Hello community,

here is the log from the commit of package python-aiohttp for openSUSE:Factory 
checked in at 2026-06-22 18:05:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-aiohttp (Old)
 and      /work/SRC/openSUSE:Factory/.python-aiohttp.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-aiohttp"

Mon Jun 22 18:05:00 2026 rev:69 rq:1360555 version:3.14.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-aiohttp/python-aiohttp.changes    
2026-06-05 14:55:37.752716056 +0200
+++ /work/SRC/openSUSE:Factory/.python-aiohttp.new.1956/python-aiohttp.changes  
2026-06-22 18:05:07.920597304 +0200
@@ -1,0 +2,65 @@
+Tue Jun 16 12:54:58 UTC 2026 - Nico Krapp <[email protected]>
+
+- Update to 3.14.1 (fixes CVE-2026-50269 (bsc#1268398),
+  CVE-2026-54273 (bsc#1268543), CVE-2026-54274 (bsc#1268544),
+  CVE-2026-54275 (bsc#1268549), CVE-2026-54276 (bsc#1268552),
+  CVE-2026-54277 (bsc#1268556), CVE-2026-54278 (bsc#1268559),
+  CVE-2026-54279 (bsc#1268560), CVE-2026-54280 (bsc#1268561))
+  * fixed a race condition in :py:class:~aiohttp.TCPConnector where closing the
+    connector while a DNS resolution was in-flight could raise
+    :py:exc:AttributeError instead of :py:exc:~aiohttp.ClientConnectionError
+  * Fixed CancelledError not closing a connection
+  * Tightened up some websocket parser checks
+  * fixed :class:~aiohttp.CookieJar dropping the host-only flag of cookies
+    when persisted with :meth:~aiohttp.CookieJar.save and reloaded with
+    :meth:~aiohttp.CookieJar.load, so a cookie set without a Domain attribute
+    is again scoped to the exact host that set it after a reload; the absolute
+    expiration deadline is now persisted as well, so a reloaded cookie keeps
+    its original lifetime instead of being rescheduled from the load time.
+    :meth:~aiohttp.CookieJar.load now replaces the jar contents rather than
+    merging onto prior state, and loaded cookies pass through the same
+    acceptance rules as :meth:~aiohttp.CookieJar.update_cookies, so a cookie
+    for an IP-address host is dropped when loaded into a jar created without
+    unsafe=True
+  * Scoped :class:~aiohttp.DigestAuthMiddleware credentials to the origin of
+    the first request it handles, so a redirect to a different origin no longer
+    triggers a digest response computed from the configured credentials; a
+    challenge from another origin is only answered when that origin falls
+    within a protection space advertised by the anchor origin through the RFC
+    7616 domain directive
+  * Fixed the C HTTP parser not enforcing max_line_size on a request target or
+    response reason phrase that is split across multiple reads; each fragment
+    was checked on its own, so an accumulated line could exceed the limit
+    without raising LineTooLong. The accumulated length is now checked,
+    matching the pure-Python parser
+  * Changed :class:~aiohttp.TCPConnector to reject legacy non-canonical numeric
+    IPv4 host forms such as 2130706433, 017700000001 and 127.1 with
+    :exc:~aiohttp.InvalidUrlClientError; only canonical dotted-quad IPv4
+    literals are now treated as IP address literals, while every other host is
+    sent through the configured resolver
+  * Fixed :meth:~aiohttp.StreamReader.readany and
+    :meth:~aiohttp.StreamReader.read_nowait joining data fed back into the
+    buffer during the call (when draining below the low water mark resumes
+    reading) into a single unbounded :class:bytes; a call now returns only the
+    chunks that were buffered when it started, keeping the drain of an unread
+    auto-decompressed request body bounded by the read buffer
+  * Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests
+    buffered per connection on the server; once the queue reaches an internal
+    limit the parser stops emitting and the transport is paused, resuming as
+    the request handler drains the queue, so a client keeping one handler busy
+    can no longer accumulate an unbounded backlog of pipelined requests
+  * Fixed :meth:aiohttp.web.Response.write_eof skipping Payload.close() when
+    the body write was interrupted by an error or cancellation, for example
+    when a client disconnects mid-response; the payload close hook now runs in
+    a finally so a :class:~aiohttp.payload.Payload body always releases its
+    resources
+  * Fixed the pure-Python HTTP parser not enforcing max_line_size on a chunk-
+    size line when the whole line arrived in a single read; the limit was
+    only applied to chunk-size metadata split across reads. The complete-line
+    case is now checked too, matching the split-line behavior
+  * Included the per-request server_hostname override in the
+    :class:~aiohttp.TCPConnector connection pool key, so a pooled TLS
+    connection is no longer reused for a request that sets server_hostname to
+    a different value
+
+-------------------------------------------------------------------
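
Review bot: the nine CVE/bsc pairs in the header of the "Update to 3.14.1" entry are not tied to any of the twelve bullets beneath it, so a reader triaging one of them (for example bsc#1268398) cannot tell which fix closes it. Suggest appending the matching CVE and bsc number to each bullet that addresses one, so it is also clear which bullets are not security fixes. The bullets also carry upstream Sphinx roles with the backticks stripped (for example ":py:class:~aiohttp.TCPConnector") and mix "fixed" with "Fixed"; plain names such as aiohttp.TCPConnector and one capitalisation would read better in a .changes file. Two bullets describe behaviour changes that callers can notice (TCPConnector now rejecting hosts such as 127.1 with InvalidUrlClientError, and CookieJar.load replacing the jar contents rather than merging), which is worth flagging for dependent packages.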

Old:
----
  aiohttp-3.14.0.tar.gz

New:
----
  aiohttp-3.14.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-aiohttp.spec ++++++
--- /var/tmp/diff_new_pack.n8n9gC/_old  2026-06-22 18:05:10.356682301 +0200
+++ /var/tmp/diff_new_pack.n8n9gC/_new  2026-06-22 18:05:10.360682440 +0200
@@ -19,7 +19,7 @@
 %bcond_with docs
 %{?sle15_python_module_pythons}
 Name:           python-aiohttp
-Version:        3.14.0
+Version:        3.14.1
 Release:        0
 Summary:        Asynchronous HTTP client/server framework
 License:        Apache-2.0

++++++ aiohttp-3.14.0.tar.gz -> aiohttp-3.14.1.tar.gz ++++++
/work/SRC/openSUSE:Factory/python-aiohttp/aiohttp-3.14.0.tar.gz 
/work/SRC/openSUSE:Factory/.python-aiohttp.new.1956/aiohttp-3.14.1.tar.gz 
differ: char 5, line 1
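
Review bot: the tarball replacement is recorded only as "differ: char 5, line 1", so nothing in this mail lets a reviewer confirm that aiohttp-3.14.1.tar.gz is the upstream release artifact. The spec context shown (lines 19 to 25) does not include the Source lines, so please confirm in the request that the archive was checked against the upstream checksum or signature before acceptance.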
