From 61d106a577e7c03f1e2e6320885d41d835ae6ac16fcf6c740067e6adc817d6b6 Mon Sep 17 00:00:00 2001
From: OBS User buildservice-autocommit
Date: Fri, 22 Sep 2023 19:46:56 +0000
Subject: [PATCH] Updating link to change in openSUSE:Factory/python-gevent revision 45

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-gevent?expand=0&rev=4606ff1e4655d60a2171bc80e74ce243
---
 python-gevent.changes | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/python-gevent.changes b/python-gevent.changes
index eab47d8..79ba8e8 100644
--- a/python-gevent.changes
+++ b/python-gevent.changes
@@ -1,6 +1,46 @@ ------------------------------------------------------------------- Mon Sep 18 19:07:56 UTC 2023 - Dirk Müller +- update to 23.9.0 (CVE-2023-41419): + * Make ``gevent.select.select`` accept arbitrary iterables, not + just sequences. That is, you can now pass in a generator of file + descriptors instead of a realized list. Internally, arbitrary + iterables are copied into lists. This better matches what the + standard library does. + * On Python 3.11 and newer, opt out of Cython's fast exception + manipulation, which *may* be causing problems in certain + circumstances when combined with greenlets. + * On all versions of Python, adjust some error handling in the + default * -based loop. This fixes several assertion failures + on debug versions of CPython. Hopefully it has a positive + impact under real conditions. + * Make ``gevent.pywsgi`` comply more closely with the HTTP + specification for chunked transfer encoding. In particular, + we are much stricter about trailers, and trailers that are + invalid (too long or featuring disallowed characters) forcibly + close the connection to the client *after* the results have + been sent. + * Trailers otherwise continue to be ignored and are not + available to the WSGI application. + Previously, carefully crafted invalid trailers in chunked + requests on keep-alive connections might appear as two + requests to ``gevent.pywsgi``. Because this was handled + exactly as a normal keep-alive connection with two requests, + the WSGI application should handle it normally. However, if + you were counting on some upstream server to filter incoming + requests based on paths or header fields, and the upstream + server simply passed trailers through without + validating them, then this embedded second request would + bypass those checks. 
+ (If the upstream server validated that the trailers + meet the* HTTP specification, this could not occur, + because characters that are required in an HTTP request, + like a space, are not allowed in trailers.) CVE-2023-41419 + was reserved for this. + +------------------------------------------------------------------- +Mon Sep 18 19:07:56 UTC 2023 - Dirk Müller + - update to 23.9.0 (bsc#1215469, CVE-2023-41419): * Make ``gevent.select.select`` accept arbitrary iterables, not just sequences. That is, you can now pass in a generator of file
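Review bot: the block added in this hunk duplicates the changelog entry that already follows it (same header `Mon Sep 18 19:07:56 UTC 2023 - Dirk Müller`, same `update to 23.9.0` text), and the new copy drops the bug reference: it reads `- update to 23.9.0 (CVE-2023-41419):` where the existing entry reads `- update to 23.9.0 (bsc#1215469, CVE-2023-41419):`. Either drop the added block so the file keeps a single entry, or merge the two into one entry that retains `bsc#1215469`, so the CVE-2023-41419 fix stays traceable to its Bugzilla ticket. Two added lines also carry stray markup, `default * -based loop` and `meet the* HTTP specification`; the first has lost the name of the event loop entirely and should be restored from the upstream 23.9.0 release notes rather than shipped as a bare asterisk. Since this entry is what records the security fix (invalid trailers in chunked requests on keep-alive connections being parsed as a second request that bypasses an upstream filter), the wording of that paragraph is worth keeping intact and in one place.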