This email announces that the llhttp package in EPEL9 will be upgraded from 6.0.10 to 8.1.1[1], which breaks the ABI and bumps the SONAME version, as discussed[2] and approved[3] under the EPEL Incompatible Upgrades Policy[4]. At the same time, python-aiohttp will be upgraded from 3.8.4 to 3.8.5. Currently, only python-aiohttp depends on the llhttp package in EPEL9. This update fixes CVE-2023-30589[5].

Users of the python-aiohttp package, or of the various packages that depend on it, will benefit from this security fix but should not expect any incompatibilities or performance regressions.

In the unlikely case that you are maintaining software that depends directly on the llhttp package, you will need to rebuild it due to the SONAME version bump. Breaking changes from 6.0.10 to 8.1.1 include a couple of HTTP parsing changes (“do not allow whitespaces after start line,” “require semicolon to start chunk parameters”) and one API change (“rename status code 509”). Most programs will not require source code changes.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81

[2] https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org/thread/DLJ4ILU6QHXN2YYHTHNTAF2ED6YRP23H/

[3] https://pagure.io/epel/issue/241

[4] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/#process_for_incompatible_upgrades

[5] https://access.redhat.com/security/cve/CVE-2023-30589

[6] https://github.com/advisories/GHSA-cggh-pq45-6h9x

[7] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w