Bug 2216591
| Summary: | llhttp-8.1.1 is available | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Upstream Release Monitoring <upstream-release-monitoring> |
| Component: | llhttp | Assignee: | Ben Beasley <code> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | casper, code, jonathan, jstanek, python-packagers-sig, sgallagh, zsvetlik |
| Target Milestone: | --- | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | llhttp-8.1.1-1.fc39 llhttp-8.1.1-1.fc38 llhttp-8.1.1-1.fc37 llhttp-8.1.1-1.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-07-30 22:06:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2227458 | | |
| Bug Blocks: | | | |
Description
Upstream Release Monitoring
2023-06-21 23:58:56 UTC
Existing F39 PR for this release: https://src.fedoraproject.org/rpms/llhttp/pull-request/12
Existing F38 PR for this release: https://src.fedoraproject.org/rpms/llhttp/pull-request/11

Ben Beasley (comment #1):

Actually doing the update in F39 and F38 should be possible now that aiohttp 3.8.5 has support for llhttp 8.1.1; see https://github.com/aio-libs/aiohttp/issues/7327, which is still open, but is nevertheless fixed according to the release notes, https://github.com/aio-libs/aiohttp/releases/tag/v3.8.5. A coordinated update in a side tag will be required. I expect to have something ready and validated in the next few days.

I see that there is a security issue in play, https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w and https://github.com/advisories/GHSA-cggh-pq45-6h9x, AKA CVE-2023-30589. This can be fixed by a compatible update in F38 and F39.

F37 and EPEL9 are also affected, but since they use llhttp 6.x, updating llhttp to a current version will break API and ABI and will require an exception to the Updates Policy. (I would rather not attempt to backport the fix.) Given the CVE and the limited impact (only python-aiohttp depends on llhttp), I judge it likely that such a request would be granted.

(In reply to Ben Beasley from comment #1)
> F37 and EPEL9 are also affected, but since they use llhttp 6.x, updating
> llhttp to a current version will break API and ABI and will require an
> exception to the Updates Policy. (I would rather not attempt to backport the
> fix.) Given the CVE and the limited impact (only python-aiohttp depends on
> llhttp), I judge it likely that such a request would be granted.

An alternative for these releases would be to convert python-aiohttp to a pure-Python package by building it with AIOHTTP_NO_EXTENSIONS=1, which is a documented mitigation, at the cost of performance.

I suppose bundling llhttp 8.1.1 with python-aiohttp in F37 and EPEL9 would also be possible, but that seems silly since the llhttp package currently exists only to support python-aiohttp.

FEDORA-2023-ad76deb86e has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ad76deb86e

FEDORA-2023-ad76deb86e has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.

FEDORA-2023-f75af676f2 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f75af676f2

FEDORA-2023-f75af676f2 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-f75af676f2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-f75af676f2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-f75af676f2 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.

FEDORA-2023-105880e618 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-105880e618

FEDORA-2023-105880e618 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-105880e618` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-105880e618 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-105880e618 has been pushed to the Fedora 37 stable repository. If the problem still persists, please make note of it in this bug report.

FEDORA-EPEL-2023-e2fcc4af81 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81

FEDORA-EPEL-2023-e2fcc4af81 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e2fcc4af81 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-EPEL-2023-e2fcc4af81 has been pushed to the Fedora EPEL 9 stable repository. If the problem still persists, please make note of it in this bug report.
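The AIOHTTP_NO_EXTENSIONS=1 mitigation mentioned in the discussion above only helps if the aiohttp that is actually installed ends up on its pure-Python parser rather than on the compiled extension that calls into llhttp. The following is an added example, not code from this bug report, from Fedora's packages or from aiohttp itself. It assumes aiohttp's documented behaviour: setting AIOHTTP_NO_EXTENSIONS at build time means the compiled `aiohttp._http_parser` module is never produced, and setting it in the environment at import time makes `aiohttp.http_parser` skip that module even when it exists. The function names, the result strings and the `fake_find_spec` helper are hypothetical and exist only for this check.

```python
"""Report which HTTP parser backend an installed aiohttp will use.

Added example; assumes aiohttp honours AIOHTTP_NO_EXTENSIONS both when
building (no compiled aiohttp._http_parser is produced) and when importing
(aiohttp.http_parser skips the compiled module if the variable is set).
The compiled _http_parser is the code path that uses llhttp, so a
"pure-python" result means llhttp is not used by that interpreter.
"""
import importlib.util
import os
from typing import Callable, FrozenSet, Mapping, Optional

C_EXTENSION = "c-extension (aiohttp._http_parser, uses llhttp)"
PURE_PYTHON_BUILD = "pure-python (no compiled _http_parser; built with AIOHTTP_NO_EXTENSIONS=1)"
PURE_PYTHON_RUNTIME = "pure-python (AIOHTTP_NO_EXTENSIONS set in the environment)"
NOT_INSTALLED = "aiohttp not installed"


def detect_backend(
    find_spec: Callable[[str], Optional[object]] = importlib.util.find_spec,
    environ: Mapping[str, str] = os.environ,
) -> str:
    """Return which parser backend aiohttp would use in this environment.

    find_spec and environ are injectable so the decision logic can be
    exercised (and tested) on a machine without aiohttp installed.
    Note: find_spec on the dotted name imports the parent package aiohttp
    as a side effect, which is why the parent is checked first.
    """
    if find_spec("aiohttp") is None:
        return NOT_INSTALLED
    # aiohttp.helpers reads this variable at import time; any non-empty
    # value makes http_parser fall back to the pure-Python classes even if
    # the extension was compiled.
    if environ.get("AIOHTTP_NO_EXTENSIONS"):
        return PURE_PYTHON_RUNTIME
    # A package built with AIOHTTP_NO_EXTENSIONS=1 simply has no compiled
    # _http_parser module to find.
    if find_spec("aiohttp._http_parser") is None:
        return PURE_PYTHON_BUILD
    return C_EXTENSION


def classify_parser_class(parser_cls: type) -> str:
    """Classify the HttpRequestParser class that aiohttp.http_parser exports.

    With the extension active, aiohttp.http_parser re-exports the class
    from aiohttp._http_parser; otherwise its own pure-Python class is used.
    This is a second, independent confirmation once aiohttp is importable.
    """
    if parser_cls.__module__ == "aiohttp._http_parser":
        return C_EXTENSION
    return "pure-python (aiohttp.http_parser)"


def fake_find_spec(available: FrozenSet[str]) -> Callable[[str], Optional[object]]:
    """Stand-in for importlib.util.find_spec that knows only the given names.

    Used to build constructed scenarios below; not part of aiohttp.
    """
    def _find(name: str) -> Optional[object]:
        return object() if name in available else None
    return _find


if __name__ == "__main__":
    print("this interpreter:", detect_backend())
    # Constructed scenarios that do not need aiohttp installed:
    both = frozenset({"aiohttp", "aiohttp._http_parser"})
    print("compiled, env unset: ", detect_backend(fake_find_spec(both), {}))
    print("compiled, env set:   ", detect_backend(fake_find_spec(both), {"AIOHTTP_NO_EXTENSIONS": "1"}))
    print("pure-python build:   ", detect_backend(fake_find_spec(frozenset({"aiohttp"})), {}))
    try:
        from aiohttp import http_parser  # real confirmation when available
        print("exported class:      ", classify_parser_class(http_parser.HttpRequestParser))
    except ImportError:
        pass
```

Run it with the same interpreter and environment the service uses; a host that installed a pure-Python python-aiohttp build should report the "no compiled _http_parser" result, while a host that merely exported AIOHTTP_NO_EXTENSIONS=1 for one process reports the runtime variant, and the mitigation silently stops applying in any process launched without that variable.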