FEDORA-2023-bc1f081ca0 — security update for llhttp, python-aiohttp, & 1 more

stable

llhttp-9.1.3-1.fc38, python-aiohttp-3.8.6-1.fc38, & 1 more

FEDORA-2023-bc1f081ca0 created by music 2 years ago for Fedora 38

Security fix for CVE-2023-47627

https://pagure.io/fesco/issue/3106

python-aiohttp 3.8.6 (2023-10-07)

https://github.com/aio-libs/aiohttp/blob/v3.8.6/CHANGES.rst#386-2023-10-07

Security bugfixes

Upgraded llhttp to v9.1.3: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
Updated Python parser to comply with RFCs 9110/9112: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Deprecation

Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use fallback_charset_resolver.

Features

Enabled lenient response parsing for more flexible parsing in the client (this should resolve some regressions when dealing with badly formatted HTTP responses).

Bugfixes

Fixed PermissionError when .netrc is unreadable due to permissions.
Fixed output of parsing errors pointing to a \n.
Fixed GunicornWebWorker max_requests_jitter not working.
Fixed sorting in filter_cookies to use cookie with longest path.
Fixed display of BadStatusLine messages from llhttp.

llhttp 9.1.3

Fixes

Restart the parser on HTTP 100
Fix chunk extensions quoted-string value parsing
Fix lenient_flags truncated on reset
Fix chunk extensions’ parameters parsing when more then one name-value pair provided

llhttp 9.1.2

What's Changed

Fix HTTP 1xx handling

llhttp 9.1.1

What's Changed

feat: Expose new lenient methods

llhttp 9.1.0

What's Changed

New lenient flag to make CR completely optional
New lenient flag to have spaces after chunk header

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2023-bc1f081ca0

This update's test gating status has been changed to 'waiting'.

2 years ago

This update has been submitted for testing by bodhi.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago

This update has been pushed to testing.

2 years ago

filiperosset commented & provided feedback 2 years ago

karma

no regressions noted

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago

Please log in to add feedback.

Metadata

Type

security

Severity

medium

Karma

Signed

Content Type

RPM

Test Gating

ignored

Autopush Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

7 days

Dates

submitted

2 years ago

in testing

2 years ago

in stable

2 years ago

approved

2 years ago

Builds

llhttp-9.1.3-1.fc38

python-aiohttp-3.8.6-1.fc38

uxplay-1.66-2.fc38

BZ#2228290 llhttp-9.0.1 is available

BZ#2238879 llhttp-9.1.2 is available

BZ#2242220 llhttp-9.1.3 is available

BZ#2249825 CVE-2023-47627 python-aiohttp: numerous issues in HTTP parser with header parsing

BZ#2250615 CVE-2023-47627 python-aiohttp: numerous issues in HTTP parser with header parsing [fedora-all]

llhttp-9.1.3-1.fc38

python-aiohttp-3.8.6-1.fc38

uxplay-1.66-2.fc38

Automated Test Results

ignored