PyPi: Line-Bot-Sdk

CVE-2023-37276

Transitive

Safety vulnerability ID: 60194

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 19, 2023 Updated at Apr 17, 2024

Advisory

line-bot-sdk 3.2.0 raises its 'aiohttp' dependency to 3.8.5, the first aiohttp release that fixes an HTTP request smuggling vulnerability (CVE-2023-37276). The CVE is in aiohttp's own HTTP server request parser, not in line-bot-sdk code; line-bot-sdk is listed because releases before 3.2.0 bring in a vulnerable aiohttp as a transitive dependency. Upgrading the SDK removes the exposure only if the resolver actually moves aiohttp to 3.8.5 or later, so a separately pinned or otherwise constrained aiohttp below 3.8.5 stays vulnerable: check the resolved aiohttp version, not just the SDK version.
https://github.com/line/line-bot-sdk-python/pull/491
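The practical check behind this advisory is on the resolved aiohttp version, not only on the line-bot-sdk version. The following is an added example, not code from line-bot-sdk or from Safety: it audits a pip-freeze style lock (and, optionally, the running interpreter's site-packages via importlib.metadata) against the first fixed versions named on this page, 3.8.5 for aiohttp and 3.2.0 for line-bot-sdk. The sample lock text is constructed, and the version comparison handles only dotted-numeric final releases (pre-release tags are ignored), which is an assumption of the example.

```python
"""Audit a pip-freeze style lock for the vulnerable aiohttp range behind CVE-2023-37276.

Added example (not line-bot-sdk or Safety code). The first fixed versions below
are taken from the advisory on this page; the sample lock text is constructed.
Only final releases in dotted-numeric form (e.g. 3.8.4) are handled; pre-release
suffixes are ignored for the comparison, a deliberate simplification.
"""
import re
from importlib import metadata

# Package -> first fixed version, per the advisory above.
FIXED_VERSIONS = {
    "aiohttp": "3.8.5",       # CVE-2023-37276 is fixed in aiohttp 3.8.5
    "line-bot-sdk": "3.2.0",  # first line-bot-sdk release requiring aiohttp 3.8.5
}

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_tuple(version: str) -> tuple:
    """Numeric release segments of a version string, e.g. '3.8.4' -> (3, 8, 4).

    Anything after the first non-numeric, non-dot character (pre-release or local
    tags) is dropped, so '3.8.5rc1' compares like '3.8.5' (assumption noted above).
    """
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_lt(a: str, b: str) -> bool:
    """True if release a < release b; shorter tuples are zero-padded (3.8 == 3.8.0)."""
    ta, tb = release_tuple(a), release_tuple(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def parse_freeze(text: str) -> dict:
    """Map normalized package name -> pinned version for each 'name==version' line."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _PIN.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def audit(pins: dict, fixed: dict = FIXED_VERSIONS) -> list:
    """Return (package, pinned, first_fixed) for every pinned package below its fix."""
    findings = []
    for name, first_fixed in fixed.items():
        pinned = pins.get(normalize_name(name))
        if pinned is not None and version_lt(pinned, first_fixed):
            findings.append((name, pinned, first_fixed))
    return findings


def audit_freeze_text(text: str) -> list:
    """Convenience wrapper: parse a freeze/lock text and audit it."""
    return audit(parse_freeze(text))


def audit_installed() -> list:
    """Same check against the interpreter's own site-packages (packages may be absent)."""
    pins = {}
    for name in FIXED_VERSIONS:
        try:
            pins[normalize_name(name)] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return audit(pins)


# Constructed sample: an app that upgraded line-bot-sdk but kept an old aiohttp pin,
# e.g. because aiohttp was pinned separately or the lock was regenerated with --no-deps.
SAMPLE_LOCK = """\
line-bot-sdk==3.2.0
aiohttp==3.8.4   # transitive dependency, still in the vulnerable range
aiosignal==1.3.1
"""

if __name__ == "__main__":
    for pkg, pinned, first_fixed in audit_freeze_text(SAMPLE_LOCK):
        print(f"{pkg}=={pinned} is below the first fixed version {first_fixed}")
    print("installed environment:", audit_installed() or "no vulnerable pins found")
```

The sample lock is the case that matters: the SDK pin is already at 3.2.0, yet the audit still flags aiohttp 3.8.4, which is exactly what a check keyed only on the line-bot-sdk version would miss.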

Affected package

line-bot-sdk

Latest version: 3.11.0

LINE Messaging API SDK for Python

Affected versions

<3.2.0

Fixed versions

3.2.0

Vulnerability changelog

What's Changed
* Replace old liff functions with new ones and keep backward compatibility by Yang-33 in https://github.com/line/line-bot-sdk-python/pull/486
- Some Liff function names are deprecated. Please use new ones defined in https://github.com/line/line-openapi/pull/26.
* Bump version to 3.2.0 by github-actions in https://github.com/line/line-bot-sdk-python/pull/500
- Apply https://github.com/line/line-openapi/pull/28 to code, for fixing https://github.com/line/line-bot-sdk-python/issues/498

Others
* chore(deps): update dependency org.apache.maven.plugins:maven-surefire-plugin to v3 by renovate in https://github.com/line/line-bot-sdk-python/pull/464
* chore(deps): update dependency black to v23.7.0 by renovate in https://github.com/line/line-bot-sdk-python/pull/483
* chore(deps): update line-openapi digest to db2f30d by renovate in https://github.com/line/line-bot-sdk-python/pull/485
* chore(deps): update dependency aiohttp to v3.8.5 [security] by renovate in https://github.com/line/line-bot-sdk-python/pull/491
* Drop python 3.7's CI since it's EOL. by tokuhirom in https://github.com/line/line-bot-sdk-python/pull/495
* drop python 3.7 support by tokuhirom in https://github.com/line/line-bot-sdk-python/pull/494
* chore(deps): update dependency black to v23.7.0 by renovate in https://github.com/line/line-bot-sdk-python/pull/492
* update pydantic from v1 to v2. by tokuhirom in https://github.com/line/line-bot-sdk-python/pull/497
* chore(deps): update line-openapi digest to 5c1f76e by renovate in https://github.com/line/line-bot-sdk-python/pull/501


**Full Changelog**: https://github.com/line/line-bot-sdk-python/compare/3.1.0...3.2.0


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
HIGH
Availability Impact (A)
NONE