910575 – (CVE-2023-37276) <dev-python/aiohttp-3.8.5: HTTP request smuggling via llhttp HTTP request parser

Bug 910575 (CVE-2023-37276) - <dev-python/aiohttp-3.8.5: HTTP request smuggling via llhttp HTTP request parser

Summary: <dev-python/aiohttp-3.8.5: HTTP request smuggling via llhttp HTTP request parser

Status:	RESOLVED FIXED

Alias:	CVE-2023-37276

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/aio-libs/aiohttp/s...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	910583
Blocks:
	Show dependency tree

Reported:	2023-07-20 07:30 UTC by filip ambroz
Modified:	2023-08-16 05:34 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description filip ambroz 2023-07-20 07:30:51 UTC

aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.

This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession).

Fix: Patch to v3.8.5

Workaround: Reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation.

Comment 1 Michał Górny archtester

2023-07-20 09:41:15 UTC

Thanks for the report!  I was about to push 3.8.5, just waiting for other bumps to finish testing.

Comment 2 John Helmert III archtester

2023-08-16 05:34:17 UTC

Thanks, all done!