Re: git: 72eea8b95e0f - main - net/py-h11: Update version 0.14.0=>0.16.0
- In reply to: Dima Panov : "Re: git: 72eea8b95e0f - main - net/py-h11: Update version 0.14.0=>0.16.0"
Date: Tue, 29 Apr 2025 14:51:20 UTC
Yes. I know that, and I have also mentioned this in the commit log.
The maintainer of httpcore has already been notified of the update
off the list.
Kind regards,
Moin
> On Apr 29, 2025, at 16:49, Dima Panov <fluffy@FreeBSD.org> wrote:
>
> Hello!
>
> This commit breaks www/py-httpcore (and consumers by chain)
>
> py311-httpcore-1.0.8 depends on package: py311-h11>=0.13<0.15 - not found
>
> 29.04.2025 16:10, Muhammad Moinur Rahman wrote:
>> The branch main has been updated by bofh:
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=72eea8b95e0f73093217e00f999ff2e17e71db5a
>> commit 72eea8b95e0f73093217e00f999ff2e17e71db5a
>> Author: Muhammad Moinur Rahman <bofh@FreeBSD.org>
>> AuthorDate: 2025-04-29 12:52:42 +0000
>> Commit: Muhammad Moinur Rahman <bofh@FreeBSD.org>
>> CommitDate: 2025-04-29 13:10:08 +0000
>> net/py-h11: Update version 0.14.0=>0.16.0
>> - This addresses the fix for CVE-2025-43859 — a critical vulnerability
>> affecting HTTP/1.1 connection handling.
>> - This update may break ports that depend on older h11 APIs, as some
>> interfaces and behaviors have changed in the new release.
>> Ports known or suspected to be affected should be tested carefully and
>> updated accordingly. A heads-up will also be sent to ports@.
>> Quarterly merge should take place after all the downstream ports have
>> been fixed for building.
>> Security: CVE-2025-43859
>> Changelog: https://github.com/python-hyper/h11/releases/tag/v0.16.0
>> MFH: 2025Q2
>> ---
>> net/py-h11/Makefile | 3 +--
>> net/py-h11/distinfo | 6 +++---
>> security/vuxml/vuln/2025.xml | 29 +++++++++++++++++++++++++++++
>> 3 files changed, 33 insertions(+), 5 deletions(-)
>> diff --git a/net/py-h11/Makefile b/net/py-h11/Makefile
>> index 0772575e8580..ac937d9dc0a4 100644
>> --- a/net/py-h11/Makefile
>> +++ b/net/py-h11/Makefile
>> @@ -1,6 +1,5 @@
>> PORTNAME= h11
>> -PORTVERSION= 0.14.0
>> -PORTREVISION= 1
>> +DISTVERSION= 0.16.0
>> CATEGORIES= net python
>> MASTER_SITES= PYPI
>> PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
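Review bot: this hunk bumps h11 to 0.16.0 but nothing in the commit relaxes the version constraints of the ports that consume it, even though the commit message itself says the update may break consumers; the reply above shows www/py-httpcore resolving `py311-h11>=0.13<0.15 - not found`. A library bump that invalidates a dependent's pinned range should either carry the fix to that dependent's Makefile in the same commit or wait for a reverse-dependency build to pass, otherwise main is left with an unresolvable dependency chain until a follow-up lands.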
>> diff --git a/net/py-h11/distinfo b/net/py-h11/distinfo
>> index a002b81548d6..470f83ddf207 100644
>> --- a/net/py-h11/distinfo
>> +++ b/net/py-h11/distinfo
>> @@ -1,3 +1,3 @@
>> -TIMESTAMP = 1667662218
>> -SHA256 (h11-0.14.0.tar.gz) = 8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d
>> -SIZE (h11-0.14.0.tar.gz) = 100418
>> +TIMESTAMP = 1745931106
>> +SHA256 (h11-0.16.0.tar.gz) = 4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1
>> +SIZE (h11-0.16.0.tar.gz) = 101250
>> diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
>> index d5bbf0fb3f3e..46ce1f46c383 100644
>> --- a/security/vuxml/vuln/2025.xml
>> +++ b/security/vuxml/vuln/2025.xml
>> @@ -1,3 +1,32 @@
>> + <vuln vid="df126e23-24fa-11f0-ab92-f02f7497ecda">
>> + <topic>h11 accepts some malformed Chunked-Encoding bodies</topic>
>> + <affects>
>> + <package>
>> + <name>py39-h11</name>
>> + <name>py310-h11</name>
>> + <name>py311-h11</name>
>> + <name>py312-h11</name>
>> + <range><lt>0.16.0</lt></range>
>> + </package>
>> + </affects>
>> + <description>
>> + <body xmlns="http://www.w3.org/1999/xhtml">
>> + <p>h11 reports:</p>
>> + <blockquote cite="https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj">
>> + <p>h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line t erminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issu e has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.</p>
>> + </blockquote>
>> + </body>
>> + </description>
>> + <references>
>> + <cvename>CVE-2025-43859</cvename>
>> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-43859</url>
>> + </references>
>> + <dates>
>> + <discovery>2025-04-24</discovery>
>> + <entry>2025-04-29</entry>
>> + </dates>
>> + </vuln>
>> +
>> <vuln vid="310f5923-211c-11f0-8ca6-6c3be5272acd">
>> <topic>Grafana -- Authorization bypass in data source proxy API</topic>
>> <affects>
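Review bot: `<references>` in the new entry lists only the CVE and the NVD URL, while the upstream advisory GHSA-vqfr-h8mv-ghfj appears solely as the `cite` attribute of the `<blockquote>`, which the rendered VuXML entry does not expose as a link; add `<url>https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj</url>` under `<references>` so readers reach the advisory that actually describes the issue. The `<name>` list enumerates flavors explicitly (py39 through py312), so it should be checked against the flavors the port currently builds for, since any flavor not listed will not be flagged by `pkg audit`.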
>
> --
> Sincerely,
> Dima (fluffy@FreeBSD.org, https://t.me/FluffyBSD, @fluffy:matrix-dev.freebsd.org)
> (desktop, kde, x11, office, ports-secteam)@FreeBSD team
>
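The advisory quoted in the commit above describes a leniency in how line terminators in chunked-coding bodies are parsed. As an added example, not code from h11 or from the ports commit, the following Python decoder accepts only an exact CRLF after each chunk-size line, each chunk's data and each trailer line, and rejects everything else; the `MalformedChunkedBody` exception, the regex and the sample bodies are constructed for this illustration.

```python
import re

# Chunk-size line: 1-16 hex digits, optional ";ext" chunk extensions, CRLF.
# Constructed for this example after RFC 9112 section 7.1; not h11's regex.
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,16})(;[^\r\n]*)?\r\n")


class MalformedChunkedBody(ValueError):
    """Raised when a body deviates from strict chunked-coding syntax."""


def decode_chunked_strict(data: bytes) -> bytes:
    """Decode a complete chunked-coded body, demanding exact CRLF terminators.

    A decoder that accepts a bare LF, or skips two arbitrary bytes after the
    chunk data, can disagree with a proxy in front of it about where one
    message ends and the next begins; rejecting anything but CRLF removes
    that ambiguity on this side of the connection.
    """
    pos, out = 0, bytearray()
    while True:
        m = _CHUNK_SIZE_LINE.match(data, pos)
        if m is None:
            raise MalformedChunkedBody(f"bad chunk-size line at offset {pos}")
        size, pos = int(m.group(1), 16), m.end()
        if size == 0:
            break  # last-chunk; the trailer section follows
        end = pos + size
        if data[end:end + 2] != b"\r\n":  # also catches a truncated body
            raise MalformedChunkedBody(f"chunk data at {pos} not CRLF-terminated")
        out += data[pos:end]
        pos = end + 2
    # Zero or more trailer fields, each CRLF-terminated, then an empty line.
    while True:
        nl = data.find(b"\r\n", pos)
        if nl == -1 or b"\n" in data[pos:nl]:
            raise MalformedChunkedBody("trailer section not CRLF-terminated")
        if nl == pos:  # empty line ends the trailer section
            pos += 2
            break
        pos = nl + 2
    if pos != len(data):
        raise MalformedChunkedBody(f"{len(data) - pos} bytes after the final CRLF")
    return bytes(out)


def is_well_formed_chunked(data: bytes) -> bool:
    """True when decode_chunked_strict() accepts the body unchanged."""
    try:
        decode_chunked_strict(data)
    except MalformedChunkedBody:
        return False
    return True
```

A parser on the other side of a proxy that tolerates a bare LF or two arbitrary bytes after chunk data would accept the bodies this decoder rejects, which is the disagreement the advisory warns about.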