[EPEL-devel] Incompatible update of llhttp from 9.1.3 to 9.2.1 in EPEL9

[Ben Beasley]

I have just submitted for testing 
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-ce142428af, 
which updates llhttp in EPEL9 from 9.1.3 to 9.2.1 and fixes 
CVE-2024-27982[1], an HTTP request smuggling vulnerability. Version 
9.2.0 also included a number of bug fixes[2]. This is an 
ABI-incompatible update, and the SONAME version changes.

Because the EPEL Steering Committee has previously approved a permanent 
exception for incompatible upgrades of llhttp, I have bypassed the usual 
proposal and discussion of this update on the epel-devel mailing list. 
However, I am following the other parts of the incompatible updates 
process: this announcement, at least one week in testing with auto-push 
disabled, and a follow-up announcement on this list once I have pushed 
the update to stable.

The only package in EPEL9 that uses llhttp is python-aiohttp; the update 
also backports support for llhttp 9.2.1 to the current aiohttp release, 
3.9.3. I expect that the aiohttp project will soon release a compatible 
patch release 3.9.4 that directly supports llhttp 9.2.1.

If you have software not packaged in EPEL9 that depends directly on 
llhttp, you will need to rebuild it due to the ABI changes. It is 
possible that source code changes may be required if (like 
python-aiohttp) you use almost the entire API of llhttp, or if you have 
very thorough tests that reveal small changes in llhttp’s behavior. 
Straightforward uses of llhttp are very likely to recompile without 
modification.

I have no plans to attempt a build of llhttp or any update of 
python-aiohttp in EPEL8.

[1] 
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#http-request-smuggling-via-content-length-obfuscation---cve-2024-27982---medium

[2] https://github.com/nodejs/llhttp/releases/tag/release%2Fv9.2.0
--
_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue