I have pushed this update to stable.
On 4/11/24 8:18 PM, Ben Beasley wrote:
I have just submitted for testing
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-ce142428af,
which updates llhttp in EPEL9 from 9.1.3 to 9.2.1 and fixes
CVE-2024-27982[1], an HTTP request smuggling vulnerability. Version
9.2.0 also included a number of bug fixes[2]. This is an
ABI-incompatible update, and the SONAME version changes.
Because the EPEL Steering Committee has previously approved a
permanent exception for incompatible upgrades of llhttp, I have
bypassed the usual proposal and discussion of this update on the
epel-devel mailing list. However, I am following the other parts of
the incompatible updates process: this announcement, at least one week
in testing with auto-push disabled, and a follow-up announcement on
this list once I have pushed the update to stable.
The only package in EPEL9 that uses llhttp is python-aiohttp; the
update also backports support for llhttp 9.2.1 to the current aiohttp
release, 3.9.3. I expect that the aiohttp project will soon release a
compatible patch release 3.9.4 that directly supports llhttp 9.2.1.
If you have software not packaged in EPEL9 that depends directly on
llhttp, you will need to rebuild it due to the ABI changes. It is
possible that source code changes may be required if (like
python-aiohttp) you use almost the entire API of llhttp, or if you
have very thorough tests that reveal small changes in llhttp’s
behavior. Straightforward uses of llhttp are very likely to recompile
without modification.
I have no plans to attempt a build of llhttp or any update of
python-aiohttp in EPEL8.
[1] https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#http-request-smuggling-via-content-length-obfuscation---cve-2024-27982---medium
[2] https://github.com/nodejs/llhttp/releases/tag/release%2Fv9.2.0
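As an added illustration (not part of either message above, and not llhttp or aiohttp code), the following Python shows the class of bug named in the CVE title: HTTP request smuggling via an obfuscated Content-Length field. The obfuscation used here, a space between the field name and the colon ("Content-Length : 43"), is assumed for illustration only; nothing here claims it is the exact llhttp defect. The request bytes are constructed. Three parsing policies are applied to the same stream: a lenient parser that strips whitespace from the field name and so honours the length, an "ignore" parser that treats "Content-Length " as an unknown header and so sees no body, and a strict parser that rejects the message as RFC 9112 section 5.1 requires.

```python
"""HTTP request smuggling via Content-Length obfuscation (added illustration).

Three HTTP/1.1 parsing policies applied to the same byte stream:
  lenient - strips whitespace around the field name, so the obfuscated
            Content-Length is honoured and the claimed body is consumed;
  ignore  - keeps the raw name, so 'Content-Length ' is an unknown header
            and the message is treated as having no body;
  strict  - RFC 9112 section 5.1: whitespace between a field name and the
            colon means the request must be rejected (400 Bad Request).
A front end in 'lenient' mode forwarding to a back end in 'ignore' mode
sees one request while the back end sees two: the second is smuggled.
"""
import re
from dataclasses import dataclass

TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 9110 token characters
DIGITS = re.compile(r"[0-9]+")


class ParseError(ValueError):
    """Raised when a policy rejects the message (a strict server answers 400)."""


@dataclass
class Request:
    method: str
    target: str
    headers: dict
    body: bytes


def parse_one(buf: bytes, mode: str):
    """Parse one request from the front of buf under `mode`; return (req, rest)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ParseError("incomplete header block")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("ascii").partition(":")
        if not colon:
            raise ParseError("header line without a colon")
        if mode == "strict":
            # Any whitespace in the name (including before the colon) is fatal.
            if not TOKEN.fullmatch(name):
                raise ParseError("invalid field name %r" % name)
        elif mode == "lenient":
            name = name.strip()
        headers[name.lower()] = value.strip()
    length = 0
    if "content-length" in headers:
        cl = headers["content-length"]
        if not DIGITS.fullmatch(cl):
            raise ParseError("invalid Content-Length %r" % cl)
        length = int(cl)
    if len(rest) < length:
        raise ParseError("incomplete body")
    return Request(method, target, headers, rest[:length]), rest[length:]


def split_stream(raw: bytes, mode: str):
    """Split a byte stream into the requests a parser in `mode` would see."""
    reqs, buf = [], raw
    while buf:
        req, buf = parse_one(buf, mode)
        reqs.append(req)
    return reqs


def targets_seen(raw: bytes, mode: str):
    """Request targets a parser in `mode` sees, or 'rejected' if it refuses."""
    try:
        return [r.target for r in split_stream(raw, mode)]
    except ParseError:
        return "rejected"


# Constructed sample traffic (not a captured exploit): one POST whose
# obfuscated Content-Length claims exactly the bytes of a following GET.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
ATTACK = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length : " + str(len(SMUGGLED)).encode("ascii") + b"\r\n"
    b"\r\n" + SMUGGLED
)

if __name__ == "__main__":
    for mode in ("lenient", "ignore", "strict"):
        print(mode, targets_seen(ATTACK, mode))
```

The desync is the disagreement, not either policy on its own: a lenient front end reports one request (/search) while the ignore-style back end behind it reports two (/search and /admin), so the GET /admin reaches the back end without the front end ever having evaluated it. Only the strict policy closes the gap, which is why parser hardening of this kind often changes observable behaviour and can surface in thorough test suites, as the announcement warns.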
--
_______________________________________________
epel-announce mailing list -- epel-announce@xxxxxxxxxxxxxxxxxxxxxxx