aiohttp bundled with Python is outdated/vulnerable.
Activity
Michael Kimling 11 hours ago
Reviewing the list, it seems all but the earliest two are patched in the
3.7.4-1+deb11u1 release.
Vulnerability Insight
aiohttp.web.Application is vulnerable to HTTP request smuggling via llhttp
HTTP request parser. aiohttp is bundled with llhttp which is vulnerable to
CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request
parser when available which is the default case when installing from a
wheel.
Either way, 13.0-U6.7 is using:
pkg info | grep aiohttp
py39-aiohttp-3.7.4.p0 Async http client/server framework (asyncio)
It doesn't appear that 3.7.4-1+deb11u1 would be present in this version, as
it was released after U6.7 was released.
Michael Kimling 11 hours ago
CVE-2023-30589
CVE-2023-37276
CVE-2023-47627
CVE-2023-47641
CVE-2023-49081
CVE-2023-49082
CVE-2024-23334
CVE-2024-23829
CVE-2024-27306
CVE-2024-30251
Andrew Walker yesterday
What are the specific CVEs you're concerned about? As you can see here, the Debian project actively backports security fixes, and some security tools aren't quite smart enough to know what fixes are backported into what version.
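The point made in the comment above (a version-only scanner sees upstream 3.7.4 < 3.9.2 and cannot know what a Debian backport such as 3.7.4-1+deb11u1 closed) can be checked mechanically by reading the package's own changelog instead of its version number. The script below is an added example and is not part of this bug report, of TrueNAS, of Debian tooling, or of the scanner that produced the finding. The changelog excerpt it parses is constructed for the example: its list of CVEs follows the earlier comment's claim that "all but the earliest two" are fixed in 3.7.4-1+deb11u1, and is not the real python-aiohttp changelog; the maintainer name and dates are placeholders.

```python
"""Reconcile scanner CVE findings against a Debian package changelog.

Added example, not code from the bug report, TrueNAS, Debian or the scanner.
A Debian backport keeps the upstream version (3.7.4) and records the CVEs it
closes in the changelog, so the useful check is "which CVEs does the
changelog for the installed revision claim", not "is 3.7.4 < 3.9.2".
"""
import re

# CVEs as listed by the reporter in the thread above.
SCANNER_CVES = [
    "CVE-2023-30589", "CVE-2023-37276", "CVE-2023-47627", "CVE-2023-47641",
    "CVE-2023-49081", "CVE-2023-49082", "CVE-2024-23334", "CVE-2024-23829",
    "CVE-2024-27306", "CVE-2024-30251",
]

# CONSTRUCTED changelog excerpt in Debian changelog format (newest entry first).
# The CVE assignment mirrors the comment "all but the earliest two are patched";
# it is an assumption for the example, not the real python-aiohttp changelog.
SAMPLE_CHANGELOG = """\
python-aiohttp (3.7.4-1+deb11u1) bullseye-security; urgency=high

  * Backport fixes for CVE-2023-47627, CVE-2023-47641, CVE-2023-49081,
    CVE-2023-49082, CVE-2024-23334, CVE-2024-23829, CVE-2024-27306,
    CVE-2024-30251

 -- Example Maintainer <maintainer@example.org>  Mon, 01 Jan 2024 00:00:00 +0000

python-aiohttp (3.7.4-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Fri, 01 Jan 2021 00:00:00 +0000
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Entry header: "<source> (<version>) <distribution>; urgency=..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+);", re.MULTILINE)


def upstream_version(debian_version: str) -> str:
    """Strip the epoch ('1:') and the Debian revision ('-1+deb11u1')."""
    no_epoch = debian_version.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0]


def version_key(version: str) -> tuple:
    """Dotted-numeric sort key; sufficient for versions like 3.7.4 (assumption)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def naive_scanner_flags(installed: str, fixed_upstream: str) -> bool:
    """What a version-only scanner does: compare upstream numbers, ignore backports."""
    return version_key(upstream_version(installed)) < version_key(fixed_upstream)


def parse_changelog(text: str) -> list:
    """Return [(version, {cves}), ...] in file order (Debian changelogs are newest-first)."""
    matches = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append((m.group(2), set(CVE_RE.findall(text[m.end():end]))))
    return entries


def cves_fixed_in(changelog_text: str, installed: str) -> set:
    """CVEs named in the installed revision's entry and every older entry.

    If the installed revision has no entry at all, the changelog vouches for
    nothing and every scanner finding stays open.
    """
    entries = parse_changelog(changelog_text)
    versions = [v for v, _ in entries]
    if installed not in versions:
        return set()
    fixed = set()
    for _, cves in entries[versions.index(installed):]:
        fixed |= cves
    return fixed


def reconcile(scanner_cves, installed: str, changelog_text: str):
    """Split the scanner's CVEs into (closed by the changelog, still open)."""
    fixed = cves_fixed_in(changelog_text, installed)
    flagged = set(scanner_cves)
    return flagged & fixed, flagged - fixed


if __name__ == "__main__":
    installed = "3.7.4-1+deb11u1"
    print("version-only verdict:", naive_scanner_flags(installed, "3.9.2"))
    closed, still_open = reconcile(SCANNER_CVES, installed, SAMPLE_CHANGELOG)
    print("closed by backport:", sorted(closed))
    print("still open:", sorted(still_open))
```

On a Debian-based host the real input is the installed package's changelog (typically /usr/share/doc/<package>/changelog.Debian.gz, or `apt-get changelog <package>`), and the result only speaks for the package whose changelog you feed it; the `pkg info` output quoted earlier in the thread comes from a different packaging system and needs its own source of truth.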
Bug Clerk 2 days ago
Thank you for submitting this TrueNAS Bug Report! So that we can quickly investigate your issue, please attach a Debug file and any other information related to this issue through our secure and private upload service below. Debug files can be generated in the UI by navigating to System -> Advanced -> Save Debug.
https://ixsystems.atlassian.net/servicedesk/customer/portal/15/group/37/create/153
Description
Vulnerability Detection Result
Installed version: 3.7.4
Fixed version: 3.9.2
Installation path / port: 6000/tcp
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2