I just pushed this update to stable.
On 8/17/23 9:08 AM, Ben Beasley wrote:
> This email announces that the llhttp package in EPEL9 will be upgraded
> from 6.0.10 to 8.1.1[1], which breaks the ABI and bumps the SONAME
> version, as discussed[2] and approved[3] under the EPEL Incompatible
> Upgrades Policy[4]. At the same time, python-aiohttp will be upgraded
> from 3.8.4 to 3.8.5. Currently, only python-aiohttp depends on the
> llhttp package in EPEL9. This update fixes CVE-2023-30589[5].
>
> Users of the python-aiohttp package, or of the various packages that
> depend on it, will benefit from this security fix but should not
> expect any incompatibilities or performance regressions.
>
> In the unlikely case that you are maintaining software that depends
> directly on the llhttp package, you will need to rebuild it due to the
> SONAME version bump. Breaking changes from 6.0.10 to 8.1.1 include a
> couple of HTTP parsing changes (“do not allow whitespaces after start
> line,” “require semicolon to start chunk parameters”) and one API
> change (“rename status code 509”). Most programs will not require
> source code changes.
>
> [1] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81
> [2] https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproj...
> [3] https://pagure.io/epel/issue/241
> [4] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrad...
> [5] https://access.redhat.com/security/cve/CVE-2023-30589
>     https://github.com/advisories/GHSA-cggh-pq45-6h9x
>     https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
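The two parsing changes named in the announcement ("do not allow whitespaces after start line" and "require semicolon to start chunk parameters") are the ones most likely to surface as rejected requests after the upgrade, so it is worth checking in advance whether any client or proxy in front of an aiohttp service emits those lenient forms. The checker below is an added example written for this thread; it is not code from the announcement, from Fedora, or from llhttp. It applies the RFC 9112 grammar for the request line and the chunk-size line, and the exact boundary it draws (trailing SP/HTAB on the start line is rejected; a chunk-size line may carry optional whitespace before the ';' that opens the extensions, but anything else after the hex size is rejected) is my reading of the two changelog entries rather than llhttp's own state machine. The sample requests are constructed, not captured traffic.

```python
"""
Pre-upgrade check for the two llhttp 8.x parsing changes named in the EPEL9
announcement. Added example, not llhttp or Fedora code; the grammar follows
RFC 9112 and is an assumption about what the changelog entries reject.
"""
import re
from typing import List

CRLF = b"\r\n"
# token SP request-target SP HTTP-version, with nothing after the version.
REQUEST_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP/[0-9]\.[0-9]$")
# chunk-size = 1*HEXDIG; whatever follows is chunk-ext and must open with ';'.
CHUNK_SIZE = re.compile(rb"^([0-9A-Fa-f]+)(.*)$")


def check_start_line(line: bytes) -> List[str]:
    """Findings for one request line (CRLF already stripped)."""
    findings = []
    stripped = line.rstrip(b" \t")
    if stripped != line:
        findings.append("whitespace after start line")
    if not REQUEST_LINE.match(stripped):
        findings.append("malformed request line")
    return findings


def check_chunk_size_line(line: bytes) -> List[str]:
    """Findings for one chunk-size line (CRLF already stripped)."""
    m = CHUNK_SIZE.match(line)
    if not m:
        return ["chunk size is not hexadecimal"]
    rest = m.group(2)
    # Assumption: optional whitespace (RFC 9112 BWS) before ';' is tolerated;
    # anything else after the size, e.g. b"5 name=v", is a parameter without ';'.
    if rest and not rest.lstrip(b" \t").startswith(b";"):
        return ["chunk parameters must start with ';'"]
    return []


def check_request(raw: bytes) -> List[str]:
    """Run both checks over one complete raw HTTP/1.1 request."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        return ["incomplete header block"]
    lines = head.split(CRLF)
    findings = check_start_line(lines[0])
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") != b"chunked":
        return findings
    # Walk the chunked body: size line, data, CRLF, until the zero-size chunk.
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            findings.append("truncated chunked body")
            break
        size_line = body[pos:end]
        findings += check_chunk_size_line(size_line)
        m = CHUNK_SIZE.match(size_line)
        if not m:
            break
        size = int(m.group(1), 16)
        pos = end + 2 + size + 2  # skip the chunk data and its trailing CRLF
        if size == 0:
            break
    return findings


# Constructed samples (not captured traffic).
GOOD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5;name=v\r\nhello\r\n0\r\n\r\n")
TRAILING_SPACE = b"GET / HTTP/1.1 \r\nHost: example.test\r\n\r\n"
BAD_CHUNK_EXT = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n5 name=v\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("trailing-space", TRAILING_SPACE),
                          ("chunk-ext", BAD_CHUNK_EXT)]:
        print(label, check_request(sample) or "accepted")
```

Feed it raw requests captured from the clients and proxies that actually talk to the service; anything it flags is traffic whose producer needs fixing before, not after, the llhttp 8 package lands, since the announcement notes that aiohttp consumers will otherwise see no behavioural change.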