I just pushed this update to stable.
On 8/17/23 9:08 AM, Ben Beasley wrote:
This email announces that the llhttp package in EPEL9 will be upgraded
from 6.0.10 to 8.1.1[1], which breaks the ABI and bumps the SONAME
version, as discussed[2] and approved[3] under the EPEL Incompatible
Upgrades Policy[4]. At the same time, python-aiohttp will be upgraded
from 3.8.4 to 3.8.5. Currently, only python-aiohttp depends on the
llhttp package in EPEL9. This update fixes CVE-2023-30589[5].
Users of the python-aiohttp package, or of the various packages that
depend on it, will benefit from this security fix but should not
expect any incompatibilities or performance regressions.
In the unlikely case that you are maintaining software that depends
directly on the llhttp package, you will need to rebuild it due to the
SONAME version bump. Breaking changes from 6.0.10 to 8.1.1 include a
couple of HTTP parsing changes (“do not allow whitespaces after start
line,” “require semicolon to start chunk parameters”) and one API
change (“rename status code 509”). Most programs will not require
source code changes.
[1] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81
[2] https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/DLJ4ILU6QHXN2YYHTHNTAF2ED6YRP23H/
[3] https://pagure.io/epel/issue/241
[4] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades
[5] https://access.redhat.com/security/cve/CVE-2023-30589
[4] https://github.com/advisories/GHSA-cggh-pq45-6h9x
[5] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
_______________________________________________
epel-announce mailing list -- epel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
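The announcement names two stricter parsing rules in llhttp 8.x ("do not allow whitespaces after start line", "require semicolon to start chunk parameters") as the changes most likely to affect software that talks to the upgraded parser. The following is an added example, not code from the announcement, from llhttp or from aiohttp: a small stand-alone validator that applies only those two rules to a raw HTTP/1.1 request, so a maintainer can run the messages their own client or test suite emits through it and see which ones a stricter parser would now reject. The regular expressions, function names and sample messages are all constructed for this example; they are a simplified model of the quoted rules, not llhttp's implementation.

```python
"""Added example: check raw HTTP/1.1 requests against the two stricter
llhttp 8.x rules named in the announcement. All names, patterns and
sample messages are constructed for illustration, not llhttp's code."""
import re

# 'token' characters (RFC 9110 style), used for methods and chunk-ext names.
TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# request-line: method SP target SP HTTP-version, with nothing after it.
START_LINE = re.compile(rf"^{TCHAR} \S+ HTTP/\d\.\d$")
# chunk-size line: hex digits, then zero or more extensions, each starting ';'.
CHUNK_SIZE_LINE = re.compile(
    rf"^[0-9A-Fa-f]+(;{TCHAR}(=(?:{TCHAR}|\"[^\"]*\"))?)*$"
)


def check_start_line(line: str) -> tuple[bool, str]:
    """Rule 1: no whitespace after the start line. Returns (ok, reason)."""
    if line != line.rstrip(" \t"):
        return False, "whitespace after start line"
    if not START_LINE.match(line):
        return False, "malformed start line"
    return True, ""


def check_chunk_size_line(line: str) -> tuple[bool, str]:
    """Rule 2: chunk parameters (chunk-ext) must begin with ';'."""
    if CHUNK_SIZE_LINE.match(line):
        return True, ""
    if re.match(r"^[0-9A-Fa-f]+", line):
        return False, "chunk parameters must start with ';'"
    return False, "malformed chunk size"


def check_message(raw: bytes) -> list[str]:
    """Apply both rules to one raw request; return a list of problems."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    problems = []

    ok, why = check_start_line(lines[0])
    if not ok:
        problems.append(f"start line: {why}")

    headers = {
        k.strip().lower(): v.strip()
        for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)
    }
    if headers.get("transfer-encoding", "").lower() == "chunked":
        # Walk only the chunk-size lines; chunk data itself is skipped.
        pos = 0
        while True:
            end = body.find("\r\n", pos)
            if end < 0:
                problems.append("chunked body: missing CRLF after chunk size")
                break
            size_line = body[pos:end]
            ok, why = check_chunk_size_line(size_line)
            if not ok:
                problems.append(f"chunk size line {size_line!r}: {why}")
                break
            size = int(size_line.split(";", 1)[0], 16)
            if size == 0:
                break  # last-chunk reached
            data_end = end + 2 + size
            if body[data_end:data_end + 2] != "\r\n":
                problems.append("chunked body: chunk data not followed by CRLF")
                break
            pos = data_end + 2
    return problems


# Constructed sample requests (not real traffic).
GOOD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5;ext=1\r\nhello\r\n0\r\n\r\n")
TRAILING_WS = b"GET / HTTP/1.1 \r\nHost: example.test\r\n\r\n"
BAD_CHUNK = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n5 ext=1\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("TRAILING_WS", TRAILING_WS),
                      ("BAD_CHUNK", BAD_CHUNK)]:
        print(name, check_message(msg) or "ok")
```

The validator stops at the first bad chunk-size line, which mirrors how a strict parser aborts the message rather than guessing where the next chunk starts; a client whose messages trip either check here is one that would need attention when the upgraded llhttp is on the receiving end.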