- Update to 3.13.3:

* Security + Brotli and brotlicffi minimum version is now 1.2. Decompression now has a default maximum output size of 32MiB per decompress call (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg) + Check for ASCII in header values (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2) + Forbid non-ASCII decimals in the Range header (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8) + Reject static URLs that traverse outside static root (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76) + Raise exceptions when processing a POST body (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23) + Enforce client_max_size over entire multipart form (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf) + Pause reading of chunks when it reaches a high water mark (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq) + Log only once per Cookie header (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g) * Bug fixes + Fixed proxy authorization headers not being passed when reusing a connection, which caused 407 (Proxy authentication required) errors + Fixed multipart reading failing when encountering an empty body part + Fixed a case where the parser wasn't raising an exception for a websocket continuation frame when there was no initial frame in context * Miscellaneous internal changes + Optimized web server performance when access logging is disabled by reducing time syscalls + Added regression test for cached logging status - Refreshed patches fix-vendoring.patch - Add patch remove-freethreading-cython-option.patch: * Drop newer Cython command line option.
2026-01-28 16:02:27 +11:00
parent 2702a0e6e2
commit b16665bdf7
8 changed files with 347 additions and 24 deletions
--- a/python-aiohttp.changes
+++ b/python-aiohttp.changes
@@ -1,3 +1,198 @@
+-------------------------------------------------------------------
+Wed Jan 28 04:50:29 UTC 2026 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 3.13.3:
+  * Security
+    + Brotli and brotlicffi minimum version is now 1.2. Decompression now has
+      a default maximum output size of 32MiB per decompress call
+      (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
+    + Check for ASCII in header values
+      (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2)
+    + Forbid non-ASCII decimals in the Range header
+      (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
+    + Reject static URLs that traverse outside static root
+      (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
+    + Raise exceptions when processing a POST body
+      (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
+    + Enforce client_max_size over entire multipart form
+      (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
+    + Pause reading of chunks when it reaches a high water mark
+      (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
+    + Log only once per Cookie header
+      (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
+  * Bug fixes
+    + Fixed proxy authorization headers not being passed when reusing a
+      connection, which caused 407 (Proxy authentication required) errors
+    + Fixed multipart reading failing when encountering an empty body part
+    + Fixed a case where the parser wasn't raising an exception for a
+      websocket continuation frame when there was no initial frame in context
+  * Miscellaneous internal changes
+    + Optimized web server performance when access logging is disabled by
+      reducing time syscalls
+    + Added regression test for cached logging status
+- Refreshed patches fix-vendoring.patch
+- Add patch remove-freethreading-cython-option.patch:
+  * Drop newer Cython command line option.
+
+-------------------------------------------------------------------
+Fri Nov 14 03:13:57 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Skip a test broken by idna 3.11.
+
+-------------------------------------------------------------------
+Mon Nov  3 11:51:55 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.13.2:
+  * Fixed cookie parser to continue parsing subsequent cookies
+    when encountering a malformed cookie that fails regex
+    validation, such as Google's g_state cookie with unescaped
+    quotes -- by :user:`bdraco`. Related issues and pull requests
+    on GitHub: :issue:`11632`.
+  * Fixed loading netrc credentials from the default
+    :file:`~/.netrc` (:file:`~/_netrc` on Windows) location when
+    the :envvar:`NETRC` environment variable is not set -- by
+    :user:`bdraco`. Related issues and pull requests on GitHub:
+    :issue:`11713`, :issue:`11714`.
+  * Fixed WebSocket compressed sends to be cancellation safe.
+    Tasks are now shielded during compression to prevent
+    compressor state corruption. This ensures that the stateful
+    compressor remains consistent even when send operations are
+    cancelled -- by :user:`bdraco`. Related issues and pull
+    requests on GitHub: :issue:`11725`.
+  * Make configuration options in AppRunner also available in
+    run_app() -- by :user:`Cycloctane`. Related issues and pull
+    requests on GitHub: :issue:`11633`.
+  * Switched to backports.zstd for Python <3.14 and fixed zstd
+    decompression for chunked zstd streams -- by :user:`ZhaoMJ`.
+    Note: Users who installed zstandard for support on Python
+    <3.14 will now need to install backports.zstd instead
+    (installing aiohttp[speedups] will do this automatically).
+    Related issues and pull requests on GitHub: :issue:`11623`.
+  * Updated Content-Type header parsing to return
+    application/octet-stream when header contains invalid syntax.
+    See RFC 9110. -- by :user:`sgaist`. Related issues and pull
+    requests on GitHub: :issue:`10889`.
+  * Fixed Python 3.14 support when built without zstd support --
+    by :user:`JacobHenner`. Related issues and pull requests on
+    GitHub: :issue:`11603`.
+  * Fixed blocking I/O in the event loop when using netrc
+    authentication by moving netrc file lookup to an executor --
+    by :user:`bdraco`. Related issues and pull requests on
+    GitHub: :issue:`11634`.
+  * Fixed routing to a sub-application added via .add_domain()
+    not working if the same path exists on the parent app. -- by
+    :user:`Dreamsorcerer`. Related issues and pull requests on
+    GitHub: :issue:`11673`.
+  * Moved core packaging metadata from :file:`setup.cfg` to
+    :file:`pyproject.toml` per PEP 621 -- by :user:`cdce8p`.
+    Related issues and pull requests on GitHub: :issue:`9951`.
+
+-------------------------------------------------------------------
+Thu Oct 16 21:40:07 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Add fix-vendoring.patch
+
+-------------------------------------------------------------------
+Thu Oct 16 14:06:37 UTC 2025 - Adrian Schröter <adrian@suse.de>
+
+- Update to 3.13.0
+  Details: https://github.com/aio-libs/aiohttp/releases/tag/v3.13.0
+  * python 3.14 support
+  * zstd support
+- drop remove-isal-test-dep.patch
+- "make cythonize" is required as poetry is not supporting cython
+- add vendor-llhttp.tar.gz of new git submodule. 
+  added downloaded nodejs modules
+
+-------------------------------------------------------------------
+Thu Aug  7 11:36:47 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 3.12.15
+  * Fixed :class:`~aiohttp.DigestAuthMiddleware` to preserve the algorithm case
+    from the server's challenge in the authorization response. This improves
+    compatibility with servers that perform case-sensitive algorithm matching
+    (e.g., servers expecting ``algorithm=MD5-sess`` instead of ``algorithm=MD5-SESS``)
+  * Remove outdated contents of ``aiohttp-devtools`` and ``aiohttp-swagger``
+    from Web_advanced docs.
+  * Started including the ``llhttp`` :file:`LICENSE` file in wheels by adding
+    ``vendor/llhttp/LICENSE`` to ``license-files`` in :file:`setup.cfg`
+  * Updated a regex in `test_aiohttp_request_coroutine` for Python 3.14.
+
+-------------------------------------------------------------------
+Mon Jul 28 08:16:17 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
+
+- Add remove-zlib-ng-test-dep.patch to remove python-zlib-ng test
+  dependency
+- enable test_leaks again, works with limited threads
+
+-------------------------------------------------------------------
+Mon Jul 14 15:17:06 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.12.14:
+  * Fixed file uploads failing with HTTP 422 errors when
+    encountering 307/308 redirects, and 301/302 redirects for
+    non-POST methods, by preserving the request body when
+    appropriate per RFC 9110 -- by :user:`bdraco`. Related issues
+    and pull requests on GitHub: :issue:`11270`.
+  * Fixed :py:meth:`ClientSession.close()
+    <aiohttp.ClientSession.close>` hanging indefinitely when
+    using HTTPS requests through HTTP proxies -- by
+    :user:`bdraco`. Related issues and pull requests on GitHub:
+    :issue:`11273`.
+  * Bumped minimum version of aiosignal to 1.4+ to resolve typing
+    issues -- by :user:`Dreamsorcerer`. Related issues and pull
+    requests on GitHub: :issue:`11280`.
+  * Added initial trailer parsing logic to Python HTTP parser --
+    by :user:`Dreamsorcerer`. Related issues and pull requests on
+    GitHub: :issue:`11269`.
+  * Clarified exceptions raised by WebSocketResponse.send_frame
+    et al. -- by :user:`DoctorJohn`. Related issues and pull
+    requests on GitHub: :issue:`11234`.
+
+-------------------------------------------------------------------
+Mon Jun 30 06:00:18 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add remove-isal-test-dep.patch to remove python-isal test
+  dependency, that's not part of Factory yet.
+
+-------------------------------------------------------------------
+Fri Jun 20 05:53:30 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Update to 3.12.13
+  * Optimized web server performance when access logging is disabled
+    by reducing time syscalls
+  * Improved performance of the WebSocket reader
+  * Disabled TLS in TLS warning (when using HTTPS proxies) for uvloop
+    and newer Python versions
+  * Added a comprehensive HTTP Digest Authentication client middleware
+    (DigestAuthMiddleware) that implements RFC 7616.
+  * Fixed pytest plugin to not use deprecated asyncio policy APIs.
+  * Allow user setting zlib compression backend
+  * Added host parameter to aiohttp_server fixture
+  * Added socket_factory to aiohttp.TCPConnector to allow specifying
+    custom socket options
+  * Upgraded to LLHTTP 9.3.0
+  * Optimized small HTTP requests/responses by coalescing headers and
+    body into a single TCP packet
+  * Removed non SPDX-license description from setup.cfg
+  * Added support for building against system llhttp library
+  * Fixed compatibility issue with Cython 3.1.1
+  * Added support for reusable request bodies to enable retries,
+    redirects, and digest authentication
+  * Improved performance of isinstance checks by using collections.abc
+    types instead of typing module equivalents
+  * Added ssl_shutdown_timeout parameter to aiohttp.ClientSession and
+    aiohttp.TCPConnector to control the grace period for SSL shutdown
+    handshake on TLS connections.
+  * Downgraded the logging level for connector close errors from ERROR
+    to DEBUG, as these are expected behavior with TLS 1.3 connections
+  * Fixed cookie parsing to be more lenient when handling cookies with
+    special characters in names or values
+  * Improved SSL connection handling by changing the default ssl_shutdown_timeout
+    from 0.1 to 0 seconds. The ssl_shutdown_timeout parameter is now deprecated
+    and will be removed in aiohttp 4.0
+- Review tests
+
 -------------------------------------------------------------------
 Tue Apr 15 09:18:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>