Update vyos-http-api-tools for package h11 security advisory
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	jestabro
	Apr 25 2025, 1:52 PM

Description

A leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities in the presence of a buggy reverse proxy.

Though the latter condition is not known to be present, we will upgrade to avoid the possibility.

Regenerate requirements to upgrade h11 to version >= 0.16.0.

Details

Version: -
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In: 1.4.3

Event Timeline

jestabro created this task.Apr 25 2025, 1:52 PM

jestabro triaged this task as High priority.

jestabro added projects: VyOS 1.5 Circinus, VyOS 1.4 Sagitta (1.4.3).Apr 25 2025, 1:58 PM

pasik subscribed.Apr 25 2025, 3:06 PM

PR
https://github.com/vyos/vyos-http-api-tools/pull/22
Opt to upgrade h11 package version only; cf. comments there.

Backports:
https://github.com/VyOS-Networks/vyos-http-api-tools/pull/8
https://github.com/VyOS-Networks/vyos-http-api-tools/pull/7

jestabro closed this task as Resolved.May 4 2025, 8:00 PM

jestabro moved this task from Open to Finished on the VyOS 1.5 Circinus board.

jestabro moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.3) board.

jestabro moved this task from Need Triage to Completed on the VyOS Rolling board.

dmbaturin mentioned this in 1.4.3.Jul 17 2025, 8:18 AM

Update vyos-http-api-tools for package h11 security advisoryClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Update vyos-http-api-tools for package h11 security advisory
Closed, ResolvedPublic
Actions