Missing security advisories for release 3.8.6

[musicinmybrain]

Describe the bug

The release notes on https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6 reference security advisories GHSA-pjjw-qhg8-p2p9 and GHSA-gfw2-4jvh-wgfg, but neither seems to have been published.

To Reproduce

Visit https://github.com/aio-libs/aiohttp/releases/tag/v3.8.6 and follow links to security advisories.

Expected behavior

Links are valid.

Logs/tracebacks

N/A

Python Version

N/A

aiohttp Version

N/A

multidict Version

N/A

yarl Version

N/A

OS

N/A

Related component

Server, Client

Additional context

No response

Code of Conduct

• I agree to follow the aio-libs Code of Conduct

[Dreamsorcerer]

@webknjaz @kenballus

[kenballus]

Just added affected/unaffected versions to both advisories. I think that was the missing piece for disclosure.

[musicinmybrain]

I’ll keep an eye on it. At the moment, the links still give 404 errors.

[dirkmueller]

@kenballus can you please publish the advisories?

[kenballus]

I don't think I have permission to. @webknjaz @Dreamsorcerer

[Dreamsorcerer]

@webknjaz Do these look OK to publish now?

[Dreamsorcerer]

@kenballus Actually, they don't appear to have enough information.

[kenballus]

Sorry! was missing severity.

I just added "moderate" to both, so they should be good to go.

[webknjaz]

@Dreamsorcerer thanks for handling this! I emailed it to discuss this topic additionally.

[msmeissn]

one ofthe advisories has a CVE, the other one has not. can you allocate a CVE for the second GHSA-pjjw-qhg8-p2p9 ?

[webknjaz]

@Dreamsorcerer could you confirm receipt of my email?

@msmeissn I just requested a CVE from GitHub.

[webknjaz]

@msmeissn GH rejected the request with the following message:

GitHub cannot issue a CVE for this Security Advisory because it doesn't comply with one or more of the CVE rules. You can move forward in one of two ways:

• Review the counting rules and update your Security Advisory to meet the criteria specified in the rules.
  • Specifically for this advisory, make the following change(s):
  • Indicate what code in your project is vulnerable
• Publish your GitHub Security Advisory as-is.

Thank you for making the open source ecosystem more secure by fixing and responsibly disclosing this vulnerability.

@kenballus @Dreamsorcerer could you look into making the requested changes there?
Here's past examples of more comprehensive descriptions:

• GHSA-v6wp-4m6f-gcjg
• GHSA-45c4-8wx5-qw6w