#3049 Updates policy exception request for llhttp in F37
Closed: Accepted a year ago by decathorpe. Opened a year ago by music.

This issue requests an updates policy exception to update the llhttp package from 6.0.10 to 8.1.0 in Fedora 37, which would break the ABI and bump the SONAME version.

The llhttp package is a C library (transpiled from TypeScript) that provides the low-level HTTP support for NodeJS (which currently bundles it, although the maintainers have discussed unbundling it), and for python-aiohttp. Currently, only python-aiohttp depends on the llhttp package in Fedora.

Versions of llhttp prior to 8.1.1 are affected by CVE-2023-30589, an HTTP request smuggling vulnerability rated 7.7 HIGH in CVSS v3 and rated Moderate by Red Hat. The GitHub advisory for llhttp is GHSA-cggh-pq45-6h9x; the advisory for python-aiohttp is GHSA-45c4-8wx5-qw6w. Upstream for python-aiohttp fixed this by updating llhttp (which they bundle, but we unbundle) in release 3.8.5.

I am not comfortable attempting to backport the fix to an older release of llhttp. My preferred solution would be to update llhttp to 8.1.1 and (in the same side tag) update python-aiohttp to 3.8.5. The ABI break in llhttp would only affect python-aiohttp; the python-aiohttp update itself is compatible (by upstream intent, and verified in COPR); and a large list of packages that depend on python-aiohttp would benefit from the fix.

If this exception request is not approved, my fallback plan is to propose rebuilding python-aiohttp in F37 with AIOHTTP_NO_EXTENSIONS=1, which would convert it to a pure-Python package. This is a documented mitigation, but comes with potentially serious performance regressions, again affecting a fairly large list of dependent packages. The llhttp package would become a leaf package and would remain unpatched.

The situation in EPEL9 is similar, and I plan to request an exception there as well.
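The request above gives two independent signals that matter for an affected host: the llhttp version (fixed upstream in 8.1.1) and whether python-aiohttp loaded its C extension (which links llhttp) or the pure-Python parser that an AIOHTTP_NO_EXTENSIONS=1 build leaves you with. The audit helper below is an added example, not code from the ticket, llhttp or aiohttp; it assumes aiohttp's documented fallback behaviour (`aiohttp.http_parser.HttpRequestParser` comes from `aiohttp._http_parser` only when the C extension imports) and uses `ctypes.util.find_library` to see which `libllhttp` SONAME the dynamic loader would resolve.

```python
"""Audit helper: is this host still exposed to the llhttp request-smuggling
issue (CVE-2023-30589) discussed in the exception request above?

Two independent checks:
  1. the llhttp version string, compared against the upstream fix (8.1.1);
  2. which HTTP parser python-aiohttp actually loaded: the C extension that
     links llhttp, or the pure-Python fallback (AIOHTTP_NO_EXTENSIONS=1).
"""
import ctypes.util
from typing import Optional, Tuple

# From the ticket: versions of llhttp prior to 8.1.1 are affected.
FIXED_IN: Tuple[int, int, int] = (8, 1, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.0.10' or an RPM-style '8.1.1-2.fc37' into a comparable tuple."""
    core = text.split("-", 1)[0]  # drop a distro release suffix, if present
    return tuple(int(part) for part in core.split("."))


def llhttp_is_affected(version: str) -> bool:
    """True when the given llhttp version predates the CVE-2023-30589 fix."""
    return parse_version(version) < FIXED_IN


def aiohttp_parser_backend() -> Optional[str]:
    """Report which request parser aiohttp is using, or None if it is absent.

    Assumption (matches aiohttp's own fallback logic): when the C extension is
    built and importable, HttpRequestParser lives in 'aiohttp._http_parser';
    otherwise aiohttp keeps the pure-Python class from 'aiohttp.http_parser'.
    A pure-Python backend is what the fallback plan in the ticket would give.
    """
    try:
        import aiohttp.http_parser as http_parser
    except ImportError:
        return None
    module = http_parser.HttpRequestParser.__module__
    return "c-extension (llhttp)" if module == "aiohttp._http_parser" else "pure-python"


def installed_llhttp_soname() -> Optional[str]:
    """Name of the llhttp shared object the loader would pick (e.g.
    'libllhttp.so.8'), or None if no libllhttp is installed.  The SONAME
    major is the ABI version the ticket says must be bumped (6 -> 8)."""
    return ctypes.util.find_library("llhttp")


def summarize(llhttp_version: Optional[str]) -> str:
    """One-line verdict combining the version gate and the parser backend.

    llhttp_version is supplied by the caller (e.g. from `rpm -q llhttp`),
    since the shared object itself does not report its version here.
    """
    backend = aiohttp_parser_backend()
    if backend is None:
        return "aiohttp not installed; nothing to assess"
    if backend == "pure-python":
        return "aiohttp uses the pure-Python parser: not exposed via llhttp"
    if llhttp_version is None:
        return "aiohttp uses the llhttp C extension; llhttp version unknown"
    if llhttp_is_affected(llhttp_version):
        return f"EXPOSED: aiohttp C extension linked against llhttp {llhttp_version}"
    return f"patched: aiohttp C extension with llhttp {llhttp_version}"


if __name__ == "__main__":
    # Constructed sample input: the version the ticket starts from.
    print("llhttp soname:", installed_llhttp_soname())
    print(summarize("6.0.10"))
```

On a Fedora host, feed `summarize()` the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' llhttp`; the release suffix is stripped before comparison. The backend check is the useful half if you take the fallback route in the ticket: a rebuild with AIOHTTP_NO_EXTENSIONS=1 should flip it to "pure-python", which confirms the mitigation actually took effect rather than trusting the build flag alone.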


+1 to the exception, also requesting to fast-track this

I forgot to mention that this update is already done in F39 and in F38, since the llhttp update was ABI-compatible in those releases.

Metadata Update from @music:
- Issue tagged with: fast track

a year ago

+1

Thanks for the detailed writeup!

Also, for the record, I'll happily unbundle it from Node.js as soon as https://github.com/nodejs/node/issues/44000 gets resolved (which will include a configure flag supporting use of a native llhttp shared object).

Nice, thanks for the update!

The fast track route did not help speed this up, but after a week, this is APPROVED (+4,0,-0).

Metadata Update from @churchyard:
- Issue tagged with: pending announcement

a year ago

Thank you all for your time. I have submitted the update as https://bodhi.fedoraproject.org/updates/FEDORA-2023-105880e618.

Metadata Update from @decathorpe:
- Issue untagged with: pending announcement
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

a year ago
