FEDORA-2023-bc1f081ca0
Packages in this update:
llhttp-9.1.3-1.fc38
python-aiohttp-3.8.6-1.fc38
uxplay-1.66-2.fc38
Update description:
Security fix for CVE-2023-47627
https://pagure.io/fesco/issue/3106
python-aiohttp 3.8.6 (2023-10-07)
https://github.com/aio-libs/aiohttp/blob/v3.8.6/CHANGES.rst#386-2023-10-07
Security bugfixes
Upgraded llhttp to v9.1.3: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
Updated Python parser to comply with RFCs 9110/9112: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
Deprecation
Added fallback_charset_resolver parameter in ClientSession to allow a user-supplied character set detection function. Character set detection will no longer be included in 3.9 as a default. If this feature is needed, please use fallback_charset_resolver.
Features
Enabled lenient response parsing for more flexible parsing in the client (this should resolve some regressions when dealing with badly formatted HTTP responses).
Bugfixes
Fixed PermissionError when .netrc is unreadable due to permissions.
Fixed output of parsing errors pointing to a n.
Fixed GunicornWebWorker max_requests_jitter not working.
Fixed sorting in filter_cookies to use cookie with longest path.
Fixed display of BadStatusLine messages from llhttp.
llhttp 9.1.3
Fixes
Restart the parser on HTTP 100
Fix chunk extensions quoted-string value parsing
Fix lenient_flags truncated on reset
Fix chunk extensions’ parameters parsing when more then one name-value pair provided
llhttp 9.1.2
What’s Changed
Fix HTTP 1xx handling
llhttp 9.1.1
What’s Changed
feat: Expose new lenient methods
llhttp 9.1.0
What’s Changed
New lenient flag to make CR completely optional
New lenient flag to have spaces after chunk header