--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-917e89c036
2021-06-18 01:07:19.135408
--------------------------------------------------------------------------------
Name : python-fastapi
Product : Fedora 34
Version : 0.65.2
Release : 1.fc34
URL : https://github.com/tiangolo/fastapi
Summary : FastAPI framework
Description :
FastAPI is a modern, fast (high-performance), web framework for building APIs
with Python 3.6+ based on standard Python type hints.
The key features are:
- Fast: Very high performance, on par with NodeJS and Go (thanks to Starlette
  and Pydantic). One of the fastest Python frameworks available.
- Fast to code: Increase the speed to develop features by about 200% to 300%.*
- Fewer bugs: Reduce about 40% of human (developer) induced errors.*
- Intuitive: Great editor support. Completion everywhere. Less time
  debugging.
- Easy: Designed to be easy to use and learn. Less time reading docs.
- Short: Minimize code duplication. Multiple features from each parameter
  declaration. Fewer bugs.
- Robust: Get production-ready code. With automatic interactive
  documentation.
- Standards-based: Based on (and fully compatible with) the open standards
  for APIs: OpenAPI (previously known as Swagger) and JSON Schema.
* estimation based on tests on an internal development team, building production
applications.
--------------------------------------------------------------------------------
Update Information:
**Security fixes**

- Check Content-Type request header before assuming JSON. Initial PR
  [#2118](https://github.com/tiangolo/fastapi/pull/2118) by
  [@patrickkwang](https://github.com/patrickkwang).

This change fixes a
[CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) security
vulnerability when using cookies for authentication in path operations with JSON
payloads sent by browsers.

In versions lower than `0.65.2`, FastAPI would try to read the request payload
as JSON even if the `content-type` header sent was not set to
`application/json` or a compatible JSON media type (e.g.
`application/geo+json`). So, a request with a content type of `text/plain`
containing JSON data would be accepted and the JSON data would be extracted.

But requests with content type `text/plain` are exempt from
[CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) preflights, for
being considered
[Simple requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests).
So, the browser would execute them right away including cookies, and the text
content could be a JSON string that would be parsed and accepted by the FastAPI
application.

See
[CVE-2021-32677](https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7)
for more details.

Thanks to [Dima Boger](https://twitter.com/b0g3r) for the security report!

**Internal**

- Update sponsors badge, course bundle. PR
  [#3340](https://github.com/tiangolo/fastapi/pull/3340) by
  [@tiangolo](https://github.com/tiangolo).
- Add new gold sponsor Jina. PR
  [#3291](https://github.com/tiangolo/fastapi/pull/3291) by
  [@tiangolo](https://github.com/tiangolo).
- Add new banner sponsor badge for FastAPI courses bundle. PR
  [#3288](https://github.com/tiangolo/fastapi/pull/3288) by
  [@tiangolo](https://github.com/tiangolo).
- Upgrade Issue Manager GitHub Action. PR
  [#3236](https://github.com/tiangolo/fastapi/pull/3236) by
  [@tiangolo](https://github.com/tiangolo).
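
An added example (not FastAPI's code and not part of this advisory) of the Content-Type check described under Security fixes: the lenient parser models the behaviour the text attributes to versions lower than `0.65.2`, the strict one decodes JSON only for `application/json` or `+json` media types. Function names and the sample requests are constructed for illustration.

```python
import json
from email.message import Message


def is_json_media_type(content_type):
    """True for application/json and application/*+json (e.g. application/geo+json)."""
    if not content_type:
        return False
    msg = Message()
    msg["content-type"] = content_type  # stdlib parser drops parameters such as charset
    if msg.get_content_maintype() != "application":
        return False
    subtype = msg.get_content_subtype()
    return subtype == "json" or subtype.endswith("+json")


def parse_body_lenient(headers, body):
    """Behaviour the advisory describes for versions lower than 0.65.2:
    try to decode JSON whatever the Content-Type header says."""
    try:
        return json.loads(body)
    except ValueError:
        return body


def parse_body_strict(headers, body):
    """Decode JSON only when the declared media type is JSON; otherwise the
    body stays undecoded bytes (assumption: a JSON body model then rejects it)."""
    if is_json_media_type(headers.get("content-type")):
        return json.loads(body)
    return body


# Constructed sample requests (header names already lower-cased).
# A text/plain POST is a CORS "simple request": no preflight, cookies attached.
SIMPLE_REQUEST = ({"content-type": "text/plain"}, b'{"email": "new@example.com"}')
JSON_REQUEST = ({"content-type": "application/json; charset=utf-8"},
                b'{"email": "new@example.com"}')

if __name__ == "__main__":
    for name, (headers, body) in (("simple", SIMPLE_REQUEST), ("json", JSON_REQUEST)):
        print(name, "lenient:", parse_body_lenient(headers, body))
        print(name, "strict: ", parse_body_strict(headers, body))
```

The same predicate can be used in a test suite to confirm that an upgraded service no longer accepts a JSON body sent as `text/plain`.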
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 9 2021 Benjamin A. Beasley <code(a)musicinmybrain.net> - 0.65.2-1
- Update to 0.65.2 (fixes RHBZ#1969758, fixes CVE-2021-32677)
* Fri Jun 4 2021 Python Maint <python-maint(a)redhat.com> - 0.65.1-5
- Rebuilt for Python 3.10
* Fri May 28 2021 Benjamin A. Beasley <code(a)musicinmybrain.net> - 0.65.1-4
- Start successfully building the documentation (without typer-cli, and using
the base mkdocs theme instead of mkdocs-material)
* Tue May 25 2021 Benjamin A. Beasley <code(a)musicinmybrain.net> - 0.65.1-3
- De-conditionalize databases[sqlite] BR
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1969758 - python-fastapi-0.65.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1969758
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-917e89c036' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------