Skip to content

vulnerability in libuv v1.46.0 #615

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
javaccar opened this issue Aug 13, 2024 · 3 comments
Closed

vulnerability in libuv v1.46.0 #615

javaccar opened this issue Aug 13, 2024 · 3 comments

Comments

@javaccar
Copy link

  • uvloop version: 0.19.0
  • Python version: 3.11
  • Platform: linux
  • Can you reproduce the bug with PYTHONASYNCIODEBUG in env?: n/a
  • Does uvloop behave differently from vanilla asyncio? How?: n/a

uvloop uses libuv v1.46.0, which has a security vulnerability https://nvd.nist.gov/vuln/detail/CVE-2024-24806
the vulnerability was fixed in libuv v1.48.0 but uvloop is still using v1.46.0.
@fantix fantix mentioned this issue Aug 14, 2024
Closed
@fantix
Copy link
Member

fantix commented Aug 14, 2024

#600 would fix this

@javaccar
Copy link
Author

Thanks @fantix ! Appreciate the quick response. I see #600 was just merged. Plans to cut a release and publish to pypi?

@fantix
Copy link
Member

fantix commented Aug 15, 2024

No problem! Yes, I'll cut it tomorrow.

fantix added a commit that referenced this issue Aug 15, 2024
@fantix
uvloop 0.20.0
2d35f10 
Changes
=======

* Upgrade libuv to v1.48.0 (#600)
  (by @niklasr22 @fantix in 7777852 for #596 #615)

Fixes
=====

* Fix test_create_server_4 with Python 3.12.5 (#614)
  (by @shadchin in 62f9239)

* Use len(os.sched_getaffinity(0)) instead of os.cpu_count() (#591)
  (by @avkarenow in c8531c2 for #591)

* Inline _Py_RestoreSignals() from CPython (#604)
  (by @befeleme in 8511ba1 for #603)
@fantix fantix mentioned this issue Aug 15, 2024
Merged
edgarrmondragon pushed a commit to edgarrmondragon/uvloop that referenced this issue Aug 19, 2024
@fantix @edgarrmondragon
uvloop 0.20.0
387b660 
Changes
=======

* Upgrade libuv to v1.48.0 (MagicStack#600)
  (by @niklasr22 @fantix in 7777852 for MagicStack#596 MagicStack#615)

Fixes
=====

* Fix test_create_server_4 with Python 3.12.5 (MagicStack#614)
  (by @shadchin in 62f9239)

* Use len(os.sched_getaffinity(0)) instead of os.cpu_count() (MagicStack#591)
  (by @avkarenow in c8531c2 for MagicStack#591)

* Inline _Py_RestoreSignals() from CPython (MagicStack#604)
  (by @befeleme in 8511ba1 for MagicStack#603)
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bump libuv to 1.48 MagicStack/uvloop
2 participants
@fantix @javaccar