--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-bc1f081ca0
2023-12-07 01:56:29.028218
--------------------------------------------------------------------------------
Name        : llhttp
Product     : Fedora 38
Version     : 9.1.3
Release     : 1.fc38
URL         : https://github.com/nodejs/llhttp
Summary     : Port of http_parser to llparse
Description :
This project is a port of http_parser to TypeScript. llparse is used to
generate the output C source file, which could be compiled and linked with the
embedder's program (like Node.js).
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2023-47627

https://pagure.io/fesco/issue/3106

## python-aiohttp 3.8.6 (2023-10-07)

https://github.com/aio-libs/aiohttp/blob/v3.8.6/CHANGES.rst#386-2023-10-07

### Security bugfixes

- Upgraded `llhttp` to v9.1.3: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
- Updated Python parser to comply with RFCs 9110/9112: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

### Deprecation

- Added `fallback_charset_resolver` parameter in `ClientSession` to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use [`fallback_charset_resolver`](https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-detection).

### Features

- Enabled lenient response parsing for more flexible parsing in the client (this should resolve some regressions when dealing with badly formatted HTTP responses).

### Bugfixes

- Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
- Fixed output of parsing errors pointing to a `\n`.
- Fixed `GunicornWebWorker` max_requests_jitter not working.
- Fixed sorting in `filter_cookies` to use cookie with longest path.
- Fixed display of `BadStatusLine` messages from `llhttp`.

----

## llhttp 9.1.3

### Fixes

- Restart the parser on HTTP 100
- Fix chunk extensions quoted-string value parsing
- Fix lenient_flags truncated on reset
- Fix chunk extensions' parameters parsing when more than one name-value pair provided

## llhttp 9.1.2

### What's Changed

- Fix HTTP 1xx handling

## llhttp 9.1.1

### What's Changed

- feat: Expose new lenient methods

## llhttp 9.1.0

### What's Changed

- New lenient flag to make CR completely optional
- New lenient flag to have spaces after chunk header

--------------------------------------------------------------------------------
ChangeLog:
* Thu Oct 5 2023 Benjamin A. Beasley code@musicinmybrain.net - 9.1.3-1
- Update to 9.1.3 (close RHBZ#2242220)
* Tue Oct 3 2023 Benjamin A. Beasley code@musicinmybrain.net - 9.1.2-1
- Update to 9.1.2
* Thu Sep 14 2023 Benjamin A. Beasley code@musicinmybrain.net - 9.1.1-1
- Update to 9.1.1
* Thu Sep 14 2023 Benjamin A. Beasley code@musicinmybrain.net - 9.1.0-1
- Update to 9.1.0
* Mon Aug 21 2023 Benjamin A. Beasley code@musicinmybrain.net - 9.0.1-1
- Update to 9.0.1 (close RHBZ#2228290)
* Tue Aug 1 2023 Benjamin A. Beasley code@musicinmybrain.net - 9.0.0-1
- Update to 9.0.0
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #2249825 - CVE-2023-47627 python-aiohttp: numerous issues in HTTP parser with header parsing
        https://bugzilla.redhat.com/show_bug.cgi?id=2249825
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use

su -c 'dnf upgrade --advisory FEDORA-2023-bc1f081ca0'

at the command line. For more information, refer to the dnf documentation
available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------