--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-917e89c036
2021-06-18 01:07:19.135408
--------------------------------------------------------------------------------
Name        : python-fastapi
Product     : Fedora 34
Version     : 0.65.2
Release     : 1.fc34
URL         : https://github.com/tiangolo/fastapi
Summary     : FastAPI framework
Description :
FastAPI is a modern, fast (high-performance), web framework for building APIs with Python 3.6+ based on standard Python type hints.
The key features are:
* Fast: Very high performance, on par with NodeJS and Go (thanks to Starlette and Pydantic). One of the fastest Python frameworks available.
* Fast to code: Increase the speed to develop features by about 200% to 300%.*
* Fewer bugs: Reduce about 40% of human (developer) induced errors.*
* Intuitive: Great editor support. Completion everywhere. Less time debugging.
* Easy: Designed to be easy to use and learn. Less time reading docs.
* Short: Minimize code duplication. Multiple features from each parameter declaration. Fewer bugs.
* Robust: Get production-ready code. With automatic interactive documentation.
* Standards-based: Based on (and fully compatible with) the open standards for APIs: OpenAPI (previously known as Swagger) and JSON Schema.
* estimation based on tests on an internal development team, building production applications.
--------------------------------------------------------------------------------
Update Information:
**Security fixes**

- Check Content-Type request header before assuming JSON. Initial PR [#2118](https://github.com/tiangolo/fastapi/pull/2118) by [@patrickkwang](https://github.com/patrickkwang).

  This change fixes a [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) security vulnerability when using cookies for authentication in path operations with JSON payloads sent by browsers.

  In versions lower than `0.65.2`, FastAPI would try to read the request payload as JSON even if the `content-type` header sent was not set to `application/json` or a compatible JSON media type (e.g. `application/geo+json`). So, a request with a content type of `text/plain` containing JSON data would be accepted and the JSON data would be extracted.

  But requests with content type `text/plain` are exempt from [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) preflights, for being considered [Simple requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application.

  See [CVE-2021-32677](https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7) for more details.

  Thanks to [Dima Boger](https://twitter.com/b0g3r) for the security report!

**Internal**

- Update sponsors badge, course bundle. PR [#3340](https://github.com/tiangolo/fastapi/pull/3340) by [@tiangolo](https://github.com/tiangolo).
- Add new gold sponsor Jina. PR [#3291](https://github.com/tiangolo/fastapi/pull/3291) by [@tiangolo](https://github.com/tiangolo).
- Add new banner sponsor badge for FastAPI courses bundle. PR [#3288](https://github.com/tiangolo/fastapi/pull/3288) by [@tiangolo](https://github.com/tiangolo).
- Upgrade Issue Manager GitHub Action. PR [#3236](https://github.com/tiangolo/fastapi/pull/3236) by [@tiangolo](https://github.com/tiangolo).
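The two halves of the CVE-2021-32677 story above (a browser sends a `text/plain` POST with cookies and no preflight; the server parses that body as JSON anyway) can be modelled end to end with the Python standard library. The block below is an added example written for this notice, not FastAPI's or Fedora's code: `parse_body_before_fix` reproduces the pre-0.65.2 behaviour the advisory describes, `parse_body_after_fix` reproduces the fixed rule (JSON only for `application/json` and `application/*+json`), and `needs_cors_preflight` models the browser's simple-request rule from the MDN page the advisory links. Treating a request with no Content-Type at all as "not JSON" is a simplification of this model, not a statement about FastAPI; the request data is constructed for the demo.

```python
"""Added example (not FastAPI's or Fedora's code): a stdlib-only model of the
CVE-2021-32677 issue.  It contrasts 'parse the body as JSON whatever the
Content-Type' with 'parse only for JSON media types', and shows the browser
rule that lets a text/plain POST cross origins without a CORS preflight.
All request data below is constructed for the demo."""
import email.message
import json
from typing import Any, Dict, Mapping, Optional

# Content-Type values a browser sends cross-origin without a preflight
# (CORS "simple requests", as described on the MDN page the advisory links).
CORS_SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
CORS_SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
CORS_SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def is_json_media_type(content_type: Optional[str]) -> bool:
    """True for application/json and any application/*+json (e.g. geo+json),
    ignoring parameters such as charset.  A missing header counts as not JSON
    here; that is a simplification of this model, not FastAPI's behaviour."""
    if not content_type or not content_type.strip():
        return False
    msg = email.message.Message()          # stdlib MIME parser handles "type/subtype; params"
    msg["content-type"] = content_type
    if msg.get_content_maintype() != "application":
        return False
    subtype = msg.get_content_subtype()
    return subtype == "json" or subtype.endswith("+json")


def needs_cors_preflight(method: str, script_headers: Mapping[str, str]) -> bool:
    """Browser rule: a cross-origin request goes out immediately (cookies
    included, if the site has any) when the method and every script-set
    header are CORS-safelisted; otherwise an OPTIONS preflight comes first."""
    if method.upper() not in CORS_SAFELISTED_METHODS:
        return True
    for name, value in script_headers.items():
        lname = name.lower()
        if lname not in CORS_SAFELISTED_HEADERS:
            return True
        if lname == "content-type":
            essence = value.split(";", 1)[0].strip().lower()
            if essence not in CORS_SAFELISTED_CONTENT_TYPES:
                return True
    return False


def parse_body_before_fix(content_type: Optional[str], body: bytes) -> Any:
    """Behaviour the advisory describes for FastAPI < 0.65.2: JSON is
    attempted regardless of the declared media type."""
    return json.loads(body)


def parse_body_after_fix(content_type: Optional[str], body: bytes) -> Any:
    """Behaviour of the fix: JSON only when the media type says JSON;
    anything else is left as raw bytes for the application to reject."""
    if is_json_media_type(content_type):
        return json.loads(body)
    return body


def demo() -> Dict[str, Any]:
    """Constructed cross-site request: a page on another origin POSTs a JSON
    string with Content-Type text/plain to a cookie-authenticated endpoint."""
    method = "POST"
    headers = {"Content-Type": "text/plain"}
    body = b'{"to": "attacker-account", "amount": 1000}'
    return {
        # No preflight: the browser sends this straight away with the victim's cookies.
        "preflight": needs_cors_preflight(method, headers),
        "before_fix": parse_body_before_fix(headers["Content-Type"], body),
        "after_fix": parse_body_after_fix(headers["Content-Type"], body),
        # Same payload declared as JSON: now the browser preflights, so the
        # server's CORS policy decides whether the request is ever sent.
        "json_preflight": needs_cors_preflight(method, {"Content-Type": "application/json"}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the model makes visible: the Content-Type check on the server is what closes the gap, because the browser's CORS rule only protects endpoints that refuse bodies it is willing to send without a preflight. Applications on 0.65.2 that still accept a missing or non-JSON Content-Type through their own code should apply the same media-type check there.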
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 9 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0.65.2-1
- Update to 0.65.2 (fixes RHBZ#1969758, fixes CVE-2021-32677)
* Fri Jun 4 2021 Python Maint <python-maint@redhat.com> - 0.65.1-5
- Rebuilt for Python 3.10
* Fri May 28 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0.65.1-4
- Start successfully building the documentation (without typer-cli, and using the base mkdocs theme instead of mkdocs-material)
* Tue May 25 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0.65.1-3
- De-conditionalize databases[sqlite] BR
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #1969758 - python-fastapi-0.65.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1969758
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-917e89c036'
at the command line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------