I have just submitted for testing https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-4b1b8b8b25, which updates llhttp from 8.1.1 to 9.1.3 in EPEL9. This is an ABI-incompatible update, and the SONAME version changes. There are also some minor API changes.
The only package in EPEL9 that uses llhttp is python-aiohttp, and the update also compatibly updates it from 3.8.5 to its latest release, 3.9.1.
Together, these updates fix a number of security issues, including CVE-2023-47627, CVE-2023-49081, and CVE-2023-49082.
A COPR impact check in https://copr.fedorainfracloud.org/coprs/music/aiohttp-epel9/ indicates there should be no impact on any dependent packages in EPEL9.
If you have software not packaged in EPEL9 that depends directly on llhttp, you will need to rebuild it due to the ABI changes. It is possible that source code changes may be required if (like python-aiohttp) you use almost the entire API of llhttp, or if you have very thorough tests that reveal small changes in llhttp’s behavior. Straightforward uses of llhttp are likely to recompile without modification.
If you have software not packaged in EPEL9 that depends directly on python-aiohttp, you should not need to do anything, but you might choose to review the changelogs for releases 3.8.6, 3.9.0, and 3.9.1 here for full details on the changes included in this update: https://github.com/aio-libs/aiohttp/blob/v3.9.1/CHANGES.rst#391-2023-11-26
I have no plans to attempt a build of llhttp or any update of python-aiohttp in EPEL8.
This is an incompatible update under the EPEL Incompatible Upgrades Policy, https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/. It was approved by the EPEL Steering Committee: https://pagure.io/epel/issue/262.
I have pushed this update to stable.
This is the final announcement prescribed by the EPEL Incompatible Upgrades Policy, https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
On 12/13/23 08:43, Ben Beasley wrote:
I have just submitted for testing https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-ce142428af, which updates llhttp in EPEL9 from 9.1.3 to 9.2.1 and fixes CVE-2024-27982[1], an HTTP request smuggling vulnerability. Version 9.2.0 also included a number of bug fixes[2]. This is an ABI-incompatible update, and the SONAME version changes.
Because the EPEL Steering Committee has previously approved a permanent exception for incompatible upgrades of llhttp, I have bypassed the usual proposal and discussion of this update on the epel-devel mailing list. However, I am following the other parts of the incompatible updates process: this announcement, at least one week in testing with auto-push disabled, and a follow-up announcement on this list once I have pushed the update to stable.
The only package in EPEL9 that uses llhttp is python-aiohttp; the update also backports support for llhttp 9.2.1 to the current aiohttp release, 3.9.3. I expect that the aiohttp project will soon release a compatible patch release 3.9.4 that directly supports llhttp 9.2.1.
If you have software not packaged in EPEL9 that depends directly on llhttp, you will need to rebuild it due to the ABI changes. It is possible that source code changes may be required if (like python-aiohttp) you use almost the entire API of llhttp, or if you have very thorough tests that reveal small changes in llhttp’s behavior. Straightforward uses of llhttp are very likely to recompile without modification.
I have no plans to attempt a build of llhttp or any update of python-aiohttp in EPEL8.
[1] https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/#http-...
[2] https://github.com/nodejs/llhttp/releases/tag/release%2Fv9.2.0
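For the rebuild advice above (and the same advice in the December announcement), an added example that is not part of this announcement or of the llhttp project: a POSIX shell check that flags ELF files still linking an llhttp SONAME that is no longer installed after an ABI-incompatible update. The SONAME strings libllhttp.so.OLD and libllhttp.so.NEW are constructed placeholders, and scan_dir assumes binutils' readelf is available.

```shell
#!/bin/sh
# Added example: detect locally built binaries that still need an old
# llhttp SONAME. NEEDED entries are parsed from `readelf -d` output.

# installed_sonames [libdir]: print the libllhttp SONAMEs present on disk.
installed_sonames() {
    dir="${1:-/usr/lib64}"
    for f in "$dir"/libllhttp.so.*; do
        [ -e "$f" ] || continue
        basename "$f"
    done
}

# stale_needed <readelf -d output> <installed SONAMEs, one per line>
# Prints every NEEDED libllhttp SONAME that is not installed; returns 1 if
# any were found (the binary must be rebuilt), 0 otherwise.
stale_needed() {
    needed=$(printf '%s\n' "$1" |
        sed -n 's/.*(NEEDED).*\[\(libllhttp\.so[^]]*\)\].*/\1/p')
    rc=0
    for so in $needed; do
        if ! printf '%s\n' "$2" | grep -qxF "$so"; then
            echo "$so"
            rc=1
        fi
    done
    return $rc
}

# scan_dir <dir>: run readelf over each file and report stale linkage.
scan_dir() {
    installed=$(installed_sonames)
    for bin in "$1"/*; do
        [ -f "$bin" ] || continue
        out=$(readelf -d "$bin" 2>/dev/null) || continue
        stale=$(stale_needed "$out" "$installed") ||
            echo "$bin needs rebuild (missing: $stale)"
    done
}

# Constructed sample readelf output (placeholder SONAMEs, not real ones).
SAMPLE_OLD=' 0x0000000000000001 (NEEDED)  Shared library: [libllhttp.so.OLD]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
SAMPLE_NEW=' 0x0000000000000001 (NEEDED)  Shared library: [libllhttp.so.NEW]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

# Usage on a real tree: scan_dir /usr/local/bin
```

Run scan_dir against the directory where your out-of-EPEL binaries live after installing the update; any file it reports must be recompiled against the new llhttp.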
I have pushed this update to stable.
On 4/11/24 8:18 PM, Ben Beasley wrote: