
Possible breakage due to new http-parser library in unstable and testing, later in stable



Hello,

the http-parser library was updated from 2.9.2 to 2.9.4 in unstable and
testing, the only change upstream worth mentioning was implementing a
protection against "request smuggling" in a rather restrictive
understanding of RFC 7320. The issue is also known as CVE-2019-15605.

As a result, applications using that library may experience errors in
situations that worked in the past. The reverse dependencies in Debian
passed a rebuild, with ruby-http-parser.rb as exception (already fixed
via NMU). Outside that, there was no way of testing, so this heads-up.

After some settling I plan to address the issue in Debian 10
(stable/"buster") as well, with foreseeably the same effects. If you
think this will break things in an unacceptable way, let me know.

Aside, http-parser upstream is dead. Debian 11 ("bullseye") will still
ship the package but I'll try to have it removed before 12. If anyone
wishes to package the designated successor "llhttp", that would make
quite a few people happy. RFP is #977716.

    Christoph
