:None.
• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon.
• Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document.
• The Sphinx setup was updated to avoid showing the empty changelog draft section in the tagged release documentation builds on Read The Docs.
• The changelog categorization was made clearer. The contributors can now mark their fragment files more accurately.
• Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov.

• Replaced all tmpdir fixtures with tmp_path in test suite.

• Disable broken tests with openssl 3.2 and python < 3.11 bsc#1217782

update to 3.9.1:

• Fixed importing aiohttp under PyPy on Windows.
• Fixed async concurrency safety in websocket compressor.
• Fixed ClientResponse.close() releasing the connection instead of closing.
• Fixed a regression where connection may get closed during upgrade. -- by :user:Dreamsorcerer
• Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:Dreamsorcerer

update to 3.9.0: (bsc#1217684, CVE-2023-49081, bsc#1217682, CVE-2023-49082)

• Introduced AppKey for static typing support of Application storage.
• Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
• Added handler_cancellation_ parameter to cancel web handler on client disconnection.
• This (optionally) reintroduces a feature removed in a previous release.
• Recommended for those looking for an extra level of protection against denial-of-service attacks.
• Added support for setting response header parameters max_line_size and max_field_size.
• Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress.
• Changed raise_for_status to allow a coroutine.
• Added client brotli compression support (optional with runtime check).
• Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.
• Added a middleware type alias aiohttp.typedefs.Middleware.
• Exported HTTPMove which can be used to catch any redirection request that has a location -- :user:dreamsorcerer.
• Changed the path parameter in web.run_app() to accept a pathlib.Path object.
• Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.
• Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().
• Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.
• Added support for passing a custom server name parameter to HTTPS connection.
• Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the
• :py:class:~aiohttp.ClientSession trust_env argument is set to True. -- by :user:yuvipanda.
• Turned access log into no-op when the logger is disabled.
• Added typing information to RawResponseMessage. -- by :user:Gobot1234
• Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).
• Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).
• Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.
• Allow link argument to be set to None/empty in HTTP 451 exception.
• Fixed client timeout not working when incoming data is always available without waiting. -- by :user:Dreamsorcerer.
• Fixed readuntil to work with a delimiter of more than one character.
• Added __repr__ to EmptyStreamReader to avoid AttributeError.
• Fixed bug when using TCPConnector with ttl_dns_cache=0.
• Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer
• Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.
• Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro
• Fixed missing query in tracing method URLs when using yarl 1.9+.
• Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.
• Fixed EmptyStreamReader.iter_chunks() never ending.
• Fixed a rare RuntimeError: await wasn't used with future exception.
• Fixed issue with insufficient HTTP method and version validation.
• Added check to validate that absolute URIs have schemes.
• Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.
• Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.
• Fixed Python HTTP parser not treating 204/304/1xx as an empty body.
• Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.
• Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:Dreamsorcerer
• Edge Case Handling for ResponseParser for missing reason value.
• Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.
• Added HTTP method validation.
• Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer
• Performance: Fixed increase in latency with small messages from websocket compression changes.
• Improved Documentation
• Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.
• Added information on behavior of base_url parameter in ClientSession.
• Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.
• Dropped Python 3.6 support.
• Dropped Python 3.7 support. -- by :user:Dreamsorcerer
• Removed support for abandoned tokio event loop.
• Made print argument in run_app() optional.
• Improved performance of ceil_timeout in some cases.
• Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer
• Improved import time by replacing http.server with http.HTTPStatus.
• Fixed annotation of ssl parameter to disallow True.

update to 3.8.6 (bsc#1217181, CVE-2023-47627):

• Security bugfixes
• https://github.com/aio-libs/aiohttp/security/advisories/GHSA- pjjw-qhg8-p2p9.
• https://github.com/aio-libs/aiohttp/security/advisories/GHSA- gfw2-4jvh-wgfg.
• Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use `fallbackcharsetresolver the client
• Fixed PermissionError when .netrc is unreadable due to permissions.
• Fixed output of parsing errors
• Fixed sorting in filter_cookies to use cookie with longest path.

Release 3.8.0 (2021-10-31) (bsc#1217174, CVE-2023-47641)