- Update to 3.13.3:
* Security
+ Brotli and brotlicffi minimum version is now 1.2. Decompression now has
a default maximum output size of 32MiB per decompress call
(bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
+ Check for ASCII in header values
(bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2)
+ Forbid non-ASCII decimals in the Range header
(bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
+ Reject static URLs that traverse outside static root
(bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
+ Raise exceptions when processing a POST body
(bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
+ Enforce client_max_size over entire multipart form
(bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
+ Pause reading of chunks when it reaches a high water mark
(bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
+ Log only once per Cookie header
(bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
* Bug fixes
+ Fixed proxy authorization headers not being passed when reusing a
connection, which caused 407 (Proxy authentication required) errors
+ Fixed multipart reading failing when encountering an empty body part
+ Fixed a case where the parser wasn't raising an exception for a
websocket continuation frame when there was no initial frame in context
* Miscellaneous internal changes
+ Optimized web server performance when access logging is disabled by
reducing time syscalls
+ Added regression test for cached logging status
- Refreshed patch fix-vendoring.patch
OBS-URL: https://build.opensuse.org/request/show/1326279
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-aiohttp?expand=0&rev=63
* Security
+ Brotli and brotlicffi minimum version is now 1.2. Decompression now has
a default maximum output size of 32MiB per decompress call
(bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
+ Forbid non-ASCII decimals in the Range header
(bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
+ Reject static URLs that traverse outside static root
(bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
+ Raise exceptions when processing a POST body
(bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
+ Enforce client_max_size over entire multipart form
(bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
+ Pause reading of chunks when it reaches a high water mark
(bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
+ Log only once per Cookie header
(bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
* Bug fixes
+ Fixed proxy authorization headers not being passed when reusing a
connection, which caused 407 (Proxy authentication required) errors
+ Fixed multipart reading failing when encountering an empty body part
+ Fixed a case where the parser wasn't raising an exception for a
websocket continuation frame when there was no initial frame in context
* Miscellaneous internal changes
+ Optimized web server performance when access logging is disabled by
reducing time syscalls
+ Added regression test for cached logging status
- Refreshed patch fix-vendoring.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=166
* Fixed cookie parser to continue parsing subsequent cookies
when encountering a malformed cookie that fails regex
validation, such as Google's g_state cookie with unescaped
quotes -- by :user:`bdraco`. Related issues and pull requests
on GitHub: :issue:`11632`.
* Fixed loading netrc credentials from the default
:file:`~/.netrc` (:file:`~/_netrc` on Windows) location when
the :envvar:`NETRC` environment variable is not set -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`11713`, :issue:`11714`.
* Fixed WebSocket compressed sends to be cancellation safe.
Tasks are now shielded during compression to prevent
compressor state corruption. This ensures that the stateful
compressor remains consistent even when send operations are
cancelled -- by :user:`bdraco`. Related issues and pull
requests on GitHub: :issue:`11725`.
* Make configuration options in AppRunner also available in
run_app() -- by :user:`Cycloctane`. Related issues and pull
requests on GitHub: :issue:`11633`.
* Switched to backports.zstd for Python <3.14 and fixed zstd
decompression for chunked zstd streams -- by :user:`ZhaoMJ`.
Note: Users who installed zstandard for support on Python
<3.14 will now need to install backports.zstd instead
(installing aiohttp[speedups] will do this automatically).
Related issues and pull requests on GitHub: :issue:`11623`.
* Updated Content-Type header parsing to return
application/octet-stream when header contains invalid syntax.
See RFC 9110. -- by :user:`sgaist`. Related issues and pull
requests on GitHub: :issue:`10889`.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=162
Forwarded request #1298128 from glaubitz
- Update to 3.12.15
* Fixed :class:`~aiohttp.DigestAuthMiddleware` to preserve the algorithm case
from the server's challenge in the authorization response. This improves
compatibility with servers that perform case-sensitive algorithm matching
(e.g., servers expecting ``algorithm=MD5-sess`` instead of ``algorithm=MD5-SESS``)
* Remove outdated contents of ``aiohttp-devtools`` and ``aiohttp-swagger``
from Web_advanced docs.
* Started including the ``llhttp`` :file:`LICENSE` file in wheels by adding
``vendor/llhttp/LICENSE`` to ``license-files`` in :file:`setup.cfg`
* Updated a regex in `test_aiohttp_request_coroutine` for Python 3.14.
OBS-URL: https://build.opensuse.org/request/show/1298363
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-aiohttp?expand=0&rev=59
* Fixed :class:`~aiohttp.DigestAuthMiddleware` to preserve the algorithm case
from the server's challenge in the authorization response. This improves
compatibility with servers that perform case-sensitive algorithm matching
(e.g., servers expecting ``algorithm=MD5-sess`` instead of ``algorithm=MD5-SESS``)
* Remove outdated contents of ``aiohttp-devtools`` and ``aiohttp-swagger``
from Web_advanced docs.
* Started including the ``llhttp`` :file:`LICENSE` file in wheels by adding
``vendor/llhttp/LICENSE`` to ``license-files`` in :file:`setup.cfg`
* Updated a regex in `test_aiohttp_request_coroutine` for Python 3.14.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=156
- update to 3.12.14:
* Fixed file uploads failing with HTTP 422 errors when
encountering 307/308 redirects, and 301/302 redirects for
non-POST methods, by preserving the request body when
appropriate per RFC 9110 -- by :user:`bdraco`. Related issues
and pull requests on GitHub: :issue:`11270`.
* Fixed :py:meth:`ClientSession.close()
<aiohttp.ClientSession.close>` hanging indefinitely when
using HTTPS requests through HTTP proxies -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`11273`.
* Bumped minimum version of aiosignal to 1.4+ to resolve typing
issues -- by :user:`Dreamsorcerer`. Related issues and pull
requests on GitHub: :issue:`11280`.
* Added initial trailer parsing logic to Python HTTP parser --
by :user:`Dreamsorcerer`. Related issues and pull requests on
GitHub: :issue:`11269`.
* Clarified exceptions raised by WebSocketResponse.send_frame
et al. -- by :user:`DoctorJohn`. Related issues and pull
requests on GitHub: :issue:`11234`.
OBS-URL: https://build.opensuse.org/request/show/1294222
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-aiohttp?expand=0&rev=57
* Fixed file uploads failing with HTTP 422 errors when
encountering 307/308 redirects, and 301/302 redirects for
non-POST methods, by preserving the request body when
appropriate per RFC 9110 -- by :user:`bdraco`. Related issues
and pull requests on GitHub: :issue:`11270`.
* Fixed :py:meth:`ClientSession.close()
<aiohttp.ClientSession.close>` hanging indefinitely when
using HTTPS requests through HTTP proxies -- by
:user:`bdraco`. Related issues and pull requests on GitHub:
:issue:`11273`.
* Bumped minimum version of aiosignal to 1.4+ to resolve typing
issues -- by :user:`Dreamsorcerer`. Related issues and pull
requests on GitHub: :issue:`11280`.
* Added initial trailer parsing logic to Python HTTP parser --
by :user:`Dreamsorcerer`. Related issues and pull requests on
GitHub: :issue:`11269`.
* Clarified exceptions raised by WebSocketResponse.send_frame
et al. -- by :user:`DoctorJohn`. Related issues and pull
requests on GitHub: :issue:`11234`.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=149
- Add remove-isal-test-dep.patch to remove python-isal test
dependency, that's not part of Factory yet.
- Update to 3.12.13
* Optimized web server performance when access logging is disabled
by reducing time syscalls
* Improved performance of the WebSocket reader
* Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop
and newer Python versions
* Added a comprehensive HTTP Digest Authentication client middleware
(DigestAuthMiddleware) that implements RFC 7616.
* Fixed pytest plugin to not use deprecated asyncio policy APIs.
* Allow user setting zlib compression backend
* Added host parameter to aiohttp_server fixture
* Added socket_factory to aiohttp.TCPConnector to allow specifying
custom socket options
* Upgraded to LLHTTP 9.3.0
* Optimized small HTTP requests/responses by coalescing headers and
body into a single TCP packet
* Removed non SPDX-license description from setup.cfg
* Added support for building against system llhttp library
* Fixed compatibility issue with Cython 3.1.1
* Added support for reusable request bodies to enable retries,
redirects, and digest authentication
* Improved performance of isinstance checks by using collections.abc
types instead of typing module equivalents
* Added ssl_shutdown_timeout parameter to aiohttp.ClientSession and
aiohttp.TCPConnector to control the grace period for SSL shutdown
handshake on TLS connections.
* Downgraded the logging level for connector close errors from ERROR
OBS-URL: https://build.opensuse.org/request/show/1289166
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-aiohttp?expand=0&rev=56
* Optimized web server performance when access logging is disabled
by reducing time syscalls
* Improved performance of the WebSocket reader
* Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop
and newer Python versions
* Added a comprehensive HTTP Digest Authentication client middleware
(DigestAuthMiddleware) that implements RFC 7616.
* Fixed pytest plugin to not use deprecated asyncio policy APIs.
* Allow user setting zlib compression backend
* Added host parameter to aiohttp_server fixture
* Added socket_factory to aiohttp.TCPConnector to allow specifying
custom socket options
* Upgraded to LLHTTP 9.3.0
* Optimized small HTTP requests/responses by coalescing headers and
body into a single TCP packet
* Removed non SPDX-license description from setup.cfg
* Added support for building against system llhttp library
* Fixed compatibility issue with Cython 3.1.1
* Added support for reusable request bodies to enable retries,
redirects, and digest authentication
* Improved performance of isinstance checks by using collections.abc
types instead of typing module equivalents
* Added ssl_shutdown_timeout parameter to aiohttp.ClientSession and
aiohttp.TCPConnector to control the grace period for SSL shutdown
handshake on TLS connections.
* Downgraded the logging level for connector close errors from ERROR
to DEBUG, as these are expected behavior with TLS 1.3 connections
* Fixed cookie parsing to be more lenient when handling cookies with
special characters in names or values
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-aiohttp?expand=0&rev=146