
FEDORA-2023-bc1f081ca0

Packages in this update:

llhttp-9.1.3-1.fc38
python-aiohttp-3.8.6-1.fc38
uxplay-1.66-2.fc38

Update description:

Security fix for CVE-2023-47627

https://pagure.io/fesco/issue/3106

python-aiohttp 3.8.6 (2023-10-07)

https://github.com/aio-libs/aiohttp/blob/v3.8.6/CHANGES.rst#386-2023-10-07

Security bugfixes

Upgraded llhttp to v9.1.3: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
Updated Python parser to comply with RFCs 9110/9112: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

Deprecation

Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use fallback_charset_resolver.

Features

Enabled lenient response parsing for more flexible parsing in the client (this should resolve some regressions when dealing with badly formatted HTTP responses).

Bugfixes

Fixed PermissionError when .netrc is unreadable due to permissions.
Fixed output of parsing errors pointing to a \n.
Fixed GunicornWebWorker max_requests_jitter not working.
Fixed sorting in filter_cookies to use cookie with longest path.
Fixed display of BadStatusLine messages from llhttp.

llhttp 9.1.3

Fixes

Restart the parser on HTTP 100
Fix chunk extensions quoted-string value parsing
Fix lenient_flags truncated on reset
Fix chunk extensions’ parameters parsing when more than one name-value pair is provided

llhttp 9.1.2

What’s Changed

Fix HTTP 1xx handling

llhttp 9.1.1

What’s Changed

feat: Expose new lenient methods

llhttp 9.1.0

What’s Changed

New lenient flag to make CR completely optional
New lenient flag to have spaces after chunk header
