aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0. https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2
Created python-aiohttp tracking bugs for this issue: Affects: fedora-all [bug 2252236]
Created python-aiohttp tracking bugs for this issue: Affects: epel-all [bug 2252239]
FEDORA-2023-d5bd6b62e4 has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057
This issue has been addressed in the following products: Red Hat Satellite 6.14 for RHEL 8 Via RHSA-2024:1536 https://access.redhat.com/errata/RHSA-2024:1536
This issue has been addressed in the following products: RHUI 4 for RHEL 8 Via RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878
This issue has been addressed in the following products: Red Hat Satellite 6.15 for RHEL 8 Via RHSA-2024:2010 https://access.redhat.com/errata/RHSA-2024:2010