Re: git: 72eea8b95e0f - main - net/py-h11: Update version 0.14.0=>0.16.0
Date: Tue, 29 Apr 2025 14:49:48 UTC
Hello! This commit breaks www/py-httpcore (and consumers by chain):

py311-httpcore-1.0.8 depends on package: py311-h11>=0.13<0.15 - not found

29.04.2025 16:10, Muhammad Moinur Rahman writes:
> The branch main has been updated by bofh:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=72eea8b95e0f73093217e00f999ff2e17e71db5a
>
> commit 72eea8b95e0f73093217e00f999ff2e17e71db5a
> Author: Muhammad Moinur Rahman <bofh@FreeBSD.org>
> AuthorDate: 2025-04-29 12:52:42 +0000
> Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org>
> CommitDate: 2025-04-29 13:10:08 +0000
>
> net/py-h11: Update version 0.14.0=>0.16.0
>
> - This addresses fix for CVE-2025-43859 — a critical vulnerability
> affecting HTTP/1.1 connection handling.
>
> - This update may break ports that depend on older h11 APIs, as some
> interfaces and behaviors have changed in the new release.
>
> Ports known or suspected to be affected should be tested carefully and
> updated accordingly. A heads-up will also be sent to ports@.
>
> Quarterly merge should take place after all the downstream ports have
> been fixed for building.
>
> Security: CVE-2025-43859
> Changelog: https://github.com/python-hyper/h11/releases/tag/v0.16.0
> MFH: 2025Q2
> ---
> net/py-h11/Makefile | 3 +--
> net/py-h11/distinfo | 6 +++---
> security/vuxml/vuln/2025.xml | 29 +++++++++++++++++++++++++++++
> 3 files changed, 33 insertions(+), 5 deletions(-)
>
> diff --git a/net/py-h11/Makefile b/net/py-h11/Makefile > index 0772575e8580..ac937d9dc0a4 100644 > --- a/net/py-h11/Makefile > +++ b/net/py-h11/Makefile > @@ -1,6 +1,5 @@ > PORTNAME= h11 > -PORTVERSION= 0.14.0 > -PORTREVISION= 1 > +DISTVERSION= 0.16.0 > CATEGORIES= net python > MASTER_SITES= PYPI > PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} > diff --git a/net/py-h11/distinfo b/net/py-h11/distinfo > index a002b81548d6..470f83ddf207 100644 > --- a/net/py-h11/distinfo > +++ b/net/py-h11/distinfo
> @@ -1,3 +1,3 @@ > -TIMESTAMP = 1667662218 > -SHA256 (h11-0.14.0.tar.gz) = 8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d > -SIZE (h11-0.14.0.tar.gz) = 100418 > +TIMESTAMP = 1745931106 > +SHA256 (h11-0.16.0.tar.gz) = 4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1 > +SIZE (h11-0.16.0.tar.gz) = 101250 > diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml > index d5bbf0fb3f3e..46ce1f46c383 100644 > --- a/security/vuxml/vuln/2025.xml > +++ b/security/vuxml/vuln/2025.xml 
> @@ -1,3 +1,32 @@ > + <vuln vid="df126e23-24fa-11f0-ab92-f02f7497ecda"> > + <topic>h11 accepts some malformed Chunked-Encoding bodies</topic> > + <affects> > + <package> > + <name>py39-h11</name> > + <name>py310-h11</name> > + <name>py311-h11</name> > + <name>py312-h11</name> > + <range><lt>0.16.0</lt></range> > + </package> > + </affects> > + <description> > + <body xmlns="http://www.w3.org/1999/xhtml"> > + <p>h11 reports:</p> > + <blockquote cite="https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj"> > + <p>h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line t erminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issu e has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.</p> > + </blockquote> > + </body> > + </description> > + <references> > + <cvename>CVE-2025-43859</cvename> > + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-43859</url> > + </references> > + <dates> > + <discovery>2025-04-24</discovery> > + <entry>2025-04-29</entry> > + </dates> > + </vuln> > + > <vuln vid="310f5923-211c-11f0-8ca6-6c3be5272acd"> > <topic>Grafana -- Authorization bypass in data source proxy API</topic> > <affects> > -- Sincerely, Dima (fluffy@FreeBSD.org, https://t.me/FluffyBSD, @fluffy:matrix-dev.freebsd.org) (desktop, kde, x11, office, ports-secteam)@FreeBSD team
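Review bot: the net/py-h11/Makefile hunk bumps only h11 itself while the commit message predicts downstream breakage, and the reply above shows the concrete case: www/py-httpcore's run dependency `py311-h11>=0.13<0.15` no longer resolves, so httpcore and everything behind it fail to build. Since the vuxml text says fixing h11 alone is sufficient to mitigate CVE-2025-43859, consumers pinned below 0.15 get no fix until their constraints are lifted; the dependent ports' version ranges should be updated in the same commit (or the bump held until they are) rather than relying on the heads-up to ports@ and a later MFH.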
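Review bot: the quoted advisory text in the security/vuxml/vuln/2025.xml hunk contains "t erminators" and "issu e"; if those stray spaces are in the committed file rather than a mail-wrapping artifact, fix the description text. The rest of the entry is consistent with the commit: `<range><lt>0.16.0</lt></range>` matches the version the Makefile hunk moves to, the affected package list covers the py39 through py312 flavours, and the CVE name, NVD URL and discovery/entry dates are all present.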
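The vuxml entry above describes the bug class only in one sentence: leniency in how line terminators in chunked-coding bodies are parsed lets two HTTP/1.1 components disagree about where a message body ends. The example below is added here to make that concrete; it is not h11's code and not part of the commit. It is a small chunked-body decoder with a `strict` switch: in strict mode every chunk-size line and every chunk-data line must end in exactly CRLF, as RFC 9112 requires; in lenient mode a lone LF is also accepted, which models (as an assumption, not a claim about h11's internals) the kind of leniency the advisory names. The constructed sample bodies show that the same bytes are accepted by one mode and rejected by the other, which is exactly the parser disagreement a request-smuggling condition needs, and why a strict parser is the safe default.

```python
"""Strict versus lenient chunked-body decoding (added example, not h11 code)."""
from __future__ import annotations

import re

_HEX = re.compile(rb"[0-9A-Fa-f]+")


class ChunkedParseError(ValueError):
    """Raised when the body is not valid chunked transfer coding."""


def _read_line(body: bytes, pos: int, strict: bool) -> tuple[bytes, int]:
    """Return (line without terminator, position after the terminator).

    strict=True : the terminator must be CRLF (RFC 9112 section 7.1).
    strict=False: a bare LF is also accepted; this is the assumed lenient
                  behaviour being illustrated, not a description of h11.
    """
    idx = body.find(b"\n", pos)
    if idx == -1:
        raise ChunkedParseError("missing line terminator")
    if idx > pos and body[idx - 1] == 0x0D:  # preceded by CR: proper CRLF
        return body[pos:idx - 1], idx + 1
    if strict:
        raise ChunkedParseError("bare LF where CRLF is required")
    return body[pos:idx], idx + 1


def parse_chunked(body: bytes, strict: bool = True) -> tuple[bytes, bytes]:
    """Decode a chunked body into (payload, bytes left after the last chunk).

    Leftover bytes are what a parser would hand to the next message on the
    connection; two parsers that split the stream differently here are the
    precondition for request smuggling.
    """
    pos = 0
    out = bytearray()
    while True:
        line, pos = _read_line(body, pos, strict)
        size_field = line.split(b";", 1)[0].strip()  # drop chunk extensions
        if not _HEX.fullmatch(size_field):
            raise ChunkedParseError(f"bad chunk-size line {line!r}")
        size = int(size_field, 16)
        if size == 0:
            # last-chunk: skip optional trailer fields up to the empty line
            line, pos = _read_line(body, pos, strict)
            while line != b"":
                line, pos = _read_line(body, pos, strict)
            return bytes(out), body[pos:]
        data = body[pos:pos + size]
        if len(data) != size:
            raise ChunkedParseError("truncated chunk data")
        pos += size
        # chunk-data must be followed immediately by its own line terminator
        line, pos = _read_line(body, pos, strict)
        if line != b"":
            raise ChunkedParseError(f"unexpected bytes after chunk data: {line!r}")
        out += data


def rejects(body: bytes, strict: bool = True) -> bool:
    """True if parse_chunked refuses the body under the given mode."""
    try:
        parse_chunked(body, strict)
    except ChunkedParseError:
        return True
    return False


# Constructed sample bodies (not captured traffic).
VALID = b"5\r\nhello\r\n0\r\n\r\n"                      # well-formed
BARE_LF = b"5\nhello\n0\n\n"                              # LF-only terminators
EXTRA_BYTE = b"5\r\nhelloX\r\n0\r\n\r\n"                 # junk after chunk data
TRAILER = b"5\r\nhello\r\n6\r\n world\r\n0\r\nX-Trailer: 1\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("VALID", VALID), ("BARE_LF", BARE_LF),
                         ("EXTRA_BYTE", EXTRA_BYTE), ("TRAILER", TRAILER)]:
        verdicts = {mode: rejects(sample, strict=(mode == "strict"))
                    for mode in ("strict", "lenient")}
        print(f"{name:<10} strict rejects={verdicts['strict']!s:<5} "
              f"lenient rejects={verdicts['lenient']!s:<5}")
```

The line to watch is `BARE_LF`: the strict decoder refuses it, the lenient one happily returns `hello`. A front-end proxy and an origin that land on different sides of that decision no longer agree on the request boundary, which is the condition the advisory says is required (together with a buggy proxy) for exploitation, and the reason the fixed h11 simply stops accepting such bodies.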