CVE-2021-41945

Advisory

Connexion 3.0 updates its dependency 'httpx' to include a security fix.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

We are excited to announce the release of Connexion 3.0! 🎉

Connexion 3 fundamentally changes how Connexion is designed and implemented, and how it
fits into the wider Python API ecosystem. We adopted the ASGI interface, which makes Connexion both
modular and well-integrated with most modern Python API tooling.

**It brings some major changes compared to 2.X:**

* The improved ``App`` and new ``AsyncApp`` allow you to use Connexion as a stand-alone framework
* The ``App`` interface was extended so you no longer have to care about the framework used
underneath
* Connexion can now be used as middleware to supercharge any ASGI or WSGI-compatible framework
with its spec-based functionality
* Connexion is now pluggable in many dimensions:
* All Connexion functionality is pluggable by adding or removing middleware from its stack
* Validation is now pluggable by content type, solving longstanding issues regarding endpoints
with multiple content types and making it easy to add validation for additional content types
* Authentication is now pluggable by security scheme, making it easy to customize the behavior or
add support for additional security schemes.
* Aiohttp support has been dropped due to lack of ASGI support
* We spent a lot of effort on extending and improving `our documentation`_

**For further details, check:**
* Our [Connexion 3 documentation page][v3 docs] for a high level overview of the changes
* Our [in-depth blog post][v3 blog] on the redesign for technical details
* Below for a detailed overview of all changes 👇

[v3 blog]: https://medium.com/robbe.sneyders/a5dc17e81ff8?source=friends_link&sk=de5a7a67ccae8a03752f5e8e1dc68d48
[v3 docs]: https://connexion.readthedocs.io/en/stable/v3.html

Full changelog
* Drop aiohttp support by RobbeSneyders in https://github.com/spec-first/connexion/pull/1491
* Add Python 3.10 in favor of 3.6 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1494
* Add empty connexion middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1502
* Extract Swagger UI functionality into middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1496
* Add pre-commit hook by RobbeSneyders in https://github.com/spec-first/connexion/pull/1511
* Add routing middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1497
* Extract security to middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1514
* Remove myself (Rafael Caricio) as maintainer by rafaelcaricio in https://github.com/spec-first/connexion/pull/1517
* Merge V2 to main by RobbeSneyders in https://github.com/spec-first/connexion/pull/1518
* Fix deprecation warning for Validator.iter_errors by jonasboecquaert in https://github.com/spec-first/connexion/pull/1536
* Refactor routing into middleware-api-operation model by RobbeSneyders in https://github.com/spec-first/connexion/pull/1533
* Clean up operation classes by RobbeSneyders in https://github.com/spec-first/connexion/pull/1535
* Removed jsonschema version check by jonasboecquaert in https://github.com/spec-first/connexion/pull/1540
* Remove built-in support for uWSGI by jacobstanly89 in https://github.com/spec-first/connexion/pull/1544
* Fix for bug of the function is_json_mimetype() by jacobstanly89 in https://github.com/spec-first/connexion/pull/1541
* Use resolver in security middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1553
* call as_view in methodresolver by bluebrown in https://github.com/spec-first/connexion/pull/1552
* Fix async tests by Ruwann in https://github.com/spec-first/connexion/pull/1558
* Add test for MethodViewResolver by RobbeSneyders in https://github.com/spec-first/connexion/pull/1559
* debug mode interaction for non-flask server by thvu11 in https://github.com/spec-first/connexion/pull/1556
* Add .git-blame-ignore-revs file with black commit by RobbeSneyders in https://github.com/spec-first/connexion/pull/1561
* Feature/method views args by bluebrown in https://github.com/spec-first/connexion/pull/1564
* Activate mypy check in pre-commit by RobbeSneyders in https://github.com/spec-first/connexion/pull/1560
* Remove "type: ignore" by using list(dict), not dict.keys() by cclauss in https://github.com/spec-first/connexion/pull/1575
* Merge v2 to main by RobbeSneyders in https://github.com/spec-first/connexion/pull/1579
* Resolve $ref referring to another $ref by chibacchie in https://github.com/spec-first/connexion/pull/1584
* Update json for Flask 2.3 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1582
* Use Flask request_ctx instead of _request_ctx_stack by RobbeSneyders in https://github.com/spec-first/connexion/pull/1583
* setup.py: Update url by jayvdb in https://github.com/spec-first/connexion/pull/1586
* Extract JSON request body validation to middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1588
* Remove AbstractSwaggerUIAPI class by RobbeSneyders in https://github.com/spec-first/connexion/pull/1589
* Removed internal variable pass_context_arg_name by leonardofesta in https://github.com/spec-first/connexion/pull/1568
* Explicitly support Flask async routes by RobbeSneyders in https://github.com/spec-first/connexion/pull/1592
* Extract boilerplate code into Routed base classes by RobbeSneyders in https://github.com/spec-first/connexion/pull/1590
* Move JSON response body validation to middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1591
* Remove support for deprecated x-body-name position by RobbeSneyders in https://github.com/spec-first/connexion/pull/1600
* Avoid warning with jsonschema 4.16.0 by gaetano-guerriero in https://github.com/spec-first/connexion/pull/1601
* Add form data validator for validation middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1595
* Flask apps only signal an exception on real server errors by enerqi in https://github.com/spec-first/connexion/pull/1611
* Move parameter validation to middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1610
* Add async app by RobbeSneyders in https://github.com/spec-first/connexion/pull/1613
* Update examples for Connexion 3.0 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1615
* Refactor decorators by RobbeSneyders in https://github.com/spec-first/connexion/pull/1618
* Switch to own maintained version of swagger-ui by RobbeSneyders in https://github.com/spec-first/connexion/pull/1619
* Expose additional context by RobbeSneyders in https://github.com/spec-first/connexion/pull/1620
* Implement user facing interface for ConnexionMiddleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1621
* Enable enforcing defaults by RobbeSneyders in https://github.com/spec-first/connexion/pull/1616
* Cache operation body definition by RobbeSneyders in https://github.com/spec-first/connexion/pull/1626
* Coerce types only in uri parser by RobbeSneyders in https://github.com/spec-first/connexion/pull/1627
* Introduce poetry by RobbeSneyders in https://github.com/spec-first/connexion/pull/1628
* Bump httpx version to 0.23 to mitigate GHSA-h8pj-cxx2-jfg2 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1632
* Refactor tests by RobbeSneyders in https://github.com/spec-first/connexion/pull/1631
* Define request interface and align WSGI and ASGI by RobbeSneyders in https://github.com/spec-first/connexion/pull/1636
* Feature/request context by RobbeSneyders in https://github.com/spec-first/connexion/pull/1639
* Add error handlers for AsyncApp by RobbeSneyders in https://github.com/spec-first/connexion/pull/1640
* Make tests framework agnostic by RobbeSneyders in https://github.com/spec-first/connexion/pull/1634
* Bump starlette version by Ruwann in https://github.com/spec-first/connexion/pull/1641
* Bump a2wsgi and drop monkeypatch by RobbeSneyders in https://github.com/spec-first/connexion/pull/1647
* Update NumberConverter regex to match new Werkzeug behavior (v3) by RobbeSneyders in https://github.com/spec-first/connexion/pull/1644
* Re-add tests for multiple and mixed file uploads by RobbeSneyders in https://github.com/spec-first/connexion/pull/1642
* Add support for relative refs in spec by RobbeSneyders in https://github.com/spec-first/connexion/pull/1648
* Clean up errors and fix hierarchy by RobbeSneyders in https://github.com/spec-first/connexion/pull/1649
* Enforce required RequestBody by RobbeSneyders in https://github.com/spec-first/connexion/pull/1652
* Create abstract validator classes by RobbeSneyders in https://github.com/spec-first/connexion/pull/1653
* Enable response mimetype validation for non-error responses by RobbeSneyders in https://github.com/spec-first/connexion/pull/1654
* Don't return 400 when read-only property is provided by RobbeSneyders in https://github.com/spec-first/connexion/pull/1655
* Add jsonifier as argument to app / api by RobbeSneyders in https://github.com/spec-first/connexion/pull/1656
* Add high-level documentation for 3.0 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1646
* Run release pipeline for pre-releases as well by RobbeSneyders in https://github.com/spec-first/connexion/pull/1658
* Fix filter pattern in release pipeline by RobbeSneyders in https://github.com/spec-first/connexion/pull/1659
* Fix ReadTheDocs config for Poetry by RobbeSneyders in https://github.com/spec-first/connexion/pull/1663
* Update quickstart.rst to include example of passing server arguments by rkrishnasanka in https://github.com/spec-first/connexion/pull/1645
* Fix and extend v3 documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1664
* Update docs index page by RobbeSneyders in https://github.com/spec-first/connexion/pull/1665
* Delay import error for optional flask depencendy by RobbeSneyders in https://github.com/spec-first/connexion/pull/1668
* Update Operations to act as wrapper of wrapped view function by RobbeSneyders in https://github.com/spec-first/connexion/pull/1669
* Add explicit asgiref dependency by RobbeSneyders in https://github.com/spec-first/connexion/pull/1667
* Pass through lifespan events by RobbeSneyders in https://github.com/spec-first/connexion/pull/1673
* Add lifespan middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1676
* Fix examples links in security doc page by opheron in https://github.com/spec-first/connexion/pull/1677
* Fix stream replay in validators by RobbeSneyders in https://github.com/spec-first/connexion/pull/1678
* Make security pluggable by Ruwann in https://github.com/spec-first/connexion/pull/1671
* Add tests for strict validation in combination with api key in query by Ruwann in https://github.com/spec-first/connexion/pull/1681
* Update CLI for 3.0 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1687
* Add `add_middleware` interface by RobbeSneyders in https://github.com/spec-first/connexion/pull/1683
* Add test for security_map argument by Ruwann in https://github.com/spec-first/connexion/pull/1691
* Inspect middleware parameters before passing in lifespan by RobbeSneyders in https://github.com/spec-first/connexion/pull/1686
* Remove context keyword from security handlers by Ruwann in https://github.com/spec-first/connexion/pull/1690
* Unpack error handler when registering on middleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1695
* Use logger error instead of exception by Ruwann in https://github.com/spec-first/connexion/pull/1692
* Fix add_middleware enum comparison by RobbeSneyders in https://github.com/spec-first/connexion/pull/1698
* Move from caret to inequality requirements by marcin-lulek-cint in https://github.com/spec-first/connexion/pull/1704
* Improve and fix docs index page by RobbeSneyders in https://github.com/spec-first/connexion/pull/1700
* Update quickstart documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1701
* Add traceback info to common error handler by Ruwann in https://github.com/spec-first/connexion/pull/1708
* Add middleware documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1706
* Deepcopy only headers in validator by RobbeSneyders in https://github.com/spec-first/connexion/pull/1710
* Use repr for error logging by Ruwann in https://github.com/spec-first/connexion/pull/1711
* Fix typo by julienschuermans in https://github.com/spec-first/connexion/pull/1713
* Bugfix/basepath by Ruwann in https://github.com/spec-first/connexion/pull/1716
* Bump starlette by RobbeSneyders in https://github.com/spec-first/connexion/pull/1734
* Make middleware_app property private by RobbeSneyders in https://github.com/spec-first/connexion/pull/1737
* Update routing documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1738
* chore: fix typos by afuetterer in https://github.com/spec-first/connexion/pull/1740
* Add swagger-ui docs and clean up swagger-ui options by RobbeSneyders in https://github.com/spec-first/connexion/pull/1739
* Update request handling documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1741
* Update response handling documenation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1742
* Support multiple APIs with same base path by RobbeSneyders in https://github.com/spec-first/connexion/pull/1736
* Add validation documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1743
* Remove debug argument from example by RobbeSneyders in https://github.com/spec-first/connexion/pull/1749
* Add context documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1747
* Feature/get delete body by Ruwann in https://github.com/spec-first/connexion/pull/1712
* Drop Python 3.7 in favor of 3.11 and 3.12 by RobbeSneyders in https://github.com/spec-first/connexion/pull/1752
* Create FUNDING.yml by RobbeSneyders in https://github.com/spec-first/connexion/pull/1753
* Centralize error handling in ExceptionMiddleware by RobbeSneyders in https://github.com/spec-first/connexion/pull/1754
* Add lifespan documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1759
* Add testing documentation by RobbeSneyders in https://github.com/spec-first/connexion/pull/1760
* Update Exceptions documentations by RobbeSneyders in https://github.com/spec-first/connexion/pull/1758
* Fix CLI and drop click dependency by RobbeSneyders in https://github.com/spec-first/connexion/pull/1762
* Update cli docs by RobbeSneyders in https://github.com/spec-first/connexion/pull/1763
* Remove cookbook docs and sort index better by RobbeSneyders in https://github.com/spec-first/connexion/pull/1765
* Update security docs by RobbeSneyders in https://github.com/spec-first/connexion/pull/1764
* Add gunicorn with uvicorn workers to docs by RobbeSneyders in https://github.com/spec-first/connexion/pull/1766
* Import WSGIDecorator under connexion.decorators by RobbeSneyders in https://github.com/spec-first/connexion/pull/1768
* Add new authors' copyright notice by RobbeSneyders in https://github.com/spec-first/connexion/pull/1770
* Improve JSON req error on disallowed empty body by uranusjr in https://github.com/spec-first/connexion/pull/1761
* Update readme by RobbeSneyders in https://github.com/spec-first/connexion/pull/1769
* Update v3 documentation for release by RobbeSneyders in https://github.com/spec-first/connexion/pull/1771
* Switch back from py-swagger-ui to swagger-ui-bundle by RobbeSneyders in https://github.com/spec-first/connexion/pull/1756
* Convert README from rst to md by RobbeSneyders in https://github.com/spec-first/connexion/pull/1772
* Fix images on PyPI by RobbeSneyders in https://github.com/spec-first/connexion/pull/1773

New Contributors
* jacobstanly89 made their first contribution in https://github.com/spec-first/connexion/pull/1544
* bluebrown made their first contribution in https://github.com/spec-first/connexion/pull/1552
* thvu11 made their first contribution in https://github.com/spec-first/connexion/pull/1556
* chibacchie made their first contribution in https://github.com/spec-first/connexion/pull/1584
* jayvdb made their first contribution in https://github.com/spec-first/connexion/pull/1586
* leonardofesta made their first contribution in https://github.com/spec-first/connexion/pull/1568
* gaetano-guerriero made their first contribution in https://github.com/spec-first/connexion/pull/1601
* enerqi made their first contribution in https://github.com/spec-first/connexion/pull/1611
* rkrishnasanka made their first contribution in https://github.com/spec-first/connexion/pull/1645
* opheron made their first contribution in https://github.com/spec-first/connexion/pull/1677
* marcin-lulek-cint made their first contribution in https://github.com/spec-first/connexion/pull/1704
* julienschuermans made their first contribution in https://github.com/spec-first/connexion/pull/1713
* afuetterer made their first contribution in https://github.com/spec-first/connexion/pull/1740
* uranusjr made their first contribution in https://github.com/spec-first/connexion/pull/1761

**Full Changelog**: https://github.com/spec-first/connexion/compare/2.13.0...3.0.0

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41945