I am performing an incompatible upgrade of the caddy package in EPEL
9. In accordance with the incompatible upgrade policy [0], I proposed
this upgrade just over a week ago on the epel-devel mailing list [1].
For reasons detailed in the previous email, it is no longer possible
to update the package at the current version, preventing me from
resolving known CVEs. Today the EPEL Steering Committee voted to
approve this upgrade [2].
This upgrade will take the package from version 2.4.6 to 2.6.4. This
includes a few backwards-incompatible changes. I believe these
changes are on the milder side, and most users shouldn't notice a
difference. Here are the most notable removals/changes:
- Reverse proxy: Incoming X-Forwarded-* headers will no longer be
automatically trusted, to prevent spoofing.
- Logging: Removed the deprecated common_log field from HTTP access
logs, and the single_field encoder.
- Logging: The remote_addr field has been replaced by remote_ip and
remote_port fields in HTTP access logs, which split up the two parts
of the remote address.
- Caddyfile: The reverse_proxy directive's handle_response
subdirective has had its status replacement functionality moved to a
new replace_status subdirective.
There are also a few additional changes to features labeled as
experimental, and some deprecations (not yet removed). For a full
list, see the upstream release notes [3][4].
If you are able, please test and provide karma for the update [5].
[0] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
[1] https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraprojec…
[2] https://meetbot.fedoraproject.org/fedora-meeting/2023-08-23/epel.2023-08-23…
[3] https://github.com/caddyserver/caddy/releases/tag/v2.5.0
[4] https://github.com/caddyserver/caddy/releases/tag/v2.6.0
[5] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-8849a14e7f
--
Carl George
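
Added example, not part of the original message or the caddy project: a log-parsing helper that accepts both the old remote_addr field and the new remote_ip/remote_port fields, so per-client counting and detection rules keep working across the 2.4.6 to 2.6.4 upgrade. The sample lines are constructed, and the placement of these fields under a "request" object is an assumption.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample access-log lines (not taken from a real server).
# Assumption: the client address fields sit under the "request" object.
SAMPLE_LINES = [
    # caddy 2.4.x style: combined remote_addr
    '{"logger":"http.log.access","request":{"remote_addr":"198.51.100.23:40112","uri":"/"},"status":200}',
    '{"logger":"http.log.access","request":{"remote_addr":"[2001:db8::7]:51514","uri":"/"},"status":404}',
    # caddy 2.6.x style: split remote_ip / remote_port
    '{"logger":"http.log.access","request":{"remote_ip":"198.51.100.23","remote_port":"40114","uri":"/"},"status":200}',
    '{"logger":"http.log.access","request":{"remote_ip":"2001:db8:0:0::7","remote_port":"51520","uri":"/"},"status":404}',
]


def split_remote_addr(addr):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port) strings."""
    if addr.startswith("["):
        host, _, port = addr[1:].partition("]:")
    else:
        host, _, port = addr.rpartition(":")
    return host, port


def client_of(line):
    """Return (canonical_ip, port, schema) for one JSON access-log line."""
    req = json.loads(line).get("request", {})
    if "remote_ip" in req:
        ip, port, schema = req["remote_ip"], str(req.get("remote_port", "")), "split"
    elif "remote_addr" in req:
        ip, port = split_remote_addr(req["remote_addr"])
        schema = "legacy"
    else:
        raise ValueError("no client address field in log entry")
    # ip_address() rejects garbage and canonicalises IPv6 spellings.
    return str(ipaddress.ip_address(ip)), port, schema


def requests_per_client(lines):
    """Count requests per client IP across both log schemas."""
    return Counter(client_of(line)[0] for line in lines)


if __name__ == "__main__":
    for ip, count in requests_per_client(SAMPLE_LINES).items():
        print(ip, count)
```
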
I am retiring the caddy package from EPEL 7. In accordance with the
retirement policy [0], I proposed this retirement just over a week ago
on the epel-devel mailing list [1]. For reasons detailed in the
previous email, it is no longer possible to update the package with
the same major version, preventing me from resolving known CVEs.
Doing an incompatible update to the next major version is not an
appealing option with only ten months left until the retirement of
EPEL 7 as a whole.
Users that wish to keep using caddy on RHEL 7 can use the Copr repo
from the upstream project [2][3]. Caddy is also available from EPEL 8
and EPEL 9 for users that are ready to migrate to a newer operating
system version. Both of these options will involve the disruptive
update from caddy v1 to v2, but users can opt in to it at their own
pace. The upstream project has a migration guide in their
documentation to help [4].
[0] https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_s…
[1] https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraprojec…
[2] https://caddyserver.com/docs/install#fedora-redhat-centos
[3] https://copr.fedorainfracloud.org/coprs/g/caddy/caddy/
[4] https://caddyserver.com/docs/v2-upgrade
--
Carl George