Hello community,

here is the log from the commit of package python-aiohttp for openSUSE:Factory checked in at 2026-06-05 14:55:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-aiohttp (Old)
 and /work/SRC/openSUSE:Factory/.python-aiohttp.new.2375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-aiohttp" Fri Jun 5 14:55:35 2026 rev:68 rq:1357009 version:3.14.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-aiohttp/python-aiohttp.changes 2026-05-21 18:25:04.864996314 +0200 +++ /work/SRC/openSUSE:Factory/.python-aiohttp.new.2375/python-aiohttp.changes 2026-06-05 14:55:37.752716056 +0200 
@@ -1,0 +2,119 @@ +Wed Jun 3 13:33:02 UTC 2026 - Nico Krapp <[email protected]> + +- Update to 3.14.0 (fixes CVE-2026-34993, bsc#1267471) + * Added RequestKey and ResponseKey classes, + which enable static type checking for request & response + context storages in the same way that AppKey does for Application + * Added :func:~aiohttp.encode_basic_auth for encoding HTTP Basic + Authentication credentials. Replaces the now-deprecated + :class:~aiohttp.BasicAuth + * Started accepting :term:asynchronous context managers <asynchronous context + manager> for cleanup contexts. Legacy single-yield :term:asynchronous + generator cleanup contexts continue to be supported; async context managers + are adapted internally so they are entered at startup and exited during + cleanup. + * Added :py:attr:~aiohttp.CookieJar.cookies and + :py:attr:~aiohttp.CookieJar.host_only_cookies read-only properties to + :py:class:~aiohttp.CookieJar exposing the stored cookies with their full + attributes + * Added :py:attr:~aiohttp.web.TCPSite.port accessor for dynamic port + allocations in :class:~aiohttp.web.TCPSite + * Added decode_text parameter to :meth:~aiohttp.ClientSession.ws_connect and + :class:~aiohttp.web.WebSocketResponse to receive WebSocket TEXT messages as + raw bytes instead of decoded strings, enabling direct use with + high-performance JSON parsers like orjson + * Large overhaul of parser/decompression code. + The zip bomb security fix in 3.13 stopped highly compressed payloads + from being decompressed, regardless of validity. Now aiohttp will + decompress such payloads in chunks of 256+ KiB, allowing safe decompression + of such payloads. 
+ * Added explicit APIs for bytes-returning JSON serializer: + JSONBytesEncoder type, JsonBytesPayload, + :func:~aiohttp.web.json_bytes_response, + :meth:~aiohttp.web.WebSocketResponse.send_json_bytes and + :meth:~aiohttp.ClientWebSocketResponse.send_json_bytes methods, and + json_serialize_bytes parameter for :class:~aiohttp.ClientSession + * Added :attr:~aiohttp.ClientResponse.output_size and + :attr:~aiohttp.ClientResponse.upload_complete + * Fixed ZLibDecompressor silently dropping data past the first + member when decompressing concatenated gzip/deflate streams. Each subsequent + member is now handed to a fresh decompressor, matching the behaviour already + implemented for ZSTD multi-frame streams. + * Improved the parser error message shown when TLS handshake bytes are + received on an HTTP port + * Fixed the C parser failing to reject a response with a body when none was + expected + * Fixed http parser not rejecting HTTP/1.1 requests that do not have valid + Host header. + * Fixed misleading TLS-in-TLS warning being emitted when sending HTTPS + requests through an HTTP proxy. The warning now only fires when the proxy + itself uses HTTPS, which is the only case where TLS-in-TLS actually applies + * Fixed AssertionError when the transport is None during WebSocket + preparation or file response sending (e.g. when a client disconnects + immediately after connecting). 
A ConnectionResetError is now raised + instead + * Fixed ad-hoc cookies passed to individual requests not being sent when the + session's cookie jar has unsafe=True and the target URL uses an IP address, + by copying the unsafe setting from the session's cookie jar to the + temporary cookie jar + * Reset the WebSocket heartbeat timer on inbound data to avoid false + ping/pong timeouts while receiving large frames + * Switched :py:meth:~aiohttp.CookieJar.save to use JSON format and + :py:meth:~aiohttp.CookieJar.load to try JSON first with a fallback to + a restricted pickle unpickler + * Fixed redirects with consumed non-rewindable request bodies to raise + :class:aiohttp.ClientPayloadError instead of silently sending an empty body + * Fixed zstd decompression failing with ClientPayloadError when the server + sends a response as multiple zstd frames + * Fixed spurious Future exception was never retrieved warning on disconnect + during back-pressure + * Cookiejar.save() now uses 0x600 permissions to better protect them from + being read by other users + * Fixed a crash (:external+python:exc:~http.cookies.CookieError) in the + cookie parser when receiving cookies containing ASCII control characters on + CPython builds with the :cve:2026-3644 patch. The parser now gracefully + skips cookies whose value contains control characters instead of letting + or response.encoding == "WINDOWS-1252" the exception propagate + * Fixed digest authentication failing for requests whose path or query string + contains percent-encoded reserved characters; the digest signature now uses + the encoded request-target that is sent on the wire instead of the decoded + form + * Fixed :func:aiohttp.web.run_app losing inner traceback frames when an + exception is raised during application startup (e.g. inside + cleanup_ctx or on_startup). Regression since 3.10.6. 
+ * Fixed per-request cookies not being dropped on cross-origin redirects + * Fixed invalid bytes being allowed in multipart/payload headers + * Fixed :py:meth:~aiohttp.FormData.add_field accepting invalid bytes in name + or response.encoding == "WINDOWS-1252" and filename + * Fixed websocket upgrade occurring when header contained a value like + notupgrade + * Deprecated :class:~aiohttp.BasicAuth and the auth / proxy_auth + parameters. They will be removed in aiohttp 4.0. Use the new + :func:~aiohttp.encode_basic_auth helper together with + headers={"Authorization": ...} (or + proxy_headers={"Proxy-Authorization": ...} for proxies) instead. + Note that encode_basic_auth() defaults to utf-8, not latin1 + * Added deprecation warning to aiohttp.pytest_plugin, please switch to + pytest-aiohttp + * Stopped calling :func:socket.getfqdn as the fallback for + :attr:aiohttp.web.BaseRequest.host. :func:socket.getfqdn + performs blocking reverse DNS resolution on the event loop + thread and can stall a worker for many seconds when the system + resolver is slow, and could be triggered remotely by an HTTP/1.0 + request that omits the Host header. The fallback when no + Host header is present is now the local socket address the + request arrived on (transport sockname), or an empty string + if no transport information is available. Code that relied on + the FQDN being returned must now read it from + :func:socket.getfqdn directly, off the event loop + * Dropped support for Python 3.9 + * Tightened outbound header serialization to reject all ASCII control + characters forbidden by :rfc:9110#section-5.5 and :rfc:9112#section-4 + (0x00-0x08, 0x0A-0x1F, 0x7F) in status lines, + header field-names, and field-values. Previously only CR, LF and NUL were + rejected. HTAB (0x09) remains permitted in field values. 
Applications + that placed bare control characters in outbound headers will now raise + :exc:ValueError instead of emitting non-RFC-compliant bytes + * full changelog: https://github.com/aio-libs/aiohttp/releases/tag/v3.14.0 + +------------------------------------------------------------------- Old: ---- aiohttp-3.13.5.tar.gz New: ---- aiohttp-3.14.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-aiohttp.spec ++++++ --- /var/tmp/diff_new_pack.wYhxSD/_old 2026-06-05 14:55:38.792759067 +0200 +++ /var/tmp/diff_new_pack.wYhxSD/_new 2026-06-05 14:55:38.792759067 +0200 @@ -19,7 +19,7 @@ %bcond_with docs %{?sle15_python_module_pythons} Name: python-aiohttp -Version: 3.13.5 +Version: 3.14.0 Release: 0 Summary: Asynchronous HTTP client/server framework License: Apache-2.0 ++++++ aiohttp-3.13.5.tar.gz -> aiohttp-3.14.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/python-aiohttp/aiohttp-3.13.5.tar.gz /work/SRC/openSUSE:Factory/.python-aiohttp.new.2375/aiohttp-3.14.0.tar.gz differ: char 5, line 1 ++++++ fix-vendoring.patch ++++++ --- /var/tmp/diff_new_pack.wYhxSD/_old 2026-06-05 14:55:38.852761549 +0200 +++ /var/tmp/diff_new_pack.wYhxSD/_new 2026-06-05 14:55:38.856761714 +0200 
@@ -1,35 +1,44 @@ -Index: aiohttp-3.13.3/Makefile +Index: aiohttp-3.14.0/Makefile =================================================================== ---- aiohttp-3.13.3.orig/Makefile -+++ aiohttp-3.13.3/Makefile -@@ -47,10 +47,8 @@ endif +--- aiohttp-3.14.0.orig/Makefile ++++ aiohttp-3.14.0/Makefile +@@ -4,7 +4,7 @@ to-hash-one = $(dir $1).hash/$(addsuffix + to-hash = $(foreach fname,$1,$(call to-hash-one,$(fname))) + + CYTHON_EXTRA ?= +-PIP ?= python -m pip ++PIP ?= python3 -m pip + CYS := $(wildcard aiohttp/*.pyx) $(wildcard aiohttp/*.pyi) $(wildcard aiohttp/*.pxd) $(wildcard aiohttp/_websocket/*.pyx) $(wildcard aiohttp/_websocket/*.pyi) $(wildcard aiohttp/_websocket/*.pxd) + PYXS := $(wildcard aiohttp/*.pyx) $(wildcard aiohttp/_websocket/*.pyx) + CS := $(wildcard aiohttp/*.c) $(wildcard aiohttp/_websocket/*.c) +@@ -49,10 +49,8 @@ endif .SECONDARY: $(call to-hash,$(ALLS)) .update-pip: -- @python -m pip install --upgrade pip +- @$(PIP) install --upgrade pip .install-cython: .update-pip $(call to-hash,requirements/cython.txt) -- @python -m pip install -r requirements/cython.in -c requirements/cython.txt +- @$(PIP) install -r requirements/cython.in -c requirements/cython.txt @touch .install-cython aiohttp/_find_header.c: $(call to-hash,aiohttp/hdrs.py ./tools/gen.py) -@@ -85,7 +83,6 @@ cythonize: .install-cython $(PYXS:.pyx=. +@@ -87,7 +85,6 @@ cythonize: .install-cython $(PYXS:.pyx=. cythonize-nodeps: $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c .install-deps: .install-cython $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c $(call to-hash,$(CYS) $(REQS)) -- @python -m pip install -r requirements/dev.in -c requirements/dev.txt +- @$(PIP) install -r requirements/dev.in -c requirements/dev.txt @touch .install-deps .PHONY: lint -@@ -100,7 +97,6 @@ mypy: +@@ -102,7 +99,6 @@ mypy: mypy .develop: .install-deps generate-llhttp $(call to-hash,$(PYS) $(CYS) $(CS)) -- python -m pip install -e . -c requirements/runtime-deps.txt +- $(PIP) install -e . 
-c requirements/runtime-deps.txt @touch .develop .PHONY: test -@@ -110,12 +106,12 @@ test: .develop +@@ -112,12 +108,12 @@ test: .develop .PHONY: vtest vtest: .develop @pytest -s -v @@ -44,7 +53,7 @@ define run_tests_in_docker -@@ -151,7 +147,7 @@ clean: +@@ -143,7 +139,7 @@ clean: @rm -rf build @rm -rf cover @make -C docs clean @@ -53,24 +62,24 @@ @rm -f aiohttp/*.so @rm -f aiohttp/*.pyd @rm -f aiohttp/*.html -@@ -182,7 +178,6 @@ doc-spelling: +@@ -174,7 +170,6 @@ doc-spelling: .PHONY: install install: .update-pip -- @python -m pip install -r requirements/dev.in -c requirements/dev.txt +- @$(PIP) install -r requirements/dev.in -c requirements/dev.txt .PHONY: install-dev install-dev: .develop -@@ -190,4 +185,4 @@ install-dev: .develop +@@ -182,4 +177,4 @@ install-dev: .develop .PHONY: sync-direct-runtime-deps sync-direct-runtime-deps: @echo Updating 'requirements/runtime-deps.in' from 'pyproject.toml'... >&2 - @python requirements/sync-direct-runtime-deps.py + python3 requirements/sync-direct-runtime-deps.py -Index: aiohttp-3.13.3/tools/gen.py +Index: aiohttp-3.14.0/tools/gen.py =================================================================== ---- aiohttp-3.13.3.orig/tools/gen.py -+++ aiohttp-3.13.3/tools/gen.py +--- aiohttp-3.14.0.orig/tools/gen.py ++++ aiohttp-3.14.0/tools/gen.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python3
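Review bot: In the python-aiohttp.changes hunk (@@ -1,0 +2,119 @@), the entry header cites CVE-2026-34993 and bsc#1267471 but none of the bullets below it says which fix addresses that CVE, so the reference cannot be matched to a change from the entry alone; mark the relevant bullet with the CVE and bug number. Two bullets also carry a stray `or response.encoding == "WINDOWS-1252"` fragment (the cookie-parser CookieError item and the FormData.add_field item) that splits their sentences and should be dropped, and "0x600 permissions" in the Cookiejar.save() item is written as hex where a file mode would normally be given in octal (0600).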
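Review bot: In the python-aiohttp.spec hunk (@@ -19,7 +19,7 @@), only `Version:` changes while the changelog entry for this same update lists "Dropped support for Python 3.9"; nothing in the visible lines shows the spec's Python flavours or minimum-version constraints being checked against that. Confirm that the flavours expanded by `%{?sle15_python_module_pythons}` and any Python version requirement in the spec exclude 3.9, and adjust them in this request if they do not.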
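Review bot: In the refreshed fix-vendoring.patch (@@ -1,35 +1,44 @@), the new first Makefile hunk switches `PIP ?= python -m pip` to `python3 -m pip`, yet every `$(PIP) install` recipe line visible in the following hunks (.update-pip, .install-cython, .install-deps, .develop, install) is deleted, which leaves the variable without a visible user; drop that hunk if no other use remains, so the patch stays minimal against future upstream Makefile changes. The patch also still begins directly at `Index: aiohttp-3.14.0/Makefile` with no description, so a short header stating why the pip invocations are removed and the interpreter is pinned to python3 would help the next refresh.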
