vulnerability in libuv v1.46.0 #615

Closed
javaccar opened this issue Aug 13, 2024 · 3 comments

@javaccar

  • uvloop version: 0.19.0
  • Python version: 3.11
  • Platform: linux
  • Can you reproduce the bug with PYTHONASYNCIODEBUG in env?: n/a
  • Does uvloop behave differently from vanilla asyncio? How?: n/a

uvloop uses libuv v1.46.0, which has a security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2024-24806
The vulnerability was fixed in libuv v1.48.0, but uvloop is still using v1.46.0.

@fantix
Member

fantix commented Aug 14, 2024

#600 would fix this

@javaccar
Author

Thanks @fantix! Appreciate the quick response. I see #600 was just merged. Plans to cut a release and publish to PyPI?

@fantix
Member

fantix commented Aug 15, 2024

No problem! Yes, I'll cut it tomorrow.

fantix added a commit that referenced this issue Aug 15, 2024
Changes
=======

* Upgrade libuv to v1.48.0 (#600)
  (by @niklasr22 @fantix in 7777852 for #596 #615)

Fixes
=====

* Fix test_create_server_4 with Python 3.12.5 (#614)
  (by @shadchin in 62f9239)

* Use len(os.sched_getaffinity(0)) instead of os.cpu_count() (#591)
  (by @avkarenow in c8531c2 for #591)

* Inline _Py_RestoreSignals() from CPython (#604)
  (by @befeleme in 8511ba1 for #603)
edgarrmondragon pushed a commit to edgarrmondragon/uvloop that referenced this issue Aug 19, 2024