--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-bc1f081ca0
2023-12-07 01:56:29.028218
--------------------------------------------------------------------------------
Name : llhttp
Product : Fedora 38
Version : 9.1.3
Release : 1.fc38
URL : https://github.com/nodejs/llhttp
Summary : Port of http_parser to llparse
Description :
This project is a port of http_parser to TypeScript. llparse is used to
generate the output C source file, which could be compiled and linked with the
embedder's program (like Node.js).
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2023-47627

https://pagure.io/fesco/issue/3106

## python-aiohttp 3.8.6 (2023-10-07)

https://github.com/aio-libs/aiohttp/blob/v3.8.6/CHANGES.rst#386-2023-10-07

### Security bugfixes

- Upgraded `llhttp` to v9.1.3:
  https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
- Updated Python parser to comply with RFCs 9110/9112:
  https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

### Deprecation

- Added `fallback_charset_resolver` parameter in `ClientSession` to allow a
  user-supplied character set detection function. Character set detection will
  no longer be included in 3.9 as a default. If this feature is needed, please
  use [`fallback_charset_resolver`](https://docs.aiohttp.org/en/stable/client_adv...tml#character-set-detection).

### Features

- Enabled lenient response parsing for more flexible parsing in the client
  (this should resolve some regressions when dealing with badly formatted HTTP
  responses).

### Bugfixes

- Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
- Fixed output of parsing errors pointing to a `\n`.
- Fixed `GunicornWebWorker` max_requests_jitter not working.
- Fixed sorting in `filter_cookies` to use cookie with longest path.
- Fixed display of `BadStatusLine` messages from `llhttp`.

----

## llhttp 9.1.3

### Fixes

- Restart the parser on HTTP 100
- Fix chunk extensions quoted-string value parsing
- Fix lenient_flags truncated on reset
- Fix chunk extensions' parameters parsing when more than one name-value pair
  provided

## llhttp 9.1.2

### What's Changed

- Fix HTTP 1xx handling

## llhttp 9.1.1

### What's Changed

- feat: Expose new lenient methods

## llhttp 9.1.0

### What's Changed

- New lenient flag to make CR completely optional
- New lenient flag to have spaces after chunk header
--------------------------------------------------------------------------------
ChangeLog:
* Thu Oct 5 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 9.1.3-1
- Update to 9.1.3 (close RHBZ#2242220)
* Tue Oct 3 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 9.1.2-1
- Update to 9.1.2
* Thu Sep 14 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 9.1.1-1
- Update to 9.1.1
* Thu Sep 14 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 9.1.0-1
- Update to 9.1.0
* Mon Aug 21 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 9.0.1-1
- Update to 9.0.1 (close RHBZ#2228290)
* Tue Aug 1 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 9.0.0-1
- Update to 9.0.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2249825 - CVE-2023-47627 python-aiohttp: numerous issues in HTTP parser with
header parsing
https://bugzilla.redhat.com/show_bug.cgi?id=2249825
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-bc1f081ca0' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------