Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 2216591

Summary: llhttp-8.1.1 is available
Product: [Fedora] Fedora Reporter: Upstream Release Monitoring <upstream-release-monitoring>
Component: llhttpAssignee: Ben Beasley <code>
Status: CLOSED ERRATA QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: casper, code, jonathan, jstanek, python-packagers-sig, sgallagh, zsvetlik
Target Milestone: ---Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: llhttp-8.1.1-1.fc39 llhttp-8.1.1-1.fc38 llhttp-8.1.1-1.fc37 llhttp-8.1.1-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-07-30 22:06:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2227458    
Bug Blocks:    

Description Upstream Release Monitoring 2023-06-21 23:58:56 UTC
Releases retrieved: 6.0.11, 6.0.11, 8.1.1, 8.1.1
Upstream release that is considered latest: 8.1.1
Current version/release in rawhide: 8.1.0-5.fc39
URL: https://github.com/nodejs/llhttp

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from Anitya: https://release-monitoring.org/project/241543/


To change the monitoring settings for the project, please visit:
https://src.fedoraproject.org/rpms/llhttp

Comment 1 Ben Beasley 2023-07-29 22:36:27 UTC
Existing F39 PR for this release: https://src.fedoraproject.org/rpms/llhttp/pull-request/12
Existing F38 PR for this release: https://src.fedoraproject.org/rpms/llhttp/pull-request/11

Actually doing the update in F39 and F38 should be possible now that aiohttp 3.8.5 has support for llhttp 8.1.1; see https://github.com/aio-libs/aiohttp/issues/7327, which is still open, but is nevertheless fixed according to the release notes, https://github.com/aio-libs/aiohttp/releases/tag/v3.8.5.

A coordinated update in a side tag will be required. I expect to have something ready and validated in the next few days.

I see that there is a security issue in play, https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w and https://github.com/advisories/GHSA-cggh-pq45-6h9x, AKA CVE-2023-30589. This can be fixed by a compatible update in F38 and F39.

F37 and EPEL9 are also affected, but since they use llhttp 6.x, updating llhttp to a current version will break API and ABI and will require an exception to the Updates Policy. (I would rather not attempt to backport the fix.) Given the CVE and the limited impact (only python-aiohttp depends on llhttp), I judge it likely that such a request would be granted.

Comment 2 Ben Beasley 2023-07-29 22:39:10 UTC
(In reply to Ben Beasley from comment #1)
> F37 and EPEL9 are also affected, but since they use llhttp 6.x, updating
> llhttp to a current version will break API and ABI and will require an
> exception to the Updates Policy. (I would rather not attempt to backport the
> fix.) Given the CVE and the limited impact (only python-aiohttp depends on
> llhttp), I judge it likely that such a request would be granted.

An alternative for these releases would be to convert python-aiohttp to a pure-Python package by building it with AIOHTTP_NO_EXTENSIONS=1, which is a documented mitigation, at the cost of performance.

Comment 3 Ben Beasley 2023-07-29 22:47:07 UTC
I suppose bundling llhttp 8.1.1 with python-aiohttp in F37 and EPEL9 would also be possible, but that seems silly since the llhttp package currently exists only to support python-aiohttp.

Comment 4 Fedora Update System 2023-07-30 22:01:38 UTC
FEDORA-2023-ad76deb86e has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ad76deb86e

Comment 5 Fedora Update System 2023-07-30 22:06:14 UTC
FEDORA-2023-ad76deb86e has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 6 Fedora Update System 2023-07-31 16:10:03 UTC
FEDORA-2023-f75af676f2 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f75af676f2

Comment 7 Fedora Update System 2023-08-01 01:41:55 UTC
FEDORA-2023-f75af676f2 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f75af676f2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f75af676f2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-08-07 01:26:14 UTC
FEDORA-2023-f75af676f2 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2023-08-08 23:15:43 UTC
FEDORA-2023-105880e618 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-105880e618

Comment 10 Fedora Update System 2023-08-09 02:34:28 UTC
FEDORA-2023-105880e618 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-105880e618`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-105880e618

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-08-17 00:34:07 UTC
FEDORA-2023-105880e618 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2023-08-17 13:06:54 UTC
FEDORA-EPEL-2023-e2fcc4af81 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81

Comment 13 Fedora Update System 2023-08-18 00:24:00 UTC
FEDORA-EPEL-2023-e2fcc4af81 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2023-08-26 00:33:26 UTC
FEDORA-EPEL-2023-e2fcc4af81 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.