Accepting request 1326279 from devel:languages:python

- Update to 3.13.3: * Security + Brotli and brotlicffi minimum version is now 1.2. Decompression now has a default maximum output size of 32MiB per decompress call (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg) + Check for ASCII in header values (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2) + Forbid non-ASCII decimals in the Range header (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8) + Reject static URLs that traverse outside static root (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76) + Raise exceptions when processing a POST body (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23) + Enforce client_max_size over entire multipart form (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf) + Pause reading of chunks when it reaches a high water mark (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq) + Log only once per Cookie header (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g) * Bug fixes + Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors + Fixed multipart reading failing when encountering an empty body part + Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context * Miscellaneous internal changes + Optimized web server performance when access logging is disabled by reducing time syscalls + Added regression test for cached logging status - Refreshed patch fix-vendoring.patch OBS-URL: https://build.opensuse.org/request/show/1326279 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-aiohttp?expand=0&rev=63
2026-01-09 16:03:10 +00:00
parent 8f8eb378f9 d5e817803c
commit 7aefc44bc2
5 changed files with 57 additions and 19 deletions
--- a/aiohttp-3.13.2.tar.gz
+++ b/aiohttp-3.13.2.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:40176a52c186aefef6eb3cad2cdd30cd06e3afbe88fe8ab2af9c0b90f228daca
-size 7837994
--- a/aiohttp-3.13.3.tar.gz
+++ b/aiohttp-3.13.3.tar.gz
--- a/fix-vendoring.patch
+++ b/fix-vendoring.patch
@@ -1,6 +1,8 @@
--- a/Makefile.orig	2025-10-16 13:56:38.297077787 +0200
-+++ b/Makefile	2025-10-16 13:59:43.532929894 +0200
-@@ -47,10 +47,8 @@
+Index: aiohttp-3.13.3/Makefile
+===================================================================
+--- aiohttp-3.13.3.orig/Makefile
+++ aiohttp-3.13.3/Makefile
+@@ -47,10 +47,8 @@ endif
 .SECONDARY: $(call to-hash,$(ALLS))
 
 .update-pip:
@@ -11,7 +13,7 @@
 	@touch .install-cython
 
 aiohttp/_find_header.c: $(call to-hash,aiohttp/hdrs.py ./tools/gen.py)
-@@ -85,7 +83,6 @@
+@@ -85,7 +83,6 @@ cythonize: .install-cython $(PYXS:.pyx=.
 cythonize-nodeps: $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c
 
 .install-deps: .install-cython $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c $(call to-hash,$(CYS) $(REQS))
@@ -19,7 +21,7 @@
 	@touch .install-deps
 
 .PHONY: lint
-@@ -100,7 +97,6 @@
+@@ -100,7 +97,6 @@ mypy:
 	mypy
 
 .develop: .install-deps generate-llhttp $(call to-hash,$(PYS) $(CYS) $(CS))
@@ -27,7 +29,7 @@
 	@touch .develop
 
 .PHONY: test
-@@ -110,12 +106,12 @@
+@@ -110,12 +106,12 @@ test: .develop
 .PHONY: vtest
 vtest: .develop
 	@pytest -s -v
@@ -42,7 +44,7 @@
 
 
 define run_tests_in_docker
-@@ -151,7 +147,7 @@
+@@ -151,7 +147,7 @@ clean:
 	@rm -rf build
 	@rm -rf cover
 	@make -C docs clean
@@ -51,7 +53,7 @@
 	@rm -f aiohttp/*.so
 	@rm -f aiohttp/*.pyd
 	@rm -f aiohttp/*.html
-@@ -182,7 +178,6 @@
+@@ -182,7 +178,6 @@ doc-spelling:
 
 .PHONY: install
 install: .update-pip
@@ -59,14 +61,16 @@
 
 .PHONY: install-dev
 install-dev: .develop
-@@ -190,4 +185,4 @@
+@@ -190,4 +185,4 @@ install-dev: .develop
 .PHONY: sync-direct-runtime-deps
 sync-direct-runtime-deps:
- 	@echo Updating 'requirements/runtime-deps.in' from 'setup.cfg'... >&2
+ 	@echo Updating 'requirements/runtime-deps.in' from 'pyproject.toml'... >&2
 -	@python requirements/sync-direct-runtime-deps.py
 +	python3 requirements/sync-direct-runtime-deps.py
--- a/tools/gen.py.orig	2025-10-16 14:00:10.257485651 +0200
-+++ a/tools/gen.py	2025-10-16 14:00:18.604659234 +0200
+Index: aiohttp-3.13.3/tools/gen.py
+===================================================================
+--- aiohttp-3.13.3.orig/tools/gen.py
+++ aiohttp-3.13.3/tools/gen.py
@@ -1,4 +1,4 @@
 -#!/usr/bin/env python
 +#!/usr/bin/python3
--- a/python-aiohttp.changes
+++ b/python-aiohttp.changes
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Fri Jan  9 01:40:14 UTC 2026 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 3.13.3:
+  * Security
+    + Brotli and brotlicffi minimum version is now 1.2. Decompression now has
+      a default maximum output size of 32MiB per decompress call
+      (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
+    + Check for ASCII in header values
+      (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2)
+    + Forbid non-ASCII decimals in the Range header
+      (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
+    + Reject static URLs that traverse outside static root
+      (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
+    + Raise exceptions when processing a POST body
+      (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
+    + Enforce client_max_size over entire multipart form
+      (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
+    + Pause reading of chunks when it reaches a high water mark
+      (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
+    + Log only once per Cookie header
+      (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
+  * Bug fixes
+    + Fixed proxy authorization headers not being passed when reusing a
+      connection, which caused 407 (Proxy authentication required) errors
+    + Fixed multipart reading failing when encountering an empty body part
+    + Fixed a case where the parser wasn't raising an exception for a
+      websocket continuation frame when there was no initial frame in context
+  * Miscellaneous internal changes
+    + Optimized web server performance when access logging is disabled by
+      reducing time syscalls
+    + Added regression test for cached logging status
+- Refreshed patch fix-vendoring.patch
+
 -------------------------------------------------------------------
 Fri Nov 14 03:13:57 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>

--- a/python-aiohttp.spec
+++ b/python-aiohttp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-aiohttp
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %bcond_with docs
 %{?sle15_python_module_pythons}
 Name:           python-aiohttp
-Version:        3.13.2
+Version:        3.13.3
 Release:        0
 Summary:        Asynchronous HTTP client/server framework
 License:        Apache-2.0
@@ -42,7 +42,7 @@ Requires:       python-frozenlist >= 1.1.1
 Requires:       (python-charset-normalizer >= 2.0 with python-charset-normalizer < 4)
 Requires:       (python-multidict >= 4.5 with python-multidict < 7)
 Requires:       (python-yarl >= 1.17.0 with python-yarl < 2)
-Recommends:     python-Brotli
+Recommends:     python-Brotli >= 1.2
 Recommends:     python-aiodns
 Recommends:     python-cChardet
 Suggests:       %{name}-doc
@@ -65,7 +65,7 @@ BuildRequires:  %{python_module multidict >= 4.5 with %python-multidict < 7}
 BuildRequires:  %{python_module yarl >= 1.17.0 with %python-yarl < 2}
 # /SECTION
 # SECTION test requirements
-BuildRequires:  %{python_module Brotli}
+BuildRequires:  %{python_module Brotli >= 1.2}
 BuildRequires:  %{python_module blockbuster}
 BuildRequires:  %{python_module freezegun}
 BuildRequires:  %{python_module gunicorn}