diff --git a/.gitignore b/.gitignore
index cf78870..41d44a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,3 +75,4 @@
 /aiohttp-3.8.4.tar.gz
 /aiohttp-3.8.5.tar.gz
 /aiohttp-3.8.6.tar.gz
+/aiohttp-3.9.1.tar.gz
diff --git a/0001-ignore-DeprecationWarning-set_child_watcher-is-depre.patch b/0001-ignore-DeprecationWarning-set_child_watcher-is-depre.patch
deleted file mode 100644
index 824766d..0000000
--- a/0001-ignore-DeprecationWarning-set_child_watcher-is-depre.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 21aa104edf799cdda94168a049aed7dfd0254cec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?=
-Date: Mon, 15 May 2023 16:22:25 +0200
-Subject: [PATCH] ignore DeprecationWarning 'set_child_watcher' is deprecated
- as of Python 3.12
-
----
- setup.cfg | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/setup.cfg b/setup.cfg
-index 12cd4124..330b1cb5 100644
---- a/setup.cfg
-+++ b/setup.cfg
-@@ -150,6 +150,7 @@ filterwarnings =
- # can be dropped with the next release of `certify`, specifically
- # `certify > 2022.06.15`.
- ignore:path is deprecated. Use files.. instead. Refer to https.//importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy for migration advice.:DeprecationWarning:certifi.core
-+ ignore:'set_child_watcher' is deprecated as of Python 3.12 and will be removed in Python 3.14.:DeprecationWarning::
- ignore:Automatic charset detection will be removed in 3.9:DeprecationWarning
- junit_suite_name = aiohttp_test_suite
- norecursedirs = dist docs build .tox .eggs
---
-2.41.0
-
diff --git a/Update-update_query-calls-to-work-with-latest-yarl.patch b/Update-update_query-calls-to-work-with-latest-yarl.patch
deleted file mode 100644
index de0c45d..0000000
--- a/Update-update_query-calls-to-work-with-latest-yarl.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 8afa163fba77b38de1c2356668f08a7c3b9d0b58 Mon Sep 17 00:00:00 2001
-From: danigm
-Date: Mon, 15 May 2023 15:20:35 +0200
-Subject: [PATCH] Update update_query calls to work with latest yarl
-
----
- aiohttp/client.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/aiohttp/client.py b/aiohttp/client.py
-index 0d0f4c1..56ec740 100644
---- a/aiohttp/client.py
-+++ b/aiohttp/client.py
-@@ -414,6 +414,7 @@ class ClientSession:
- redirects = 0
- history = []
- version = self._version
-+ params = params or {}
-
- # Merge with default headers and transform to CIMultiDict
- headers = self._prepare_headers(headers)
-@@ -630,7 +631,7 @@ class ClientSession:
- headers.pop(hdrs.AUTHORIZATION, None)
-
- url = parsed_url
-- params = None
-+ params = {}
- resp.release()
- continue
-
---
-2.40.1
-
diff --git a/python-aiohttp.spec b/python-aiohttp.spec
index c36694d..0a43d04 100644
--- a/python-aiohttp.spec
+++ b/python-aiohttp.spec
@@ -1,7 +1,7 @@
 %bcond_without tests
 Name: python-aiohttp
-Version: 3.8.6
+Version: 3.9.1
 Release: 1%{?dist}
 Summary: Python HTTP client/server for asyncio
@@ -14,25 +14,13 @@ Source0: %{url}/archive/v%{version}/aiohttp-%{version}.tar.gz # downstream only patch Patch: 0001-Unbundle-llhttp.patch -# Update update_query calls to work with latest yarl (1.9.2) -# Patch was inspired by this upstream commit: -# https://github.com/aio-libs/aiohttp/commit/2be9318 -Patch: Update-update_query-calls-to-work-with-latest-yarl.patch - -# [3.12] Ignore DeprecationWarning: 'set_child_watcher' is deprecated as of Python 3.12 -# and will be removed in Python 3.14. -# Upstream report: https://github.com/aio-libs/aiohttp/issues/7291 -Patch: 0001-ignore-DeprecationWarning-set_child_watcher-is-depre.patch - BuildRequires: gcc -# CVE-2023-30589 requires >= 8.1.1. For 9.1.3: -# Missing security advisories for release 3.8.6 -# https://github.com/aio-libs/aiohttp/issues/7711 +# CVE-2023-30589 requires >= 8.1.1. GHSA-pjjw-qhg8-p2p9 requires >= 9.0.0. The +# actual lower bound is based on the version that upstream bundles/vendors. BuildRequires: llhttp-devel >= 9.1.3 BuildRequires: python3-devel -BuildRequires: python3dist(cython) %global common_description %{expand: Python HTTP client/server for asyncio which supports both the client and the 
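Review bot: The `llhttp-devel >= 9.1.3` floor on the `BuildRequires` line constrains only the build root, so the advisory minimums named in the new comment (8.1.1 for CVE-2023-30589, 9.0.0 for GHSA-pjjw-qhg8-p2p9) are not by themselves enforced where the package is installed. Whether an installed system can pair this build with an older llhttp depends on the automatically generated shared-library dependency, which this hunk does not show. If that dependency does not already exclude pre-fix releases, a versioned runtime requirement would be needed as well. At minimum the comment could record the distinction, e.g. `# Build-time floor only; the runtime floor comes from the generated library dependency.`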
@@ -53,47 +41,39 @@ Recommends: python3-aiohttp+speedups %prep %autosetup -p 1 -n aiohttp-%{version} # Remove bundled llhttp -rm -rvf vendor/llhttp +rm -rv vendor/llhttp # Disable test coverage reports # https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_linters sed -r -i '/--cov=/d' setup.cfg -# We don’t use %%tox because it just runs pytest with coverage analysis; rather -# than patching out the coverage invocation, we can run pytest directly. Still, -# it is useful to generate test dependencies from tox.ini. -# Upstream supports both brotlipy and Brotli, in theory; we have the latter. -sed -r -i \ - -e 's/^[[:blank:]]*coverage$/# &/' \ - -e 's/^[[:blank:]]*-e[[:blank:]]+\.$/# &/' \ - -e 's/brotlipy/Brotli/' \ - tox.ini -# Unpin dependency versions in requirements files, so we can use them to -# generate additional dependencies. Comment out a few optional test -# dependencies that are not yet packaged, as well as coverage dependencies. -sed -r -i \ - -e 's/==[^#;]+//' \ +# Comment out: +# - optional test dependencies that are not yet packaged or are useless here +# - coverage dependnecies +# - the “-c” constraint, which the pyproject-rpm-macros don’t support +sed -r \ -e 's/^(proxy[-\.]py|python-on-whales|wait-for-it)/# &/' \ -e 's/^(coverage|pytest-cov|mypy)/# &/' \ -e 's/^(setuptools-git)/# &/' \ - requirements/*.txt + -e 's/^-c /# &/' \ + requirements/test.in | +%if 0%{?el9} + sed -r 's/^time-machine\b/# /' | +%endif + tee requirements/test.in.filtered %if 0%{?el9} -# The python-cchardet package, specified for Python 3.9 and older, was never -# built for EPEL9, and was orphaned and retired in F37. It should be fine to -# patch this out of the “speedups” extra, as python-charset-normalizer should -# do the same job anyway. -sed -r -i 's/^[[:blank:]]*cchardet;/# &/' setup.cfg requirements/*.txt +# This is normally a hard dependency, but we can still make a usable package +# without it. 
+sed -r -i 's/^uvloop\b/# &/' requirements/base.in %endif -# Remove files generated by Cython to regenerate them + +# Make sure the source archive does not include any files generated by Cython grep -rl '/\* Generated by Cython' | xargs -r rm -v -# async_generator is for Python 3.5/3.6 compatibility and should be deprecated now -# https://github.com/python-trio/async_generator/issues/35#issuecomment-1242576699 -sed -i -e 's/,async_generator//' setup.cfg -sed -i -e '/async-generator/d' tox.ini requirements/base.txt requirements/constraints.txt # don't treat DeprecationWarnings as errors in subprocess based tests sed -i 's/"-W", "error"/"-W", "error", "-W", "ignore::DeprecationWarning"/' tests/test_circular_imports.py %generate_buildrequires %{pyproject_buildrequires \ - requirements/base.txt %{?with_tests:requirements/test.txt -t}} + requirements/cython.in \ + requirements/base.in %{?with_tests:requirements/test.in.filtered}} %build # Recreate removed Cython files using commands extracted from the Makefile. 
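Review bot: The new `sed -r … requirements/test.in | … | tee requirements/test.in.filtered` pipeline reports only the exit status of `tee`, so unless the build shell runs with pipefail, a failing `sed` (for example after an upstream rename of `requirements/test.in`) leaves an empty or partial filtered file and `%generate_buildrequires` carries on with fewer test dependencies instead of stopping. Writing the file with a redirect, `sed -r … requirements/test.in > requirements/test.in.filtered`, and doing the EPEL 9 step in place inside its `%if`, `sed -r -i 's/^time-machine\b/# &/' requirements/test.in.filtered`, keeps each command's status visible to the shell. That also removes the inconsistency where the time-machine expression substitutes `# ` rather than `# &` like every other expression in the hunk, which drops the package name from the commented-out line. The comment above the pipeline has a typo: `coverage dependnecies` should read `coverage dependencies`.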
@@ -131,16 +111,27 @@ k="${k-}${k+ and }not test_no_warnings" %endif # test_proxy_functional.py requires python3dist(proxy-py) ignore="${ignore-} --ignore=tests/test_proxy_functional.py" +# These require python-on-whales and a running Docker +ignore="${ignore-} --ignore=tests/autobahn" # test_client_session_timeout_zero requires DNS k="${k-}${k+ and }not test_client_session_timeout_zero" -# Unexplained flaky error during teardown: -# E RuntimeError: Event loop is closed -k="${k-}${k+ and }not test_static_file_if_match" -k="${k-}${k+ and }not test_static_file_if_none_match" -%ifarch %{arm32} -# Unexplained error during teardown: -# ResourceWarning: unclosed transport <_SelectorSocketTransport fd=15> -k="${k-}${k+ and }not test_tcp_connector_fingerprint_fail[pyloop]" +# A slow builder may easily violate an arbitrary bound on how long it should +# take to import the package. This is not something we need to care about +# downstream. +k="${k-}${k+ and }not test_import_time" +%if 0%{?fc39} || 0%{?fc38} +# E TypeError: Unsupported destination +# datetime.timedelta(seconds=1000) +# This appears to be an incompatibility with older versions of the test +# dependency time-machine. +k="${k-}${k+ and }not (TestCookieJarSafe and test_max_age)" +%endif +%if 0%{?el9} +# E TypeError: 'NoneType' object is not callable +# This is probably due to the absence of the test dependency time-machine. +k="${k-}${k+ and }not (TestCookieJarSafe and test_expires)" +k="${k-}${k+ and }not (TestCookieJarSafe and test_max_age)" +k="${k-}${k+ and }not test_cookie_jar_clear_expired" %endif %pytest -Wdefault ${ignore-} -k "${k-}" -m 'not dev_mode' %else @@ -153,6 +144,10 @@ k="${k-}${k+ and }not test_tcp_connector_fingerprint_fail[pyloop]" %doc README.rst %changelog +* Thu Nov 30 2023 Benjamin A. Beasley - 3.9.1-1 +- Update to 3.9.1 (fix RHBZ#2252236, fix RHBZ#2252249) +- Fixes CVE-2023-49081 and CVE-2023-49082 + * Mon Oct 16 2023 Benjamin A. Beasley - 3.8.6-1 - Update to 3.8.6 
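Review bot: The EPEL 9 branch deselects `test_expires`, `test_max_age` and `test_cookie_jar_clear_expired` on a cause the comment itself calls probable, which leaves cookie-expiry handling unexercised on that target. The `%prep` changes in this same commit comment out `time-machine` under `0%{?el9}`, so that edit is very likely the cause and the comment can point at it, e.g. `# time-machine is filtered out of requirements/test.in on EPEL 9 (see %prep); re-enable once it is packaged.` The Fedora branch would benefit from a similar removal condition, since `0%{?fc39} || 0%{?fc38}` will otherwise linger after those releases are gone. The `%check` section begins before this hunk.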
diff --git a/sources b/sources
index b6dfd7f..e80a9d6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (aiohttp-3.8.6.tar.gz) = e0b603a9c168bf7613303f32523a145dd8f53c00e5f1549d14bd04ec31847a0ec8f0a9a4630c7a37930f8dda478257fd6f8c67e3c76054a56b6efd6c614b20cd
+SHA512 (aiohttp-3.9.1.tar.gz) = 5f7e5cbdaaebf550ec3b1af5a903f61f5cf43abb0439daf144b872647feacc187e4518531001318ad5e88f1433170053c7ff5ff9215a0b2d4d892223de60a2b4