Skip to content

Bump bundled llhttp to 9.2.1 #113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 16, 2024
Merged

Bump bundled llhttp to 9.2.1 #113

merged 1 commit into from
Oct 16, 2024

Conversation

elprans
Copy link
Member

@elprans elprans commented Oct 16, 2024

CVE-2024-27982

Adjust tests that relied on header folding.

Fixes: #111

@elprans elprans requested a review from fantix October 16, 2024 17:36
@elprans elprans mentioned this pull request Oct 16, 2024
Closed
@elprans
Bump bundled llhttp to 9.2.1
381aaef 
CVE-2024-27982

Expose leniency flags via the new `set_dangerous_leniencies` parser
method if somebody needs to opt into the old vulnerable behavior.

Fixes: #111
@elprans elprans requested a review from fantix October 16, 2024 18:26
@elprans elprans merged commit 560bd9e into master Oct 16, 2024
18 checks passed
elprans added a commit that referenced this pull request Oct 16, 2024
@elprans
httptools 0.6.3
5e720bf 
Fixes
=====

* Fix missing CR is some tests
  (by @mgorny in 21a199d for #112)

* Bump bundled llhttp to 9.2.1
  Fixes CVE-2024-27982
  (by @elprans in 560bd9e for #113)
@elprans elprans mentioned this pull request Oct 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fantix fantix fantix approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vendored llhttp 8.1.1 is vulnerable
2 participants
@elprans @fantix