#3106 Updates policy exception request for llhttp in F39 and F38
Closed: Accepted 5 months ago by zbyszek. Opened 6 months ago by music.

This issue requests an updates policy exception to update the llhttp package from 8.1.1 to 9.1.3 in Fedora 39 and Fedora 38, which would break the ABI and bump the SONAME version.

The llhttp package is a C library (transpiled from TypeScript) that provides the low-level HTTP support for NodeJS (which currently bundles it, although the maintainers have discussed unbundling it), and for python-aiohttp.

Currently, only python-aiohttp and uxplay depend on the llhttp package in Fedora.

Versions of python-aiohttp prior to 3.8.6 are affected by CVE-2023-30589, an HTTP request/response smuggling vulnerability rated 5.3 in CVSS v3 and rated Moderate by Red Hat. This was reported as RHBZ#2249825. Since the flaw is only in the pure-Python parser, and we compile the llhttp-based parser, this affects only code using the AIOHTTP_NO_EXTENSIONS environment variable. Updating aiohttp from 3.8.5 to 3.8.6 to fix that still requires updating llhttp from 8.x to 9.x. Additionally, according to the release notes this includes an llhttp-related security fix that upstream has not yet successfully disclosed, which provides added motivation to update.

The ABI break in llhttp would only affect python-aiohttp and uxplay. The python-aiohttp update itself is compatible (by upstream intent, and as already demonstrated in Rawhide); and a large list of packages that depend on python-aiohttp would benefit from the fix. For uxplay, a simple rebuild would suffice; it is already working with llhttp 9.1.3 in Rawhide. All necessary rebuilds would be conducted in side tags.

If this exception request is not approved, my fallback plan is to attempt to backport the pure-Python parser fix to 3.8.5. There is no fallback plan for fixing the mysterious llhttp-related security issue in 3.8.5, since the upstream fix was to update llhttp.

The situation in EPEL9 is similar, and I plan to request an exception there as well.

Metadata Update from @churchyard:
- Issue tagged with: updates policy exception

6 months ago

Am I experiencing déjà-vu or is this the second time this is happening?

Either way, +1

> Am I experiencing déjà-vu or is this the second time this is happening?

With slightly different details, yes: https://pagure.io/fesco/issue/3049

Fingers crossed that this is the last one for a while… 🤞

How about applying for a permanent updates policy exception for this package?

After a week:
APPROVED (+4, 0, 0)

Metadata Update from @zbyszek:
- Issue tagged with: pending announcement

6 months ago

This is just a minor correction for posterity: the link to CVE-2023-47627 in the original issue text has the correct URL but the wrong CVE number in the link text.

Metadata Update from @zbyszek:
- Issue untagged with: pending announcement
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

5 months ago
