Bump aiohttp to v3.7.4 for a security release

aio-libs · Feb 25, 2021 · 0a26acc · 0a26acc
1 parent 021c416
commit 0a26acc
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 16 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -14,6 +14,34 @@ Changelog
 
 .. towncrier release notes start
 
+3.7.3 (2021-02-25)
+==================
+
+Bugfixes
+--------
+
+- **(SECURITY BUG)** Started preventing open redirects in the
+  ``aiohttp.web.normalize_path_middleware`` middleware. For
+  more details, see
+  https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg.
+
+  Thanks to `Beast Glatisant <https://github.com/g147>`__ for
+  finding the first instance of this issue and `Jelmer Vernooĳ
+  <https://jelmer.uk/>`__ for reporting and tracking it down
+  in aiohttp.
+  `#5497 <https://github.com/aio-libs/aiohttp/issues/5497>`_
+- Fix interpretation difference of the pure-Python and the Cython-based
+  HTTP parsers construct a ``yarl.URL`` object for HTTP request-target.
+
+  Before this fix, the Python parser would turn the URI's absolute-path
+  for ``//some-path`` into ``/`` while the Cython code preserved it as
+  ``//some-path``. Now, both do the latter.
+  `#5498 <https://github.com/aio-libs/aiohttp/issues/5498>`_
+
+
+----
+
+
 3.7.3 (2020-11-18)
 ==================
 

diff --git a/CHANGES/5497.bugfix b/CHANGES/5497.bugfix
diff --git a/CHANGES/5498.bugfix b/CHANGES/5498.bugfix
diff --git a/aiohttp/__init__.py b/aiohttp/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "3.7.3"
+__version__ = "3.7.4"
 
 from typing import Tuple