Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-aiohttp for openSUSE:Factory checked in at 2026-06-22 18:05:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-aiohttp (Old)
and /work/SRC/openSUSE:Factory/.python-aiohttp.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-aiohttp" Mon Jun 22 18:05:00 2026 rev:69 rq:1360555 version:3.14.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-aiohttp/python-aiohttp.changes 2026-06-05 14:55:37.752716056 +0200 +++ /work/SRC/openSUSE:Factory/.python-aiohttp.new.1956/python-aiohttp.changes 2026-06-22 18:05:07.920597304 +0200 
@@ -1,0 +2,65 @@ +Tue Jun 16 12:54:58 UTC 2026 - Nico Krapp <[email protected]> + +- Update to 3.14.1 (fixes CVE-2026-50269 (bsc#1268398), + CVE-2026-54273 (bsc#1268543), CVE-2026-54274 (bsc#1268544), + CVE-2026-54275 (bsc#1268549), CVE-2026-54276 (bsc#1268552), + CVE-2026-54277 (bsc#1268556), CVE-2026-54278 (bsc#1268559), + CVE-2026-54279 (bsc#1268560), CVE-2026-54280 (bsc#1268561)) + * fixed a race condition in :py:class:~aiohttp.TCPConnector where closing the + connector while a DNS resolution was in-flight could raise + :py:exc:AttributeError instead of :py:exc:~aiohttp.ClientConnectionError + * Fixed CancelledError not closing a connection + * Tightened up some websocket parser checks + * fixed :class:~aiohttp.CookieJar dropping the host-only flag of cookies + when persisted with :meth:~aiohttp.CookieJar.save and reloaded with + :meth:~aiohttp.CookieJar.load, so a cookie set without a Domain attribute + is again scoped to the exact host that set it after a reload; the absolute + expiration deadline is now persisted as well, so a reloaded cookie keeps + its original lifetime instead of being rescheduled from the load time. 
+ :meth:~aiohttp.CookieJar.load now replaces the jar contents rather than + merging onto prior state, and loaded cookies pass through the same + acceptance rules as :meth:~aiohttp.CookieJar.update_cookies, so a cookie + for an IP-address host is dropped when loaded into a jar created without + unsafe=True + * Scoped :class:~aiohttp.DigestAuthMiddleware credentials to the origin of + the first request it handles, so a redirect to a different origin no longer + triggers a digest response computed from the configured credentials; a + challenge from another origin is only answered when that origin falls + within a protection space advertised by the anchor origin through the RFC + 7616 domain directive + * Fixed the C HTTP parser not enforcing max_line_size on a request target or + response reason phrase that is split across multiple reads; each fragment + was checked on its own, so an accumulated line could exceed the limit + without raising LineTooLong. The accumulated length is now checked, + matching the pure-Python parser + * Changed :class:~aiohttp.TCPConnector to reject legacy non-canonical numeric + IPv4 host forms such as 2130706433, 017700000001 and 127.1 with + :exc:~aiohttp.InvalidUrlClientError; only canonical dotted-quad IPv4 + literals are now treated as IP address literals, while every other host is + sent through the configured resolver + * Fixed :meth:~aiohttp.StreamReader.readany and + :meth:~aiohttp.StreamReader.read_nowait joining data fed back into the + buffer during the call (when draining below the low water mark resumes + reading) into a single unbounded :class:bytes; a call now returns only the + chunks that were buffered when it started, keeping the drain of an unread + auto-decompressed request body bounded by the read buffer + * Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests + buffered per connection on the server; once the queue reaches an internal + limit the parser stops emitting and the transport is paused, 
resuming as + the request handler drains the queue, so a client keeping one handler busy + can no longer accumulate an unbounded backlog of pipelined requests + * Fixed :meth:aiohttp.web.Response.write_eof skipping Payload.close() when + the body write was interrupted by an error or cancellation, for example + when a client disconnects mid-response; the payload close hook now runs in + a finally so a :class:~aiohttp.payload.Payload body always releases its + resources + * Fixed the pure-Python HTTP parser not enforcing max_line_size on a chunk- + size line when the whole line arrived in a single read; the limit was + only applied to chunk-size metadata split across reads. The complete-line + case is now checked too, matching the split-line behavior + * Included the per-request server_hostname override in the + :class:~aiohttp.TCPConnector connection pool key, so a pooled TLS + connection is no longer reused for a request that sets server_hostname to + a different value + +------------------------------------------------------------------- Old: ---- aiohttp-3.14.0.tar.gz New: ---- aiohttp-3.14.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-aiohttp.spec ++++++ --- /var/tmp/diff_new_pack.n8n9gC/_old 2026-06-22 18:05:10.356682301 +0200 +++ /var/tmp/diff_new_pack.n8n9gC/_new 2026-06-22 18:05:10.360682440 +0200 @@ -19,7 +19,7 @@ %bcond_with docs %{?sle15_python_module_pythons} Name: python-aiohttp -Version: 3.14.0 +Version: 3.14.1 Release: 0 Summary: Asynchronous HTTP client/server framework License: Apache-2.0 ++++++ aiohttp-3.14.0.tar.gz -> aiohttp-3.14.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/python-aiohttp/aiohttp-3.14.0.tar.gz /work/SRC/openSUSE:Factory/.python-aiohttp.new.1956/aiohttp-3.14.1.tar.gz differ: char 5, line 1
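Review bot: In the python-aiohttp.changes hunk, the "Update to 3.14.1" line lists nine CVE/bsc pairs in one block, but none of the twelve bullets under it says which CVE it fixes, so someone triaging a single identifier such as CVE-2026-54276 cannot tell from this entry which change to test. Suggest appending the matching CVE and bsc number to each security-relevant bullet. Two bullets also describe behaviour changes that callers may rely on (CookieJar.load "now replaces the jar contents rather than merging onto prior state", and TCPConnector rejecting host forms such as 2130706433 and 127.1 with InvalidUrlClientError); flag those explicitly so maintainers of dependent packages know to check. The first bullet starts with a lowercase "fixed" while the others are capitalised, and the Sphinx roles (:py:class:~aiohttp.TCPConnector and similar) read as noise in a plain-text changelog.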
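Review bot: In the python-aiohttp.spec hunk and the tarball comparison that follows it, the only reviewable change is the Version line going from 3.14.0 to 3.14.1; the new source is reported only as "differ: char 5, line 1", so nothing visible here ties aiohttp-3.14.1.tar.gz to the upstream release. Suggest stating in the request how the tarball was obtained and verified (upstream checksum or signature), since this update is the carrier for all the listed CVE fixes and the reviewer cannot inspect the source from this mail.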
