The package rpms/python-aiohttp.git has added or updated architecture specific content in its spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/python-aiohttp.git/commit/?id=4cf....
Change:
-%ifarch %{arm32}
Thanks.
Full change:
============
commit 4cf3da2c93e0a016c8cd2baeeb69258329474d00
Author: Benjamin A. Beasley <code(a)musicinmybrain.net>
Date: Thu Nov 30 09:16:21 2023 -0500
Update to 3.9.1 (fix RHBZ#2252236, fix RHBZ#2252249)
- Fixes CVE-2023-49081 and CVE-2023-49082
diff --git a/.gitignore b/.gitignore
index cf78870..41d44a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,3 +75,4 @@
/aiohttp-3.8.4.tar.gz
/aiohttp-3.8.5.tar.gz
/aiohttp-3.8.6.tar.gz
+/aiohttp-3.9.1.tar.gz
diff --git a/0001-ignore-DeprecationWarning-set_child_watcher-is-depre.patch
b/0001-ignore-DeprecationWarning-set_child_watcher-is-depre.patch
deleted file mode 100644
index 824766d..0000000
--- a/0001-ignore-DeprecationWarning-set_child_watcher-is-depre.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 21aa104edf799cdda94168a049aed7dfd0254cec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar(a)redhat.com>
-Date: Mon, 15 May 2023 16:22:25 +0200
-Subject: [PATCH] ignore DeprecationWarning 'set_child_watcher' is deprecated
- as of Python 3.12
-
----
- setup.cfg | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/setup.cfg b/setup.cfg
-index 12cd4124..330b1cb5 100644
---- a/setup.cfg
-+++ b/setup.cfg
-@@ -150,6 +150,7 @@ filterwarnings =
- # can be dropped with the next release of `certify`, specifically
- # `certify > 2022.06.15`.
- ignore:path is deprecated. Use files.. instead. Refer to
https.//importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy for
migration advice.:DeprecationWarning:certifi.core
-+ ignore:'set_child_watcher' is deprecated as of Python 3.12 and will be
removed in Python 3.14.:DeprecationWarning::
- ignore:Automatic charset detection will be removed in 3.9:DeprecationWarning
- junit_suite_name = aiohttp_test_suite
- norecursedirs = dist docs build .tox .eggs
---
-2.41.0
-
diff --git a/Update-update_query-calls-to-work-with-latest-yarl.patch
b/Update-update_query-calls-to-work-with-latest-yarl.patch
deleted file mode 100644
index de0c45d..0000000
--- a/Update-update_query-calls-to-work-with-latest-yarl.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 8afa163fba77b38de1c2356668f08a7c3b9d0b58 Mon Sep 17 00:00:00 2001
-From: danigm <daniel.garcia(a)suse.com>
-Date: Mon, 15 May 2023 15:20:35 +0200
-Subject: [PATCH] Update update_query calls to work with latest yarl
-
----
- aiohttp/client.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/aiohttp/client.py b/aiohttp/client.py
-index 0d0f4c1..56ec740 100644
---- a/aiohttp/client.py
-+++ b/aiohttp/client.py
-@@ -414,6 +414,7 @@ class ClientSession:
- redirects = 0
- history = []
- version = self._version
-+ params = params or {}
-
- # Merge with default headers and transform to CIMultiDict
- headers = self._prepare_headers(headers)
-@@ -630,7 +631,7 @@ class ClientSession:
- headers.pop(hdrs.AUTHORIZATION, None)
-
- url = parsed_url
-- params = None
-+ params = {}
- resp.release()
- continue
-
---
-2.40.1
-
diff --git a/python-aiohttp.spec b/python-aiohttp.spec
index c36694d..0a43d04 100644
--- a/python-aiohttp.spec
+++ b/python-aiohttp.spec
@@ -1,7 +1,7 @@
%bcond_without tests
Name: python-aiohttp
-Version: 3.8.6
+Version: 3.9.1
Release: 1%{?dist}
Summary: Python HTTP client/server for asyncio
@@ -14,25 +14,13 @@ Source0: %{url}/archive/v%{version}/aiohttp-%{version}.tar.gz
# downstream only patch
Patch: 0001-Unbundle-llhttp.patch
-# Update update_query calls to work with latest yarl (1.9.2)
-# Patch was inspired by this upstream commit:
-#
https://github.com/aio-libs/aiohttp/commit/2be9318
-Patch: Update-update_query-calls-to-work-with-latest-yarl.patch
-
-# [3.12] Ignore DeprecationWarning: 'set_child_watcher' is deprecated as of
Python 3.12
-# and will be removed in Python 3.14.
-# Upstream report:
https://github.com/aio-libs/aiohttp/issues/7291
-Patch: 0001-ignore-DeprecationWarning-set_child_watcher-is-depre.patch
-
BuildRequires: gcc
-# CVE-2023-30589 requires >= 8.1.1. For 9.1.3:
-# Missing security advisories for release 3.8.6
-#
https://github.com/aio-libs/aiohttp/issues/7711
+# CVE-2023-30589 requires >= 8.1.1. GHSA-pjjw-qhg8-p2p9 requires >= 9.0.0. The
+# actual lower bound is based on the version that upstream bundles/vendors.
BuildRequires: llhttp-devel >= 9.1.3
BuildRequires: python3-devel
-BuildRequires: python3dist(cython)
%global common_description %{expand:
Python HTTP client/server for asyncio which supports both the client and the
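Review bot: The new comment above `BuildRequires: llhttp-devel >= 9.1.3` justifies 8.1.1 and 9.0.0 as security floors but gives no source for 9.1.3 itself, and the removed lines carried the only upstream link. Suggest saying where the bundled version is read from (the next hunk removes `vendor/llhttp` in %prep) so the bound is rechecked on each update. The explicit `BuildRequires: python3dist(cython)` is also dropped here; that relies on `requirements/cython.in` being passed to `%pyproject_buildrequires` later in this diff, which deserves a short comment next to the removal.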
@@ -53,47 +41,39 @@ Recommends: python3-aiohttp+speedups
%prep
%autosetup -p 1 -n aiohttp-%{version}
# Remove bundled llhttp
-rm -rvf vendor/llhttp
+rm -rv vendor/llhttp
# Disable test coverage reports
#
https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_linters
sed -r -i '/--cov=/d' setup.cfg
-# We don’t use %%tox because it just runs pytest with coverage analysis; rather
-# than patching out the coverage invocation, we can run pytest directly. Still,
-# it is useful to generate test dependencies from tox.ini.
-# Upstream supports both brotlipy and Brotli, in theory; we have the latter.
-sed -r -i \
- -e 's/^[[:blank:]]*coverage$/# &/' \
- -e 's/^[[:blank:]]*-e[[:blank:]]+\.$/# &/' \
- -e 's/brotlipy/Brotli/' \
- tox.ini
-# Unpin dependency versions in requirements files, so we can use them to
-# generate additional dependencies. Comment out a few optional test
-# dependencies that are not yet packaged, as well as coverage dependencies.
-sed -r -i \
- -e 's/==[^#;]+//' \
+# Comment out:
+# - optional test dependencies that are not yet packaged or are useless here
+# - coverage dependnecies
+# - the “-c” constraint, which the pyproject-rpm-macros don’t support
+sed -r \
-e 's/^(proxy[-\.]py|python-on-whales|wait-for-it)/# &/' \
-e 's/^(coverage|pytest-cov|mypy)/# &/' \
-e 's/^(setuptools-git)/# &/' \
- requirements/*.txt
+ -e 's/^-c /# &/' \
+ requirements/test.in |
+%if 0%{?el9}
+ sed -r 's/^time-machine\b/# /' |
+%endif
+ tee requirements/test.in.filtered
%if 0%{?el9}
-# The python-cchardet package, specified for Python 3.9 and older, was never
-# built for EPEL9, and was orphaned and retired in F37. It should be fine to
-# patch this out of the “speedups” extra, as python-charset-normalizer should
-# do the same job anyway.
-sed -r -i 's/^[[:blank:]]*cchardet;/# &/' setup.cfg requirements/*.txt
+# This is normally a hard dependency, but we can still make a usable package
+# without it.
+sed -r -i 's/^uvloop\b/# &/' requirements/base.in
%endif
-# Remove files generated by Cython to regenerate them
+
+# Make sure the source archive does not include any files generated by Cython
grep -rl '/\* Generated by Cython' | xargs -r rm -v
-# async_generator is for Python 3.5/3.6 compatibility and should be deprecated now
-#
https://github.com/python-trio/async_generator/issues/35#issuecomment-124...
-sed -i -e 's/,async_generator//' setup.cfg
-sed -i -e '/async-generator/d' tox.ini requirements/base.txt
requirements/constraints.txt
# don't treat DeprecationWarnings as errors in subprocess based tests
sed -i 's/"-W", "error"/"-W", "error",
"-W", "ignore::DeprecationWarning"/'
tests/test_circular_imports.py
%generate_buildrequires
%{pyproject_buildrequires \
- requirements/base.txt %{?with_tests:requirements/test.txt -t}}
+ requirements/cython.in \
+ requirements/base.in %{?with_tests:requirements/test.in.filtered}}
%build
# Recreate removed Cython files using commands extracted from the Makefile.
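Review bot: In the el9 branch of the new pipeline, `sed -r 's/^time-machine\b/# /'` uses `# ` as the replacement where every other expression in this hunk uses `# &`, so the package name is deleted rather than commented out and `requirements/test.in.filtered` keeps only whatever followed it on that line. Suggest `'s/^time-machine\b/# &/'` for consistency. Because the output is piped into `tee`, a failing `sed` does not fail %prep unless pipefail is set, so a check that `requirements/test.in.filtered` is non-empty would be a cheap guard. The new comment also has a typo, "dependnecies".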
@@ -131,16 +111,27 @@ k="${k-}${k+ and }not test_no_warnings"
%endif
# test_proxy_functional.py requires python3dist(proxy-py)
ignore="${ignore-} --ignore=tests/test_proxy_functional.py"
+# These require python-on-whales and a running Docker
+ignore="${ignore-} --ignore=tests/autobahn"
# test_client_session_timeout_zero requires DNS
k="${k-}${k+ and }not test_client_session_timeout_zero"
-# Unexplained flaky error during teardown:
-# E RuntimeError: Event loop is closed
-k="${k-}${k+ and }not test_static_file_if_match"
-k="${k-}${k+ and }not test_static_file_if_none_match"
-%ifarch %{arm32}
-# Unexplained error during teardown:
-# ResourceWarning: unclosed transport <_SelectorSocketTransport fd=15>
-k="${k-}${k+ and }not test_tcp_connector_fingerprint_fail[pyloop]"
+# A slow builder may easily violate an arbitrary bound on how long it should
+# take to import the package. This is not something we need to care about
+# downstream.
+k="${k-}${k+ and }not test_import_time"
+%if 0%{?fc39} || 0%{?fc38}
+# E TypeError: Unsupported destination
+# datetime.timedelta(seconds=1000)
+# This appears to be an incompatibility with older versions of the test
+# dependency time-machine.
+k="${k-}${k+ and }not (TestCookieJarSafe and test_max_age)"
+%endif
+%if 0%{?el9}
+# E TypeError: 'NoneType' object is not callable
+# This is probably due to the absence of the test dependency time-machine.
+k="${k-}${k+ and }not (TestCookieJarSafe and test_expires)"
+k="${k-}${k+ and }not (TestCookieJarSafe and test_max_age)"
+k="${k-}${k+ and }not test_cookie_jar_clear_expired"
%endif
%pytest -Wdefault ${ignore-} -k "${k-}" -m 'not dev_mode'
%else
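Review bot: The el9 block deselects three cookie expiry tests (`test_expires`, `test_max_age`, `test_cookie_jar_clear_expired`) on the basis of "probably due to the absence of the test dependency time-machine", and the fc38/fc39 block keys a suspected time-machine version incompatibility on the release macro; neither comment carries a bug or upstream reference. Since these tests cover cookie expiry handling, suggest linking a tracking bug in each comment so the skips are revisited when time-machine is packaged or updated. The removal of the `%ifarch %{arm32}` skip and of the two `test_static_file_if_*` deselections is not explained in the commit message; one line stating why they are no longer needed would help.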
@@ -153,6 +144,10 @@ k="${k-}${k+ and }not
test_tcp_connector_fingerprint_fail[pyloop]"
%doc README.rst
%changelog
+* Thu Nov 30 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 3.9.1-1
+- Update to 3.9.1 (fix RHBZ#2252236, fix RHBZ#2252249)
+- Fixes CVE-2023-49081 and CVE-2023-49082
+
* Mon Oct 16 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 3.8.6-1
- Update to 3.8.6
diff --git a/sources b/sources
index b6dfd7f..e80a9d6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (aiohttp-3.8.6.tar.gz) =
e0b603a9c168bf7613303f32523a145dd8f53c00e5f1549d14bd04ec31847a0ec8f0a9a4630c7a37930f8dda478257fd6f8c67e3c76054a56b6efd6c614b20cd
+SHA512 (aiohttp-3.9.1.tar.gz) =
5f7e5cbdaaebf550ec3b1af5a903f61f5cf43abb0439daf144b872647feacc187e4518531001318ad5e88f1433170053c7ff5ff9215a0b2d4d892223de60a2b4