Re: Incompatible security update for llhttp in EPEL9

I just pushed this update to stable.

On 8/17/23 9:08 AM, Ben Beasley wrote:
This email announces that the llhttp package in EPEL9 will be upgraded from 6.0.10 to 8.1.1[1], which breaks the ABI and bumps the SONAME version, as discussed[2] and approved[3] under the EPEL Incompatible Upgrades Policy[4]. At the same time, python-aiohttp will be upgraded from 3.8.4 to 3.8.5. Currently, only python-aiohttp depends on the llhttp package in EPEL9. This update fixes CVE-2023-30589[5].

Users of the python-aiohttp package, or of the various packages that depend on it, will benefit from this security fix but should not expect any incompatibilities or performance regressions.

In the unlikely case that you are maintaining software that depends directly on the llhttp package, you will need to rebuild it due to the SONAME version bump. Breaking changes from 6.0.10 to 8.1.1 include a couple of HTTP parsing changes (“do not allow whitespaces after start line,” “require semicolon to start chunk parameters”) and one API change (“rename status code 509”). Most programs will not require source code changes.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81

[2] https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/DLJ4ILU6QHXN2YYHTHNTAF2ED6YRP23H/

[3] https://pagure.io/epel/issue/241

[4] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades

[5] https://access.redhat.com/security/cve/CVE-2023-30589

[6] https://github.com/advisories/GHSA-cggh-pq45-6h9x

[7] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w

_______________________________________________
epel-announce mailing list -- epel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
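The announcement says that anything linking directly against llhttp must be rebuilt after the SONAME bump, because a binary still carrying the old DT_NEEDED entry will fail to load once the old library is gone. The script below is an added example, not part of the announcement or of the EPEL packaging: it reads `readelf -d` output and reports any libllhttp SONAME other than the one the updated package is assumed to ship. The SONAME string `libllhttp.so.8` is an assumption (the announcement does not state it); override it with the `NEW_SONAME` environment variable after checking the installed package.

```shell
#!/bin/sh
# Added example: find ELF objects still linked against a pre-upgrade
# libllhttp SONAME. NEW_SONAME is an assumed value, not taken from the
# announcement; set it to whatever `rpm -ql llhttp` shows on your system.
NEW_SONAME="${NEW_SONAME:-libllhttp.so.8}"

# stale_needed: read `readelf -d` output on stdin and print every NEEDED
# libllhttp entry that differs from NEW_SONAME.
# Exit status 0 when at least one stale entry was found, 1 otherwise.
stale_needed() {
    awk -v new="$NEW_SONAME" '
        /\(NEEDED\)/ && /libllhttp\.so/ {
            lib = $NF
            gsub(/[][]/, "", lib)        # strip the [ ] readelf prints
            if (lib != new) { print lib; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# scan_tree DIR: run readelf over shared objects and executables under DIR
# and print "<path>: <stale soname>" for each object that needs a rebuild.
scan_tree() {
    find "$1" -type f \( -name '*.so*' -o -perm -u+x \) 2>/dev/null |
    while IFS= read -r f; do
        if stale=$(readelf -d "$f" 2>/dev/null | stale_needed); then
            printf '%s: %s\n' "$f" "$stale"
        fi
    done
}

# Usage: ./check-llhttp-soname.sh /usr/lib64   (scans nothing when run without arguments)
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

On an RPM system the package database gives a quicker first answer: `rpm -q --whatrequires 'libllhttp.so.6()(64bit)'` lists packages that declared a dependency on the old library (again assuming the old SONAME was `libllhttp.so.6`), while the `readelf` scan above also catches locally built software that RPM knows nothing about.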
