This email announces that the llhttp package in EPEL9 will be upgraded from 6.0.10 to 8.1.1[1], which breaks the ABI and bumps the SONAME version, as discussed[2] and approved[3] under the EPEL Incompatible Upgrades Policy[4]. At the same time, python-aiohttp will be upgraded from 3.8.4 to 3.8.5. Currently, only python-aiohttp depends on the llhttp package in EPEL9. This update fixes CVE-2023-30589[5].
Users of the python-aiohttp package, or of the various packages that depend on it, will benefit from this security fix but should not expect any incompatibilities or performance regressions.
In the unlikely case that you are maintaining software that depends directly on the llhttp package, you will need to rebuild it due to the SONAME version bump. Breaking changes from 6.0.10 to 8.1.1 include a couple of HTTP parsing changes (“do not allow whitespaces after start line,” “require semicolon to start chunk parameters”) and one API change (“rename status code 509”). Most programs will not require source code changes.
[1] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81
[2] https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject...
[3] https://pagure.io/epel/issue/241
[4] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/...
[5] https://access.redhat.com/security/cve/CVE-2023-30589
[6] https://github.com/advisories/GHSA-cggh-pq45-6h9x
[7] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
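To make the two HTTP parsing changes named above concrete, the following is an added example (not llhttp's code, and not part of the announcement) of a small strict framing checker in Python. It mirrors the two rules in spirit only: a request line must not carry trailing whitespace, and anything following a chunk size must be introduced by a semicolon. The three request messages are constructed for the example; the function and message names are the example's own, and llhttp's real implementation is a generated state machine that differs in detail.

```python
"""Strict HTTP/1.1 framing checks illustrating two llhttp 6 -> 8 behaviour
changes: no whitespace after the start line, and chunk parameters must start
with ';'.  Added example; constructed inputs; not llhttp's own code."""
import re

# RFC 9112 request line: method SP request-target SP HTTP-version, nothing else.
REQUEST_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z]+ [^ \t]+ HTTP/1\.[01]$")
CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]+")


def check_chunked_body(body: bytes) -> list[str]:
    """Walk a chunked body and report framing problems as strings."""
    findings = []
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            findings.append("truncated chunk size line")
            return findings
        size_line = body[pos:eol]
        m = CHUNK_SIZE.match(size_line)
        if not m:
            findings.append("chunk size line does not start with hex size")
            return findings
        rest = size_line[m.end():]
        # Strict rule: whatever follows the hex size must begin with ';'.
        if rest and not rest.startswith(b";"):
            findings.append("chunk parameters not introduced by semicolon")
        size = int(m.group(0), 16)
        pos = eol + 2
        if size == 0:
            return findings  # last-chunk; trailers may follow
        if body[pos + size:pos + size + 2] != b"\r\n":
            findings.append("chunk data not terminated by CRLF")
            return findings
        pos += size + 2


def check_message(raw: bytes) -> list[str]:
    """Return a list of strict-parsing findings for one raw request; [] if clean."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end of headers"]
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    # Strict rule: nothing (not even SP/HTAB) between the version and CRLF.
    if request_line != request_line.rstrip(b" \t"):
        findings.append("whitespace after start line")
    if not REQUEST_LINE.match(request_line.rstrip(b" \t")):
        findings.append("malformed request line")
    headers = {}
    for h in header_lines:
        name, colon, value = h.partition(b":")
        if not colon:
            findings.append("malformed header line")
            continue
        headers[name.strip().lower()] = value.strip()
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        findings.extend(check_chunked_body(body))
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n"
         b"5;name=value\r\nhello\r\n0\r\n\r\n")
TRAILING_WS = b"GET / HTTP/1.1 \r\nHost: example.test\r\n\r\n"
BAD_CHUNK = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n"
             b"5 name=value\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("trailing-ws", TRAILING_WS),
                       ("bad-chunk", BAD_CHUNK)):
        print(label, check_message(msg) or "ok")
```

Running the module prints `ok` for the clean message and one finding for each of the other two; the checker is deliberately a rejecter rather than a parser, which is the posture a front-end proxy or test harness wants when verifying that messages accepted by an older lenient build are still accepted by the stricter one.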
I just pushed this update to stable.
On 8/17/23 9:08 AM, Ben Beasley wrote: