I just pushed this update to stable.
On 8/17/23 9:08 AM, Ben Beasley wrote:
> This email announces that the llhttp package in EPEL9 will be upgraded
> from 6.0.10 to 8.1.1, which breaks the ABI and bumps the SONAME
> version, as discussed and approved under the EPEL Incompatible
> Upgrades Policy. At the same time, python-aiohttp will be upgraded
> from 3.8.4 to 3.8.5. Currently, only python-aiohttp depends on the
> llhttp package in EPEL9. This update fixes CVE-2023-30589.
> Users of the python-aiohttp package, or of the various packages that
> depend on it, will benefit from this security fix but should not
> expect any incompatibilities or performance regressions.
> In the unlikely case that you are maintaining software that depends
> directly on the llhttp package, you will need to rebuild it due to the
> SONAME version bump. Breaking changes from 6.0.10 to 8.1.1 include a
> couple of HTTP parsing changes (“do not allow whitespaces after start
> line,” “require semicolon to start chunk parameters”) and one API
> change (“rename status code 509”). Most programs will not require
> source code changes.
>  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81
>  https://pagure.io/epel/issue/241
>  https://access.redhat.com/security/cve/CVE-2023-30589
>  https://github.com/advisories/GHSA-cggh-pq45-6h9x
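The rebuild caveat in the announcement (anything linked directly against the old llhttp library must be rebuilt after the SONAME bump) can be checked on a host with the shell snippet below. It is an added example written for this page, not code from either message, the llhttp project or EPEL. It assumes the old SONAME is libllhttp.so.6 and the new one libllhttp.so.8 (the announcement gives only the package versions 6.0.10 and 8.1.1), and the `readelf -d` output it parses is constructed so the snippet runs without touching real binaries.

```shell
#!/bin/sh
# Added example: find binaries still linked against the pre-upgrade llhttp
# SONAME so they can be rebuilt. Not from the announcement; the SONAMEs used
# here are assumptions (the message gives only package versions 6.0.10 -> 8.1.1).
OLD_SONAME="libllhttp.so.6"   # assumed SONAME shipped by llhttp 6.0.10

# llhttp_needed: read `readelf -d` output on stdin and print every llhttp
# SONAME the binary's dynamic section requests (its DT_NEEDED entries).
llhttp_needed() {
    sed -n 's/.*(NEEDED).*Shared library: \[\(libllhttp\.so\.[0-9]*\)].*/\1/p'
}

# needs_rebuild: succeed (exit 0) if the readelf output on stdin still names
# the old SONAME, i.e. the binary must be rebuilt against the new llhttp.
needs_rebuild() {
    llhttp_needed | grep -qx "$OLD_SONAME"
}

# Constructed sample `readelf -d` output for a binary built against llhttp 6.
SAMPLE_OLD='Dynamic section at offset 0x2d90 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libllhttp.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Constructed sample for the same binary after a rebuild against llhttp 8
# (libllhttp.so.8 is an assumed SONAME, see above).
SAMPLE_NEW='Dynamic section at offset 0x2d90 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libllhttp.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Demo on the constructed samples only (no real binaries are read).
for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    linked=$(printf '%s\n' "$sample" | llhttp_needed)
    if printf '%s\n' "$sample" | needs_rebuild; then
        echo "links $linked: rebuild required"
    else
        echo "links $linked: OK"
    fi
done

# On a real EPEL9 host the same check runs against installed packages and
# files (not executed here):
#   rpm -q --whatrequires "${OLD_SONAME}()(64bit)"    # packages still requiring the old library
#   readelf -d /path/to/binary-or-module.so | llhttp_needed
```

The `rpm -q --whatrequires` query is the quickest inventory of packaged dependents; the `readelf` path catches locally built binaries and Python extension modules that rpm does not know about.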