For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
Security fixes:
- python-pygments: ReDoS in pygments (CVE-2022-40896)
- python-pycryptodomex: Side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex (CVE-2023-52323)
- satellite: Arithmetic overflow in satellite (CVE-2023-4320)
- automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
- jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
- python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)
- rubygem-activesupport: File Disclosure of Locally Encrypted Files (CVE-2023-38037)
- jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
- python-django: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() (CVE-2023-41164)
- python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
- python-aiohttp: Numerous issues in HTTP parser with header parsing (CVE-2023-47627)
- python-aiohttp: HTTP request modification (CVE-2023-49081)
- python-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
- rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding bodies (CVE-2024-21647)
- rubygem-audited: Race condition can lead to audit logs being incorrectly attributed to the wrong user (CVE-2024-22047)
- python-jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)
- python-aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
- python-aiohttp: HTTP request smuggling (CVE-2024-23829)
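The python-jinja2 entry above (CVE-2024-22195) is the easiest of these to misjudge: escaping attribute values is not enough when the attribute names themselves come from user input. The following is an added example, not code from this advisory or from Jinja2. It is a minimal attribute filter written in plain Python that reproduces the pattern (values escaped, keys trusted), shows how a key breaks out of the attribute position, and adds a key check that refuses names containing whitespace, `/`, `>` or `=`. The rejection pattern and the function names are this example's own assumptions, not Jinja2's code, and the attacker input is constructed.

```python
import html
import re

# Attribute *names* must never contain whitespace, '/', '>' or '=': any of
# these lets a key terminate the name and start a new attribute or close the
# tag. This pattern is an assumption for the example, not Jinja2's own code.
_BAD_ATTR_KEY = re.compile(r"[\s/>=]", flags=re.ASCII)


def xmlattr_vulnerable(attrs: dict) -> str:
    """Escape values but trust keys: the pattern behind CVE-2024-22195.

    Illustrative reimplementation, not Jinja2's filter.
    """
    return "".join(
        f' {key}="{html.escape(str(value), quote=True)}"'
        for key, value in attrs.items()
        if value is not None
    )


def xmlattr_hardened(attrs: dict) -> str:
    """Same output for well-formed keys; refuses keys that can inject attributes."""
    parts = []
    for key, value in attrs.items():
        if value is None:
            continue
        if _BAD_ATTR_KEY.search(key):
            raise ValueError(f"invalid attribute name: {key!r}")
        parts.append(f' {key}="{html.escape(str(value), quote=True)}"')
    return "".join(parts)


def is_rejected(attrs: dict) -> bool:
    """True if the hardened filter refuses this attribute dict."""
    try:
        xmlattr_hardened(attrs)
    except ValueError:
        return True
    return False


# Constructed inputs. In the malicious case the payload is in the KEY, so
# value escaping never touches it; the value is deliberately harmless.
MALICIOUS_ATTRS = {'src="x" onerror="alert(1)" data-x': "ignored"}
SAFE_ATTRS = {"class": "avatar", "title": 'Say "hi" <b>'}


if __name__ == "__main__":
    print("vulnerable: <img" + xmlattr_vulnerable(MALICIOUS_ATTRS) + ">")
    print("hardened:   <img" + xmlattr_hardened(SAFE_ATTRS) + ">")
    print("malicious rejected:", is_rejected(MALICIOUS_ATTRS))
```

The vulnerable rendering yields `<img src="x" onerror="alert(1)" data-x="ignored">`, a working event-handler injection even though every value was escaped. The practical rule for templates is the one the hardened function enforces: user input may populate attribute values, never attribute names, and a filter that accepts a mapping must validate the keys.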
Additional Changes:
This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes document linked to in the References section.