pkgsrc-Changes archive


CVS commit: pkgsrc/www/py-daphne



Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Jun 11 12:44:39 UTC 2026

Modified Files:
        pkgsrc/www/py-daphne: Makefile distinfo

Log Message:
py-daphne: updated to 4.2.2

4.2.2 (2026-06-03)

* Fixed a denial of service vulnerability via unbounded WebSocket message sizes.
  Daphne previously passed no message or frame size limits to autobahn,
  whose defaults are unbounded. This allowed an unauthenticated client
  to exhaust server memory by sending very large WebSocket
  messages/frames (CVE-2026-44545).

  Both limits now default to 1 MiB and can be configured via the new
  ``--websocket-max-message-size`` and ``--websocket-max-frame-size`` CLI
  flags (or the matching ``Server`` constructor arguments). Pass ``0`` to
  restore the previous unlimited behaviour.

  Thanks to ParkHyunWoo for the report.

* Fixed a header injection vulnerability on the WebSocket upgrade path
  (CVE-2026-44546).

  Header values containing ``\x0b``, ``\x0c``, ``\x1c``, ``\x1d``, ``\x1e``,
  or ``\x85`` were parsed as a single header by Twisted but split into
  multiple headers by autobahn during the WebSocket handshake. An attacker
  could exploit this parser differential to smuggle additional headers
  (e.g. authentication tokens, ``X-Forwarded-For``, ``Origin``,
  ``Daphne-Root-Path``) into the ASGI scope passed to the application.

  Daphne now rejects requests carrying these bytes in any header value with
  a 400 Bad Request response, as required by RFC 9110 §5.5.

  Thanks to Rene Henningsen for the report.

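The header-value check described in the CVE-2026-44546 entry above, as an added example that is not Daphne's or autobahn's own code. It shows why exactly those six bytes matter: in Python, `str.splitlines()` treats them as line boundaries while `bytes.splitlines()` knows only CR/LF, so a handshake parser working on decoded text can see more header lines than one working on raw bytes. The function and header-list shape are assumptions for illustration, not Daphne's API.

```python
from typing import List, Optional, Set, Tuple

# The six bytes named in the changelog, plus CR, LF and NUL, which RFC 9110
# section 5.5 already forbids inside a field value.
REJECTED_BYTES = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")
FORBIDDEN_IN_FIELD_VALUE = REJECTED_BYTES | frozenset({0x00, 0x0A, 0x0D})


def text_vs_bytes_split_differential() -> Set[int]:
    """Find every single byte on which a text-mode line split and a
    byte-mode line split of the same header block disagree.

    This recomputes the block list from Python's own semantics rather
    than hard-coding it: latin-1 decoding maps each byte to one code
    point, so the only difference is which code points splitlines()
    treats as line breaks.
    """
    differ = set()
    for b in range(256):
        raw = b"name: a" + bytes([b]) + b"b\r\n"
        text_lines = len(raw.decode("latin-1").splitlines())
        byte_lines = len(raw.splitlines())
        if text_lines != byte_lines:
            differ.add(b)
    return differ


def check_header_values(headers: List[Tuple[bytes, bytes]]) -> Optional[int]:
    """Return 400 if any header value carries a forbidden byte, else None.

    `headers` mimics the ASGI scope layout: a list of (name, value) byte
    pairs. Rejecting early, before the handshake is handed to a second
    parser, closes the differential regardless of how that parser splits.
    """
    for _name, value in headers:
        if any(b in FORBIDDEN_IN_FIELD_VALUE for b in value):
            return 400
    return None


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    clean = [(b"origin", b"https://example.test")]
    tainted = [(b"origin", b"https://example.test\x1ex-constructed: 1")]
    print(sorted(hex(b) for b in text_vs_bytes_split_differential()))
    print(check_header_values(clean), check_header_values(tainted))
```

Running the differential check confirms that the set of disagreeing bytes is exactly the six listed in the changelog, so a validator built from that list (plus CR/LF/NUL) is neither too narrow nor too broad for this particular splitting mismatch.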

To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 pkgsrc/www/py-daphne/Makefile
cvs rdiff -u -r1.26 -r1.27 pkgsrc/www/py-daphne/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-daphne/Makefile
diff -u pkgsrc/www/py-daphne/Makefile:1.35 pkgsrc/www/py-daphne/Makefile:1.36
--- pkgsrc/www/py-daphne/Makefile:1.35  Thu Dec 11 15:14:55 2025
+++ pkgsrc/www/py-daphne/Makefile       Thu Jun 11 12:44:39 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.35 2025/12/11 15:14:55 adam Exp $
+# $NetBSD: Makefile,v 1.36 2026/06/11 12:44:39 adam Exp $
 
-DISTNAME=      daphne-4.2.1
+DISTNAME=      daphne-4.2.2
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    www python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=d/daphne/}
@@ -19,15 +19,13 @@ TEST_DEPENDS+=      ${PYPKGPREFIX}-test-async
 
 USE_LANGUAGES= # none
 
+PY_RENAME_BINARIES=    daphne
+
 PYTHON_VERSIONS_INCOMPATIBLE=  310 # py-autobahn
 
 # test fails with:
 # https://github.com/django/daphne/issues/522
 # ModuleNotFoundError: No module named 'http_strategies'
 
-post-install:
-       cd ${DESTDIR}${PREFIX}/bin && \
-       ${MV} daphne daphne-${PYVERSSUFFIX} || ${TRUE}
-
 .include "../../lang/python/wheel.mk"
 .include "../../mk/bsd.pkg.mk"
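Review bot: the removed post-install target at the end of this hunk ran the rename under `|| ${TRUE}`, which would have silently succeeded if the `daphne` script were missing from `${DESTDIR}${PREFIX}/bin`; replacing it with `PY_RENAME_BINARIES= daphne` hands the versioned rename to the Python framework, so a missing script is no longer masked by a hand-rolled `mv`. The comment above it ("test fails with: ... issue 522 ... ModuleNotFoundError: No module named 'http_strategies'") is carried over unchanged; worth re-running the test target against 4.2.2 to confirm the note is still accurate.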

Index: pkgsrc/www/py-daphne/distinfo
diff -u pkgsrc/www/py-daphne/distinfo:1.26 pkgsrc/www/py-daphne/distinfo:1.27
--- pkgsrc/www/py-daphne/distinfo:1.26  Tue Sep  2 14:32:34 2025
+++ pkgsrc/www/py-daphne/distinfo       Thu Jun 11 12:44:39 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.26 2025/09/02 14:32:34 adam Exp $
+$NetBSD: distinfo,v 1.27 2026/06/11 12:44:39 adam Exp $
 
-BLAKE2s (daphne-4.2.1.tar.gz) = cf73cf020c962fdbb20f6d578f13f6cd1250999efd166e35198caa121d3b5c23
-SHA512 (daphne-4.2.1.tar.gz) = 9e3174ef784809ee8a8ea89d1bc71b66517dc90ceb65bba6043687a949eaaf616d7b73f192ad9df9864cb9bb135f4d55ecaf182b1166a52c2f27ac9be1ae9509
-Size (daphne-4.2.1.tar.gz) = 45600 bytes
+BLAKE2s (daphne-4.2.2.tar.gz) = d154eb1958bf520ac034b1624ebb22e4a5415e53682803cbb2db09b6a66c1212
+SHA512 (daphne-4.2.2.tar.gz) = f005bbbd88f5a87967f6ebe744b6cba99df5b7cdd90199ec2375ec985a0317f5f2b75842a00f046208d75979d2dd253d7784dea0868e8805093f493e3bafec77
+Size (daphne-4.2.2.tar.gz) = 47601 bytes
