chore(deps): [dataflow-gcs-to-alloydb] Update vulnerabilityAlerts to v3.14.1 [SECURITY] #587
Open
renovate-bot wants to merge 1 commit into
This PR contains the following updates:

- aiohttp: 3.14.0 → 3.14.1

AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
CVE-2026-47265 / GHSA-hg6j-4rv6-33pg

Summary: Cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect.

Impact: If a developer uses the `cookies` parameter on a per-request basis, sensitive data might be leaked to an attacker who manages to control a redirect.

Workaround: If unable to upgrade, passing a `Cookie` header in the `headers` parameter is not vulnerable.

Patch: aio-libs/aiohttp@f54c408

Severity: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
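To make the advisory concrete, here is an added example (not aiohttp's code, and not the fix in f54c408) that walks a constructed redirect chain and decides per hop whether per-request cookies may be reattached. The rule it assumes is the one a client should apply: cookies handed in for a single request belong to that request's origin, so they are sent again only while the chain stays on the same scheme, host and port. The URLs and the `responses` map are constructed for the demonstration.

```python
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

# Default ports for origin comparison: "https://h/" and "https://h:443/"
# are the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url: str) -> tuple[str, str, int | None]:
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def cookies_for_hop(request_cookies: dict, first_url: str, hop_url: str) -> dict:
    """Per-request cookies that may accompany the request to hop_url.

    Assumed policy: per-request cookies are scoped to the origin of the
    request they were given for, so a cross-origin hop receives none.
    """
    if origin(first_url) == origin(hop_url):
        return dict(request_cookies)
    return {}


def follow_redirects(start_url: str, request_cookies: dict,
                     responses: dict, max_hops: int = 5) -> list:
    """Walk a constructed redirect chain and record the cookies sent per hop.

    `responses` maps a URL to the Location it redirects to (absolute or
    relative), or to None for a final non-redirect response.
    Returns a list of (url, cookies_sent) tuples, one per hop.
    """
    trace = []
    url = start_url
    for _ in range(max_hops):
        sent = cookies_for_hop(request_cookies, start_url, url)
        trace.append((url, sent))
        location = responses.get(url)
        if location is None:
            break
        url = urljoin(url, location)
    return trace


if __name__ == "__main__":
    # Constructed chain: the first hop redirects off-origin, the second is final.
    responses = {
        "https://api.example.com/login": "https://evil.example.net/collect",
        "https://evil.example.net/collect": None,
    }
    for hop, sent in follow_redirects("https://api.example.com/login",
                                      {"session": "s3cret"}, responses):
        print(hop, "->", sent)
```

The same-origin check also treats a relative `Location` and an explicit default port as staying on the origin, which is the case a naive string comparison of hosts gets wrong in both directions.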
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
CVE-2026-34993 / GHSA-jg22-mg44-37j8

Summary: Using `CookieJar.load()` with untrusted input may allow arbitrary code execution.

Impact: Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.

Workaround: If an application does allow attacker-controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.

Patch: aio-libs/aiohttp@dcf40f3

Severity: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes

aio-libs/aiohttp (aiohttp)

v3.14.1

Bug fixes

- Fixed a race condition in `aiohttp.TCPConnector` where closing the connector while a DNS resolution was in-flight could raise `AttributeError` instead of `aiohttp.ClientConnectionError` -- by goingforstudying-ctrl. Related issues and pull requests on GitHub: #12497.
- Fixed `CancelledError` not closing a connection -- by aiolibsbot. Related issues and pull requests on GitHub: #12795.
- Tightened up some websocket parser checks -- by Dreamsorcerer. Related issues and pull requests on GitHub: #12817.
- Fixed `aiohttp.CookieJar` dropping the host-only flag of cookies when persisted with `CookieJar.save` and reloaded with `CookieJar.load`, so a cookie set without a `Domain` attribute is again scoped to the exact host that set it after a reload; the absolute expiration deadline is now persisted as well, so a reloaded cookie keeps its original lifetime instead of being rescheduled from the load time. `CookieJar.load` now replaces the jar contents rather than merging onto prior state, and loaded cookies pass through the same acceptance rules as `CookieJar.update_cookies`, so a cookie for an IP-address host is dropped when loaded into a jar created without `unsafe=True` -- by bdraco. Related issues and pull requests on GitHub: #12824.
- Scoped `aiohttp.DigestAuthMiddleware` credentials to the origin of the first request it handles, so a redirect to a different origin no longer triggers a digest response computed from the configured credentials; a challenge from another origin is only answered when that origin falls within a protection space advertised by the anchor origin through the RFC 7616 `domain` directive -- by bdraco. Related issues and pull requests on GitHub: #12825.
- Fixed the C HTTP parser not enforcing `max_line_size` on a request target or response reason phrase that is split across multiple reads; each fragment was checked on its own, so an accumulated line could exceed the limit without raising `LineTooLong`. The accumulated length is now checked, matching the pure-Python parser -- by bdraco. Related issues and pull requests on GitHub: #12826.
- Changed `aiohttp.TCPConnector` to reject legacy non-canonical numeric IPv4 host forms such as `2130706433`, `017700000001` and `127.1` with `aiohttp.InvalidUrlClientError`; only canonical dotted-quad IPv4 literals are now treated as IP address literals, while every other host is sent through the configured resolver -- by bdraco. Related issues and pull requests on GitHub: #12827.
- Fixed `aiohttp.StreamReader.readany` and `aiohttp.StreamReader.read_nowait` joining data fed back into the buffer during the call (when draining below the low water mark resumes reading) into a single unbounded `bytes`; a call now returns only the chunks that were buffered when it started, keeping the drain of an unread auto-decompressed request body bounded by the read buffer -- by bdraco. Related issues and pull requests on GitHub: #12828.
- Bounded the number of parsed-but-unhandled pipelined HTTP/1 requests buffered per connection on the server; once the queue reaches an internal limit the parser stops emitting and the transport is paused, resuming as the request handler drains the queue, so a client keeping one handler busy can no longer accumulate an unbounded backlog of pipelined requests -- by bdraco. Related issues and pull requests on GitHub: #12830.
- Fixed `aiohttp.web.Response.write_eof` skipping `Payload.close()` when the body write was interrupted by an error or cancellation, for example when a client disconnects mid-response; the payload close hook now runs in a `finally` so an `aiohttp.payload.Payload` body always releases its resources -- by bdraco. Related issues and pull requests on GitHub: #12831.
- Fixed the pure-Python HTTP parser not enforcing `max_line_size` on a chunk-size line when the whole line arrived in a single read; the limit was only applied to chunk-size metadata split across reads. The complete-line case is now checked too, matching the split-line behavior -- by bdraco. Related issues and pull requests on GitHub: #12832.
- Included the per-request `server_hostname` override in the `aiohttp.TCPConnector` connection pool key, so a pooled TLS connection is no longer reused for a request that sets `server_hostname` to a different value -- by bdraco. Related issues and pull requests on GitHub: #12835.
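The two `max_line_size` items above (#12826 and #12832) are one bug class: a limit applied to each read fragment, or only to the split-across-reads case, while the assembled line is never measured. The following added example (constructed for this page, not aiohttp's parser) shows the defective pattern next to an accumulator that checks the partial line after every feed and every complete line, so both the split-across-reads and the whole-line-in-one-read cases are bounded. The fragments and the limit of 16 bytes are constructed inputs; `LineTooLong` is a local stand-in for the exception named in the notes.

```python
from __future__ import annotations


class LineTooLong(Exception):
    """Raised when a protocol line exceeds the configured limit."""


def fragment_checked_parse(fragments: list[bytes], max_line_size: int) -> list[bytes]:
    """Defective pattern (constructed illustration, not aiohttp's code).

    Each read() fragment is checked on its own and then appended; a line
    that spans several reads is never measured as a whole, so it can end
    up far longer than max_line_size without raising.
    """
    buf = bytearray()
    for frag in fragments:
        if len(frag) > max_line_size:
            raise LineTooLong(f"fragment of {len(frag)} bytes exceeds {max_line_size}")
        buf += frag
    return [line for line in bytes(buf).split(b"\r\n") if line]


class LineAccumulator:
    """Fixed pattern: the partial line is kept across reads and its
    accumulated length is checked after every feed, and every complete
    line is checked too, so a line arriving whole in one read is bounded."""

    def __init__(self, max_line_size: int) -> None:
        self.max_line_size = max_line_size
        self._buf = bytearray()

    def feed(self, data: bytes) -> list[bytes]:
        self._buf += data
        lines: list[bytes] = []
        while (idx := self._buf.find(b"\r\n")) >= 0:
            line = bytes(self._buf[:idx])
            del self._buf[: idx + 2]
            if len(line) > self.max_line_size:
                raise LineTooLong(f"line of {len(line)} bytes exceeds {self.max_line_size}")
            lines.append(line)
        # A trailing "\r" may be the first half of a terminator split across
        # reads; do not count it against the partial line's length.
        partial = len(self._buf) - (1 if self._buf.endswith(b"\r") else 0)
        if partial > self.max_line_size:
            raise LineTooLong(f"partial line of {partial} bytes exceeds {self.max_line_size}")
        return lines


def accumulated_parse(fragments: list[bytes], max_line_size: int) -> list[bytes]:
    """Feed constructed read fragments through the accumulator."""
    acc = LineAccumulator(max_line_size)
    lines: list[bytes] = []
    for frag in fragments:
        lines.extend(acc.feed(frag))
    return lines


if __name__ == "__main__":
    # Constructed: three fragments, each under 16 bytes, forming a 36-byte line.
    frags = [b"GET /" + b"a" * 10, b"a" * 12, b" HTTP/1.1\r\n"]
    print("fragment-checked:", fragment_checked_parse(frags, 16))
    try:
        accumulated_parse(frags, 16)
    except LineTooLong as exc:
        print("accumulated:", exc)
```

The accumulator raises on the second fragment, when the buffered partial line reaches 27 bytes, rather than waiting for the terminator; that is what keeps the buffer itself bounded and not just the returned line.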
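The #12827 item is about host strings that a libc `inet_aton()` parser turns into an address even though they are not dotted quads, so a filter that compares hostnames or whitelists literals by string can be handed a different address than it sees. As an added example (not aiohttp's implementation; the classification policy is an assumption drawn from the release note), the following accepts only canonical dotted-quad literals, flags the legacy numeric forms named in the note, and leaves everything else to the resolver. The `inet_aton_view` helper is platform-dependent and is included only to show what the libc parser would make of each form.

```python
from __future__ import annotations

import re
import socket

# One decimal octet 0-255 with no leading zero ("01" and "001" do not match).
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_CANONICAL_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")

# A label that reads as a C-style integer literal: decimal, 0-prefixed octal
# or 0x-prefixed hex. These are the forms inet_aton() historically accepts,
# which is why "127.1", "2130706433" and "017700000001" all mean loopback.
_NUMERIC_LABEL = re.compile(r"(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)")


def is_canonical_ipv4_literal(host: str) -> bool:
    """True only for four plain decimal octets separated by dots."""
    return _CANONICAL_IPV4.fullmatch(host) is not None


def is_legacy_numeric_host(host: str) -> bool:
    """True for a host of 1 to 4 integer-literal labels that is not canonical.

    Assumed approximation of the forms the note describes as rejected.
    """
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return False
    if not all(_NUMERIC_LABEL.fullmatch(label) for label in labels):
        return False
    return not is_canonical_ipv4_literal(host)


def classify_host(host: str) -> str:
    """Assumed policy mirroring the note: canonical dotted quads are IP
    literals, legacy numeric forms are rejected, anything else is resolved."""
    if is_canonical_ipv4_literal(host):
        return "ipv4-literal"
    if is_legacy_numeric_host(host):
        return "rejected-legacy-numeric"
    return "resolver"


def inet_aton_view(host: str) -> str | None:
    """Dotted quad the platform's inet_aton() derives from host, or None.

    Platform-dependent; shown only to illustrate why the strict check matters.
    """
    try:
        return socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample hosts, including the three forms from the note.
    for host in ["127.0.0.1", "2130706433", "017700000001", "127.1",
                 "0x7f.0.0.1", "127.0.0.01", "example.com"]:
        print(f"{host:>14}  {classify_host(host):<24}  inet_aton={inet_aton_view(host)}")
```

Note that the strict regex also refuses a leading-zero octet such as `127.0.0.01`, which the numeric-label rule then classifies as legacy, so it is rejected rather than silently reinterpreted as octal.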
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.