git: 72eea8b95e0f - main - net/py-h11: Update version 0.14.0=>0.16.0
Date: Tue, 29 Apr 2025 13:10:29 UTC
The branch main has been updated by bofh: URL: https://cgit.FreeBSD.org/ports/commit/?id=72eea8b95e0f73093217e00f999ff2e17e71db5a commit 72eea8b95e0f73093217e00f999ff2e17e71db5a Author: Muhammad Moinur Rahman <bofh@FreeBSD.org> AuthorDate: 2025-04-29 12:52:42 +0000 Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org> CommitDate: 2025-04-29 13:10:08 +0000 net/py-h11: Update version 0.14.0=>0.16.0 - This addresses fix for CVE-2025-43859 — a critical vulnerability affecting HTTP/1.1 connection handling. - This update may break ports that depend on older h11 APIs, as some interfaces and behaviors have changed in the new release. Ports known or suspected to be affected should be tested carefully and updated accordingly. A heads-up will also be sent to ports@. Quarterly merge should take place after all the downstream ports have been fixed for building. Security: CVE-2025-43859 Changelog: https://github.com/python-hyper/h11/releases/tag/v0.16.0 MFH: 2025Q2 --- net/py-h11/Makefile | 3 +-- net/py-h11/distinfo | 6 +++--- security/vuxml/vuln/2025.xml | 29 +++++++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 5 deletions(-) diff --git a/net/py-h11/Makefile b/net/py-h11/Makefile index 0772575e8580..ac937d9dc0a4 100644 --- a/net/py-h11/Makefile +++ b/net/py-h11/Makefile @@ -1,6 +1,5 @@ PORTNAME= h11 -PORTVERSION= 0.14.0 -PORTREVISION= 1 +DISTVERSION= 0.16.0 CATEGORIES= net python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/net/py-h11/distinfo b/net/py-h11/distinfo index a002b81548d6..470f83ddf207 100644 --- a/net/py-h11/distinfo +++ b/net/py-h11/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1667662218 -SHA256 (h11-0.14.0.tar.gz) = 8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d -SIZE (h11-0.14.0.tar.gz) = 100418 +TIMESTAMP = 1745931106 +SHA256 (h11-0.16.0.tar.gz) = 4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1 +SIZE (h11-0.16.0.tar.gz) = 101250 
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index d5bbf0fb3f3e..46ce1f46c383 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,32 @@ + <vuln vid="df126e23-24fa-11f0-ab92-f02f7497ecda"> + <topic>h11 accepts some malformed Chunked-Encoding bodies</topic> + <affects> + <package> + <name>py39-h11</name> + <name>py310-h11</name> + <name>py311-h11</name> + <name>py312-h11</name> + <range><lt>0.16.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>h11 reports:</p> + <blockquote cite="https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj"> + <p>h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line t erminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issu e has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-43859</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-43859</url> + </references> + <dates> + <discovery>2025-04-24</discovery> + <entry>2025-04-29</entry> + </dates> + </vuln> + <vuln vid="310f5923-211c-11f0-8ca6-6c3be5272acd"> <topic>Grafana -- Authorization bypass in data source proxy API</topic> <affects>
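Review bot: the distinfo hunk swaps all three fields (TIMESTAMP, SHA256, SIZE) for h11-0.16.0.tar.gz; confirm the new SHA256 (`4e35b956cf45…`) was regenerated with `make makesum` against the sdist fetched from MASTER_SITES= PYPI rather than copied from elsewhere, since this checksum is the only thing pinning the security fix to the artifact the port will actually build.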
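Review bot: the vuxml hunk's description paragraph has two broken words ("line t erminators", "This issu e"); if that is in the committed 2025.xml and not just mail wrapping, it will render verbatim in the advisory and should be fixed in a follow-up. The `<affects>` block also enumerates py39-h11 through py312-h11 by hand while the port's PKGNAMEPREFIX is `${PYTHON_PKGNAMEPREFIX}`, so check that every Python flavor the port is built for is listed, otherwise `pkg audit` will not flag packages built under an unlisted prefix. The `<topic>`, `<range><lt>0.16.0</lt></range>`, CVE reference and dates are consistent with the advisory cited in the blockquote.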