Version 0.19.0 #1641
@Kludex httptools 5.0.0 just got released with the CVE fixes in llhttp. It seems it will get included in uvicorn automatically when you create a release, but I'm not sure. Perhaps it's best to bump the version explicitly... thanks for checking it.
I'd like to make a release soon. 🙏
Note: I made a PR in the httptools project for the latest llhttp (v6.0.10) update... but guess it's wise to first proceed with this httptools 0.5.0 in uvicorn 0.19.0 and, when we get a new httptools version, queue it for the following uvicorn...
Would you mind sharing the link?
But there's nothing uvicorn needs to do... Unless the bump solved any CVE.
httptools v5.0.0 contains llhttp release/v6.0.9; this included some fixes for the 3 CVEs that were done in llhttp release/v6.0.7.
llhttp release/v6.0.10 seems to update a resolution for CVE-2022-32213.
nodejs https://github.com/nodejs/node/releases/tag/v18.9.1 has a paragraph about llhttp that mentions a bit more:
There are 3 changes in src/llhttp/http.ts:
So without reverse engineering the entire llhttp release/v6.0.10 commit, it seemed to me there are actual improvements made for the CVE in relation to obs-folds... that I guess were missed in the patch for the same CVE. If you want to know more, please check the patch or ask ShokunPanda, who makes the patches for the llhttp project. I'm just a random user that's trying to be instrumental to get fixes into uvicorn asap.
This is the link I wanted: MagicStack/httptools#86 🙏
@nlsj1985 I can confirm, folks. All OBS fold CVEs are fixed in 6.0.10. Next week I plan to release llhttp 7 with more features about passable callbacks and chunked encoding parsing, just FYI.
Thanks for coming here, and let us know. Much appreciated! 🙏
You're welcome! 😉
Ready for release. GitHub release draft ready as well.
Great. 🌟
I'll release it tonight. Thanks @tomchristie 🙏
Checklist
- --debug flag #1640
- httptools version to 0.5.0 #1645

Diff: 0.18.3...master
Draft: https://github.com/encode/uvicorn/releases/tag/untagged-8b346412076c82a9e8cc