Compare commits
	
		
			No commits in common. "c8" and "c9-beta" have entirely different histories.
		
	
	
		
	
		
							
								
								
									
										2
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
									
									
								
							| @ -1 +1 @@ | ||||
| SOURCES/urllib3-1.24.2.tar.gz | ||||
| SOURCES/urllib3-1.26.5.tar.gz | ||||
|  | ||||
| @ -1 +1 @@ | ||||
| 02f5f10287e42a0e9d8666bbec9c51c4aec5bfc7 SOURCES/urllib3-1.24.2.tar.gz | ||||
| 2870de19c1a575dab12f5d65080ed65d4957d4b2 SOURCES/urllib3-1.26.5.tar.gz | ||||
|  | ||||
							
								
								
									
										38
									
								
								SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| @ -0,0 +1,38 @@ | ||||
| From f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 Mon Sep 17 00:00:00 2001 | ||||
| From: Hasan Ramezani <hasan.r67@gmail.com> | ||||
| Date: Thu, 20 Jan 2022 15:56:02 +0100 | ||||
| Subject: [PATCH] [1.26] Add server_hostname to SSL_KEYWORDS | ||||
| 
 | ||||
| ---
 | ||||
|  src/urllib3/poolmanager.py                | 1 + | ||||
|  test/with_dummyserver/test_poolmanager.py | 5 +++++ | ||||
|  2 files changed, 6 insertions(+) | ||||
| 
 | ||||
| diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
 | ||||
| index 3a31a285bf..ca4ec34118 100644
 | ||||
| --- a/src/urllib3/poolmanager.py
 | ||||
| +++ b/src/urllib3/poolmanager.py
 | ||||
| @@ -34,6 +34,7 @@
 | ||||
|      "ca_cert_dir", | ||||
|      "ssl_context", | ||||
|      "key_password", | ||||
| +    "server_hostname",
 | ||||
|  ) | ||||
|   | ||||
|  # All known keyword arguments that could be provided to the pool manager, its | ||||
| diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
 | ||||
| index d877cc99ac..fa07a372a9 100644
 | ||||
| --- a/test/with_dummyserver/test_poolmanager.py
 | ||||
| +++ b/test/with_dummyserver/test_poolmanager.py
 | ||||
| @@ -346,6 +346,11 @@ def test_http_with_ssl_keywords(self):
 | ||||
|              r = http.request("GET", "http://%s:%s/" % (self.host, self.port)) | ||||
|              assert r.status == 200 | ||||
|   | ||||
| +    def test_http_with_server_hostname(self):
 | ||||
| +        with PoolManager(server_hostname="example.com") as http:
 | ||||
| +            r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
 | ||||
| +            assert r.status == 200
 | ||||
| +
 | ||||
|      def test_http_with_ca_cert_dir(self): | ||||
|          with PoolManager(ca_certs="REQUIRED", ca_cert_dir="/nosuchdir") as http: | ||||
|              r = http.request("GET", "http://%s:%s/" % (self.host, self.port)) | ||||
| @ -1,162 +0,0 @@ | ||||
| From 9f6aa6b5f06ecfcfea2084d88f377c6e9dba5ce2 Mon Sep 17 00:00:00 2001 | ||||
| From: Ryan Petrello <rpetrell@redhat.com> | ||||
| Date: Tue, 30 Apr 2019 12:36:48 -0400 | ||||
| Subject: [PATCH 1/3] prevent CVE-2019-9740 in 1.24.x | ||||
| 
 | ||||
| adapted from https://github.com/python/cpython/pull/12755 | ||||
| ---
 | ||||
|  test/test_util.py   | 5 +++++ | ||||
|  src/urllib3/util/url.py | 8 ++++++++ | ||||
|  2 files changed, 13 insertions(+) | ||||
| 
 | ||||
| diff --git a/test/test_util.py b/test/test_util.py
 | ||||
| index 73d9452..dc6ffd0 100644
 | ||||
| --- a/test/test_util.py
 | ||||
| +++ b/test/test_util.py
 | ||||
| @@ -200,6 +200,11 @@ class TestUtil(object):
 | ||||
|          with pytest.raises(ValueError): | ||||
|              parse_url('[::1') | ||||
|   | ||||
| +    def test_parse_url_contains_control_characters(self):
 | ||||
| +        # see CVE-2019-9740
 | ||||
| +        with pytest.raises(LocationParseError):
 | ||||
| +            parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
 | ||||
| +
 | ||||
|      def test_Url_str(self): | ||||
|          U = Url('http', host='google.com') | ||||
|          assert str(U) == U.url | ||||
| diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
 | ||||
| index 6b6f996..e8e1bd7 100644
 | ||||
| --- a/src/urllib3/util/url.py
 | ||||
| +++ b/src/urllib3/util/url.py
 | ||||
| @@ -1,5 +1,6 @@
 | ||||
|  from __future__ import absolute_import | ||||
|  from collections import namedtuple | ||||
| +import re
 | ||||
|   | ||||
|  from ..exceptions import LocationParseError | ||||
|   | ||||
| @@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
 | ||||
|  # urllib3 infers URLs without a scheme (None) to be http. | ||||
|  NORMALIZABLE_SCHEMES = ('http', 'https', None) | ||||
|   | ||||
| +_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
 | ||||
| +
 | ||||
|   | ||||
|  class Url(namedtuple('Url', url_attrs)): | ||||
|      """ | ||||
| @@ -155,6 +158,11 @@ def parse_url(url):
 | ||||
|          # Empty | ||||
|          return Url() | ||||
|   | ||||
| +    # Prevent CVE-2019-9740.
 | ||||
| +    # adapted from https://github.com/python/cpython/pull/12755
 | ||||
| +    if _contains_disallowed_url_pchar_re.search(url):
 | ||||
| +        raise LocationParseError("URL can't contain control characters. {!r}".format(url))
 | ||||
| +
 | ||||
|      scheme = None | ||||
|      auth = None | ||||
|      host = None | ||||
| -- 
 | ||||
| 2.20.1 | ||||
| 
 | ||||
| 
 | ||||
| From ecc15bd412354ad916712113b0e426f8bc6cf52d Mon Sep 17 00:00:00 2001 | ||||
| From: Ryan Petrello <lists@ryanpetrello.com> | ||||
| Date: Wed, 1 May 2019 16:46:44 -0400 | ||||
| Subject: [PATCH 2/3] avoid CVE-2019-9740 by percent-encoding invalid path | ||||
|  characters | ||||
| 
 | ||||
| this is to avoid breaking changes in downstream libraries like requests | ||||
| ---
 | ||||
|  test/test_util.py   | 4 ++-- | ||||
|  src/urllib3/util/url.py | 4 ++-- | ||||
|  2 files changed, 4 insertions(+), 4 deletions(-) | ||||
| 
 | ||||
| diff --git a/test/test_util.py b/test/test_util.py
 | ||||
| index dc6ffd0..d139329 100644
 | ||||
| --- a/test/test_util.py
 | ||||
| +++ b/test/test_util.py
 | ||||
| @@ -202,8 +202,8 @@ class TestUtil(object):
 | ||||
|   | ||||
|      def test_parse_url_contains_control_characters(self): | ||||
|          # see CVE-2019-9740 | ||||
| -        with pytest.raises(LocationParseError):
 | ||||
| -            parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
 | ||||
| +        url = parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
 | ||||
| +        assert url.path == '/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:'
 | ||||
|   | ||||
|      def test_Url_str(self): | ||||
|          U = Url('http', host='google.com') | ||||
| diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
 | ||||
| index e8e1bd7..12b8d55 100644
 | ||||
| --- a/src/urllib3/util/url.py
 | ||||
| +++ b/src/urllib3/util/url.py
 | ||||
| @@ -3,6 +3,7 @@ from collections import namedtuple
 | ||||
|  import re | ||||
|   | ||||
|  from ..exceptions import LocationParseError | ||||
| +from ..packages.six.moves.urllib.parse import quote
 | ||||
|   | ||||
|   | ||||
|  url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment'] | ||||
| @@ -160,8 +161,7 @@ def parse_url(url):
 | ||||
|   | ||||
|      # Prevent CVE-2019-9740. | ||||
|      # adapted from https://github.com/python/cpython/pull/12755 | ||||
| -    if _contains_disallowed_url_pchar_re.search(url):
 | ||||
| -        raise LocationParseError("URL can't contain control characters. {!r}".format(url))
 | ||||
| +    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
 | ||||
|   | ||||
|      scheme = None | ||||
|      auth = None | ||||
| -- 
 | ||||
| 2.20.1 | ||||
| 
 | ||||
| 
 | ||||
| From 6cda449df587fd37135ee76a9253dc8e12e53c05 Mon Sep 17 00:00:00 2001 | ||||
| From: Seth Michael Larson <sethmichaellarson@gmail.com> | ||||
| Date: Thu, 2 May 2019 09:02:24 -0500 | ||||
| Subject: [PATCH 3/3] Also test unicode and query | ||||
| 
 | ||||
| ---
 | ||||
|  test/test_util.py | 22 +++++++++++++++++++--- | ||||
|  1 file changed, 19 insertions(+), 3 deletions(-) | ||||
| 
 | ||||
| diff --git a/test/test_util.py b/test/test_util.py
 | ||||
| index d139329..fa53aaf 100644
 | ||||
| --- a/test/test_util.py
 | ||||
| +++ b/test/test_util.py
 | ||||
| @@ -200,10 +200,26 @@ class TestUtil(object):
 | ||||
|          with pytest.raises(ValueError): | ||||
|              parse_url('[::1') | ||||
|   | ||||
| -    def test_parse_url_contains_control_characters(self):
 | ||||
| +    @pytest.mark.parametrize('url, expected_url', [
 | ||||
| +        (
 | ||||
| +            'http://localhost/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:',
 | ||||
| +            Url('http', host='localhost', port=None,
 | ||||
| +                path='/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:')
 | ||||
| +        ),
 | ||||
| +        (
 | ||||
| +            u'http://localhost/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:',
 | ||||
| +            Url('http', host='localhost', port=None,
 | ||||
| +                path='/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:')
 | ||||
| +        ),
 | ||||
| +        (
 | ||||
| +            'http://localhost/ ?q=\r\n',
 | ||||
| +            Url('http', host='localhost', path='/%20', query='q=%0D%0A')
 | ||||
| +        ),
 | ||||
| +    ])
 | ||||
| +    def test_parse_url_contains_control_characters(self, url, expected_url):
 | ||||
|          # see CVE-2019-9740 | ||||
| -        url = parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
 | ||||
| -        assert url.path == '/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:'
 | ||||
| +        url = parse_url(url)
 | ||||
| +        assert url == expected_url
 | ||||
|   | ||||
|      def test_Url_str(self): | ||||
|          U = Url('http', host='google.com') | ||||
| -- 
 | ||||
| 2.20.1 | ||||
| 
 | ||||
| @ -1,37 +0,0 @@ | ||||
| diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
 | ||||
| index 02b3665..1ab1890 100644
 | ||||
| --- a/src/urllib3/connection.py
 | ||||
| +++ b/src/urllib3/connection.py
 | ||||
| @@ -1,4 +1,5 @@
 | ||||
|  from __future__ import absolute_import | ||||
| +import re
 | ||||
|  import datetime | ||||
|  import logging | ||||
|  import os | ||||
| @@ -61,6 +62,8 @@ port_by_scheme = {
 | ||||
|  # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months) | ||||
|  RECENT_DATE = datetime.date(2017, 6, 30) | ||||
|   | ||||
| +_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
 | ||||
| +
 | ||||
|   | ||||
|  class DummyConnection(object): | ||||
|      """Used to detect a failed ConnectionCls import.""" | ||||
| @@ -181,6 +184,17 @@ class HTTPConnection(_HTTPConnection, object):
 | ||||
|          conn = self._new_conn() | ||||
|          self._prepare_conn(conn) | ||||
|   | ||||
| +    def putrequest(self, method, url, *args, **kwargs):
 | ||||
| +        """Send a request to the server"""
 | ||||
| +        match = _CONTAINS_CONTROL_CHAR_RE.search(method)
 | ||||
| +        if match:
 | ||||
| +            raise ValueError(
 | ||||
| +                "Method cannot contain non-token characters %r (found at least %r)"
 | ||||
| +                % (method, match.group())
 | ||||
| +            )
 | ||||
| +
 | ||||
| +        return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
 | ||||
| +
 | ||||
|      def request_chunked(self, method, url, body=None, headers=None): | ||||
|          """ | ||||
|          Alternative to the common request method, which sends the | ||||
| @ -1,39 +1,53 @@ | ||||
| From 24603488c43a7cbaffcff7e69a72ad9bb4604acf Mon Sep 17 00:00:00 2001 | ||||
| From 5fe72b64a10e9cb5c5e2b9de46401b6c7bb226e9 Mon Sep 17 00:00:00 2001 | ||||
| From: Lumir Balhar <lbalhar@redhat.com> | ||||
| Date: Thu, 12 Oct 2023 14:08:31 +0200 | ||||
| Date: Thu, 12 Oct 2023 14:27:36 +0200 | ||||
| Subject: [PATCH] CVE-2023-43804 | ||||
| 
 | ||||
| ---
 | ||||
|  src/urllib3/util/retry.py | 2 +- | ||||
|  test/test_retry.py        | 2 +- | ||||
|  2 files changed, 2 insertions(+), 2 deletions(-) | ||||
|  src/urllib3/util/retry.py     | 2 +- | ||||
|  test/test_retry.py            | 2 +- | ||||
|  test/test_retry_deprecated.py | 2 +- | ||||
|  3 files changed, 3 insertions(+), 3 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
 | ||||
| index 02429ee..c4a687c 100644
 | ||||
| index 180e82b..63c02ee 100644
 | ||||
| --- a/src/urllib3/util/retry.py
 | ||||
| +++ b/src/urllib3/util/retry.py
 | ||||
| @@ -151,7 +151,7 @@ class Retry(object):
 | ||||
|   | ||||
| @@ -217,7 +217,7 @@ class Retry(object):
 | ||||
|      RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) | ||||
|   | ||||
| -    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
 | ||||
| +    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization'])
 | ||||
|      #: Default headers to be used for ``remove_headers_on_redirect`` | ||||
| -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
 | ||||
| +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 | ||||
|   | ||||
|      #: Maximum backoff time. | ||||
|      BACKOFF_MAX = 120 | ||||
| diff --git a/test/test_retry.py b/test/test_retry.py
 | ||||
| index 7546c43..b6d52bf 100644
 | ||||
| index 3e71efe..e9270bb 100644
 | ||||
| --- a/test/test_retry.py
 | ||||
| +++ b/test/test_retry.py
 | ||||
| @@ -253,7 +253,7 @@ class TestRetry(object):
 | ||||
| @@ -293,7 +293,7 @@ class TestRetry(object):
 | ||||
|      def test_retry_default_remove_headers_on_redirect(self): | ||||
|          retry = Retry() | ||||
|   | ||||
| -        assert list(retry.remove_headers_on_redirect) == ['authorization']
 | ||||
| +        assert retry.remove_headers_on_redirect == {'authorization', 'cookie'}
 | ||||
| -        assert list(retry.remove_headers_on_redirect) == ["authorization"]
 | ||||
| +        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 | ||||
|   | ||||
|      def test_retry_set_remove_headers_on_redirect(self): | ||||
|          retry = Retry(remove_headers_on_redirect=['x-api-secret']) | ||||
|          retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) | ||||
| diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
 | ||||
| index eafecc4..d18f94c 100644
 | ||||
| --- a/test/test_retry_deprecated.py
 | ||||
| +++ b/test/test_retry_deprecated.py
 | ||||
| @@ -295,7 +295,7 @@ class TestRetry(object):
 | ||||
|      def test_retry_default_remove_headers_on_redirect(self): | ||||
|          retry = Retry() | ||||
|   | ||||
| -        assert list(retry.remove_headers_on_redirect) == ["authorization"]
 | ||||
| +        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 | ||||
|   | ||||
|      def test_retry_set_remove_headers_on_redirect(self): | ||||
|          retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) | ||||
| -- 
 | ||||
| 2.41.0 | ||||
| 
 | ||||
|  | ||||
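Review bot: The change in src/urllib3/util/retry.py only widens the class default `DEFAULT_REMOVE_HEADERS_ON_REDIRECT`. Judging by the neighbouring test `Retry(remove_headers_on_redirect=["X-API-Secret"])`, a caller that passes its own list replaces that default, so `Cookie` would presumably still be forwarded across hosts for those callers. The comment above the constant should say so, for example `#: Replaced, not extended, by an explicit remove_headers_on_redirect; such callers must list Cookie and Authorization themselves`. The same applies to the `Proxy-Authorization` entry that CVE-2024-37891.patch adds to this constant. The touched tests assert only the contents of the default set, not that the header is dropped on a redirect, and the Retry class body lies outside the hunk.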
| @ -1,6 +1,6 @@ | ||||
| From 6f6011442b255b6c135c294500cf4d404f594d8a Mon Sep 17 00:00:00 2001 | ||||
| From d71ab28f104cac824c6036fa9b35cc2e2dd19bf8 Mon Sep 17 00:00:00 2001 | ||||
| From: Lumir Balhar <lbalhar@redhat.com> | ||||
| Date: Tue, 12 Dec 2023 10:21:34 +0100 | ||||
| Date: Tue, 12 Dec 2023 11:06:20 +0100 | ||||
| Subject: [PATCH] Security fix for CVE-2023-45803 | ||||
| 
 | ||||
| ---
 | ||||
| @ -10,10 +10,10 @@ Subject: [PATCH] Security fix for CVE-2023-45803 | ||||
|  3 files changed, 28 insertions(+), 2 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py
 | ||||
| index 34f2381..86fc900 100644
 | ||||
| index da9857e..bceb845 100644
 | ||||
| --- a/src/urllib3/_collections.py
 | ||||
| +++ b/src/urllib3/_collections.py
 | ||||
| @@ -260,6 +260,24 @@ class HTTPHeaderDict(MutableMapping):
 | ||||
| @@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
 | ||||
|          else: | ||||
|              return vals[1:] | ||||
|   | ||||
| @ -39,23 +39,23 @@ index 34f2381..86fc900 100644 | ||||
|      getheaders = getlist | ||||
|      getallmatchingheaders = getlist | ||||
| diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
 | ||||
| index f7a8f19..ad6303c 100644
 | ||||
| index 4018321..8f9ebb5 100644
 | ||||
| --- a/src/urllib3/connectionpool.py
 | ||||
| +++ b/src/urllib3/connectionpool.py
 | ||||
| @@ -32,6 +32,7 @@ from .connection import (
 | ||||
|      HTTPConnection, HTTPSConnection, VerifiedHTTPSConnection, | ||||
|      HTTPException, BaseSSLError, | ||||
|  ) | ||||
| @@ -36,6 +36,7 @@ from .exceptions import (
 | ||||
|  from .packages import six | ||||
|  from .packages.six.moves import queue | ||||
|  from .packages.ssl_match_hostname import CertificateError | ||||
| +from ._collections import HTTPHeaderDict
 | ||||
|  from .request import RequestMethods | ||||
|  from .response import HTTPResponse | ||||
|   | ||||
| @@ -679,7 +680,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
 | ||||
|  from .util.connection import is_connection_dropped | ||||
| @@ -800,7 +801,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
 | ||||
|          redirect_location = redirect and response.get_redirect_location() | ||||
|          if redirect_location: | ||||
|              if response.status == 303: | ||||
| +                # Change the method according to RFC 9110, Section 15.4.4.
 | ||||
|                  method = 'GET' | ||||
|                  method = "GET" | ||||
| +                # And lose the body not to transfer anything sensitive.
 | ||||
| +                body = None
 | ||||
| +                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
 | ||||
| @ -63,31 +63,31 @@ index f7a8f19..ad6303c 100644 | ||||
|              try: | ||||
|                  retries = retries.increment(method, url, response=response, _pool=self) | ||||
| diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
 | ||||
| index 32bd973..37557f9 100644
 | ||||
| index 3a31a28..7d4c22c 100644
 | ||||
| --- a/src/urllib3/poolmanager.py
 | ||||
| +++ b/src/urllib3/poolmanager.py
 | ||||
| @@ -3,7 +3,7 @@ import collections
 | ||||
| @@ -4,7 +4,7 @@ import collections
 | ||||
|  import functools | ||||
|  import logging | ||||
|   | ||||
| -from ._collections import RecentlyUsedContainer
 | ||||
| +from ._collections import HTTPHeaderDict, RecentlyUsedContainer
 | ||||
|  from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool | ||||
|  from .connectionpool import port_by_scheme | ||||
|  from .exceptions import LocationValueError, MaxRetryError, ProxySchemeUnknown | ||||
| @@ -330,9 +330,12 @@ class PoolManager(RequestMethods):
 | ||||
|  from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme | ||||
|  from .exceptions import ( | ||||
|      LocationValueError, | ||||
| @@ -381,9 +381,12 @@ class PoolManager(RequestMethods):
 | ||||
|          # Support relative URLs for redirecting. | ||||
|          redirect_location = urljoin(url, redirect_location) | ||||
|   | ||||
| -        # RFC 7231, Section 6.4.4
 | ||||
|          if response.status == 303: | ||||
| +            # Change the method according to RFC 9110, Section 15.4.4.
 | ||||
|              method = 'GET' | ||||
|              method = "GET" | ||||
| +            # And lose the body not to transfer anything sensitive.
 | ||||
| +            kw["body"] = None
 | ||||
| +            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
 | ||||
|   | ||||
|          retries = kw.get('retries') | ||||
|          retries = kw.get("retries") | ||||
|          if not isinstance(retries, Retry): | ||||
| -- 
 | ||||
| 2.43.0 | ||||
|  | ||||
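Review bot: The three `diff --git` sections visible in this patch are _collections.py, connectionpool.py and poolmanager.py, so no test comes with the change and dropping the body on a 303 goes unverified in this build. In poolmanager.py the new line `kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()` indexes `kw["headers"]` directly and raises KeyError if the key can be absent at that point. The earlier part of `urlopen` is outside the hunk, so confirm it always populates the key, or use `kw.get("headers")` with an explicit fallback. The body of `_prepare_for_method_change` is not shown on this page, so which headers it strips cannot be checked here. A short docstring on it naming the removed headers would make the security intent auditable.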
| @ -1,39 +1,66 @@ | ||||
| From 584378407efb03cef247320b541388f460cb72a2 Mon Sep 17 00:00:00 2001 | ||||
| From: Lumir Balhar <lbalhar@redhat.com> | ||||
| Date: Mon, 1 Jul 2024 12:40:39 +0200 | ||||
| Subject: [PATCH] CVE-2024-37891 | ||||
| From 3606f6166c000213f1e1e9bace3c12f924dd0132 Mon Sep 17 00:00:00 2001 | ||||
| From: Quentin Pradet <quentin.pradet@gmail.com> | ||||
| Date: Wed, 26 Jun 2024 15:56:34 +0200 | ||||
| Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf | ||||
| 
 | ||||
| * [1.26] Strip Proxy-Authorization header on redirects | ||||
| 
 | ||||
| * Set release date | ||||
| ---
 | ||||
|  src/urllib3/util/retry.py | 2 +- | ||||
|  test/test_retry.py        | 2 +- | ||||
|  2 files changed, 2 insertions(+), 2 deletions(-) | ||||
|  src/urllib3/util/retry.py     | 4 +++- | ||||
|  test/test_retry.py            | 6 +++++- | ||||
|  test/test_retry_deprecated.py | 6 +++++- | ||||
|  3 files changed, 13 insertions(+), 3 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
 | ||||
| index c4a687c..8b86956 100644
 | ||||
| index 63c02ee..42fa619 100644
 | ||||
| --- a/src/urllib3/util/retry.py
 | ||||
| +++ b/src/urllib3/util/retry.py
 | ||||
| @@ -151,7 +151,7 @@ class Retry(object):
 | ||||
|   | ||||
| @@ -217,7 +217,9 @@ class Retry(object):
 | ||||
|      RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) | ||||
|   | ||||
| -    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization'])
 | ||||
| +    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization', 'Proxy-Authorization'])
 | ||||
|      #: Default headers to be used for ``remove_headers_on_redirect`` | ||||
| -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 | ||||
| +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
 | ||||
| +        ["Cookie", "Authorization", "Proxy-Authorization"]
 | ||||
| +    )
 | ||||
|   | ||||
|      #: Maximum backoff time. | ||||
|      BACKOFF_MAX = 120 | ||||
| diff --git a/test/test_retry.py b/test/test_retry.py
 | ||||
| index c6bba74..a525028 100644
 | ||||
| index e9270bb..cf60bf1 100644
 | ||||
| --- a/test/test_retry.py
 | ||||
| +++ b/test/test_retry.py
 | ||||
| @@ -253,7 +253,7 @@ class TestRetry(object):
 | ||||
| @@ -293,7 +293,11 @@ class TestRetry(object):
 | ||||
|      def test_retry_default_remove_headers_on_redirect(self): | ||||
|          retry = Retry() | ||||
|   | ||||
| -        assert retry.remove_headers_on_redirect == {'authorization', 'cookie'}
 | ||||
| +        assert retry.remove_headers_on_redirect == {'authorization', 'proxy-authorization', 'cookie'}
 | ||||
| -        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 | ||||
| +        assert retry.remove_headers_on_redirect == {
 | ||||
| +            "authorization",
 | ||||
| +            "proxy-authorization",
 | ||||
| +            "cookie",
 | ||||
| +        }
 | ||||
|   | ||||
|      def test_retry_set_remove_headers_on_redirect(self): | ||||
|          retry = Retry(remove_headers_on_redirect=['x-api-secret']) | ||||
|          retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) | ||||
| diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
 | ||||
| index d18f94c..a107f7b 100644
 | ||||
| --- a/test/test_retry_deprecated.py
 | ||||
| +++ b/test/test_retry_deprecated.py
 | ||||
| @@ -295,7 +295,11 @@ class TestRetry(object):
 | ||||
|      def test_retry_default_remove_headers_on_redirect(self): | ||||
|          retry = Retry() | ||||
|   | ||||
| -        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 | ||||
| +        assert retry.remove_headers_on_redirect == {
 | ||||
| +            "authorization",
 | ||||
| +            "proxy-authorization",
 | ||||
| +            "cookie",
 | ||||
| +        }
 | ||||
|   | ||||
|      def test_retry_set_remove_headers_on_redirect(self): | ||||
|          retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) | ||||
| -- 
 | ||||
| 2.45.2 | ||||
| 2.44.0 | ||||
| 
 | ||||
|  | ||||
| @ -1,56 +0,0 @@ | ||||
| From c9ed53c284a6747f17366eab71ba8922e33910e2 Mon Sep 17 00:00:00 2001 | ||||
| From: Lumir Balhar <lbalhar@redhat.com> | ||||
| Date: Wed, 28 Aug 2019 14:55:26 +0200 | ||||
| Subject: [PATCH] Backported patch from: | ||||
|  https://github.com/urllib3/urllib3/commit/6a626be4ff623c25270e20db9002705bf4504e4e | ||||
| 
 | ||||
| Enable TLS 1.3 post-handshake authentication | ||||
| ---
 | ||||
|  src/urllib3/util/ssl_.py |  7 +++++++ | ||||
|  test/test_ssl.py         | 15 +++++++++++++++ | ||||
|  2 files changed, 22 insertions(+) | ||||
| 
 | ||||
| diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
 | ||||
| index 5ae4358..7dc4a5a 100644
 | ||||
| --- a/src/urllib3/util/ssl_.py
 | ||||
| +++ b/src/urllib3/util/ssl_.py
 | ||||
| @@ -280,6 +280,13 @@ def create_urllib3_context(ssl_version=None, cert_reqs=None,
 | ||||
|   | ||||
|      context.options |= options | ||||
|   | ||||
| +    # Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is
 | ||||
| +    # necessary for conditional client cert authentication with TLS 1.3.
 | ||||
| +    # The attribute is None for OpenSSL <= 1.1.0 or does not exist in older
 | ||||
| +    # versions of Python.
 | ||||
| +    if getattr(context, "post_handshake_auth", None) is not None:
 | ||||
| +        context.post_handshake_auth = True
 | ||||
| +
 | ||||
|      context.verify_mode = cert_reqs | ||||
|      if getattr(context, 'check_hostname', None) is not None:  # Platform-specific: Python 3.2 | ||||
|          # We do our own verification, including fingerprints and alternative | ||||
| diff --git a/test/test_ssl.py b/test/test_ssl.py
 | ||||
| index 6a46b4f..3a99522 100644
 | ||||
| --- a/test/test_ssl.py
 | ||||
| +++ b/test/test_ssl.py
 | ||||
| @@ -125,3 +125,18 @@ def test_wrap_socket_default_loads_default_certs(monkeypatch):
 | ||||
|      ssl_.ssl_wrap_socket(sock) | ||||
|   | ||||
|      context.load_default_certs.assert_called_with() | ||||
| +
 | ||||
| +
 | ||||
| +@pytest.mark.parametrize(
 | ||||
| +    ["pha", "expected_pha"], [(None, None), (False, True), (True, True)]
 | ||||
| +)
 | ||||
| +def test_create_urllib3_context_pha(monkeypatch, pha, expected_pha):
 | ||||
| +    context = mock.create_autospec(ssl_.SSLContext)
 | ||||
| +    context.set_ciphers = mock.Mock()
 | ||||
| +    context.options = 0
 | ||||
| +    context.post_handshake_auth = pha
 | ||||
| +    monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
 | ||||
| +
 | ||||
| +    assert ssl_.create_urllib3_context() is context
 | ||||
| +
 | ||||
| +    assert context.post_handshake_auth == expected_pha
 | ||||
| -- 
 | ||||
| 2.21.0 | ||||
| 
 | ||||
| @ -1,37 +1,21 @@ | ||||
| %global srcname urllib3 | ||||
| 
 | ||||
| # Tests are disabled to remove the test dependencies | ||||
| # Specify --with tests to run the tests on e.g. EPEL | ||||
| %bcond_with tests | ||||
| 
 | ||||
| Name:           python-%{srcname} | ||||
| Version:        1.24.2 | ||||
| Release:        8%{?dist} | ||||
| Version:        1.26.5 | ||||
| Release:        6%{?dist} | ||||
| Summary:        Python HTTP library with thread-safe connection pooling and file post | ||||
| 
 | ||||
| License:        MIT | ||||
| URL:            https://github.com/shazow/urllib3 | ||||
| URL:            https://github.com/urllib3/urllib3 | ||||
| Source0:        %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz | ||||
| # Used with Python 3.5+ | ||||
| # Unbundle ssl_match_hostname since we depend on it | ||||
| Source1:        ssl_match_hostname_py3.py | ||||
| BuildArch:      noarch | ||||
| 
 | ||||
| # CVE-2019-11236 python-urllib3: | ||||
| #   - CRLF injection due to not encoding the '\r\n' sequence leading to | ||||
| #     possible attack on internal service. | ||||
| #   - Also known as CVE-2019-9740 (duplicate entry) | ||||
| # Backported from: | ||||
| #  * https://github.com/urllib3/urllib3/pull/1591 | ||||
| #    - Superfluous commits were omitted (flake8 checks, travis settings, macos patch) | ||||
| #  * https://github.com/urllib3/urllib3/pull/1593 | ||||
| Patch1:         CVE-2019-11236.patch | ||||
| 
 | ||||
| # Enable post-handshake authentication for TLS 1.3 | ||||
| # - https://github.com/urllib3/urllib3/issues/1634 | ||||
| # - https://bugzilla.redhat.com/show_bug.cgi?id=1726743 | ||||
| Patch2:         Enable_TLS_1.3_post-handshake_authentication.patch | ||||
| 
 | ||||
| # CVE-2020-26137 | ||||
| # CRLF injection via HTTP request method | ||||
| # Resolved upstream: https://github.com/urllib3/urllib3/pull/1800 | ||||
| Patch3: CVE-2020-26137.patch | ||||
| 
 | ||||
| # CVE-2023-43804 | ||||
| # Added the `Cookie` header to the list of headers to strip from | ||||
| # requests when redirecting to a different host. As before, different headers | ||||
| @ -40,37 +24,47 @@ Patch3: CVE-2020-26137.patch | ||||
| # testing with dummyserver. | ||||
| # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2242493 | ||||
| # Upstream fix: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb | ||||
| Patch4: CVE-2023-43804.patch | ||||
| Patch1: CVE-2023-43804.patch | ||||
| 
 | ||||
| # CVE-2023-45803 | ||||
| # Remove HTTP request body when request method is changed. | ||||
| # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-45803 | ||||
| # Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 | ||||
| Patch5: CVE-2023-45803.patch | ||||
| Patch2: CVE-2023-45803.patch | ||||
| 
 | ||||
| # PoolManager.urlopen fails with TypeError for http connection if the PoolManager is instantiated with server_hostname | ||||
| # Tracking bug: https://issues.redhat.com/browse/RHEL-39285 | ||||
| # Upstream fix: https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 | ||||
| Patch3: Add-server_hostname-to-SSL_KEYWORDS.patch | ||||
| 
 | ||||
| # CVE-2024-37891 | ||||
| # Added the `Proxy-Authorization` header to the list of headers to strip from requests | ||||
| # when redirecting to a different host. | ||||
| # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-37891 | ||||
| # Proxy-authorization request header is not stripped during cross-origin redirects. | ||||
| # Tracking bug: https://issues.redhat.com/browse/RHEL-43172 | ||||
| # Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468 | ||||
| Patch6: CVE-2024-37891.patch | ||||
| Patch4: CVE-2024-37891.patch | ||||
| 
 | ||||
| %description | ||||
| Python HTTP module with connection pooling and file POST abilities. | ||||
| 
 | ||||
| 
 | ||||
| %package -n python3-%{srcname} | ||||
| Summary:        Python3 HTTP library with thread-safe connection pooling and file post | ||||
| 
 | ||||
| BuildRequires:  python3-devel | ||||
| # For unittests | ||||
| BuildRequires:  python3-nose | ||||
| BuildRequires:  python3-mock | ||||
| BuildRequires:  python3-setuptools | ||||
| %if %{with tests} | ||||
| BuildRequires:  python3-dateutil | ||||
| BuildRequires:  python3-six | ||||
| BuildRequires:  python3-pysocks | ||||
| BuildRequires:  python3-pytest | ||||
| BuildRequires:  python3-pytest-freezegun | ||||
| BuildRequires:  python3-pytest-timeout | ||||
| BuildRequires:  python3-tornado | ||||
| BuildRequires:  python3-trustme | ||||
| BuildRequires:  python3-idna | ||||
| %endif | ||||
| 
 | ||||
| Requires:       ca-certificates | ||||
| Requires:       python3-idna | ||||
| Requires:       python3-six | ||||
| Requires:       python3-pysocks | ||||
| 
 | ||||
| @ -79,15 +73,7 @@ Python3 HTTP module with connection pooling and file POST abilities. | ||||
| 
 | ||||
| 
 | ||||
| %prep | ||||
| %setup -q -n %{srcname}-%{version} | ||||
| 
 | ||||
| %patch1 -p1 | ||||
| %patch2 -p1 | ||||
| %patch3 -p1 | ||||
| %patch4 -p1 | ||||
| %patch5 -p1 | ||||
| %patch6 -p1 | ||||
| 
 | ||||
| %autosetup -p1 -n %{srcname}-%{version} | ||||
| # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is. | ||||
| # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date | ||||
| # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either, | ||||
| @ -103,26 +89,27 @@ Python3 HTTP module with connection pooling and file POST abilities. | ||||
| # result in false positive), but before at least 6 month ago (so this test could tolerate user's system time being | ||||
| # set to some time in the past, but not to far away from the present). | ||||
| # Next few lines update RECENT_DATE dynamically. | ||||
| 
 | ||||
| recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d") | ||||
| sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py | ||||
| 
 | ||||
| 
 | ||||
| # Drop the dummyserver tests in koji. | ||||
| # These require tornado, a Web framework otherwise unused in the distro. | ||||
| # Drop the dummyserver tests in koji.  They fail there in real builds, but not | ||||
| # in scratch builds (weird). | ||||
| rm -rf test/with_dummyserver/ | ||||
| rm -rf test/test_connectionpool.py | ||||
| rm -rf dummyserver/ | ||||
| # Don't run the Google App Engine tests | ||||
| rm -rf test/appengine/ | ||||
| # Lots of these tests started failing, even for old versions, so it has something | ||||
| # to do with Fedora in particular. They don't fail in upstream build infrastructure | ||||
| rm -rf test/contrib/ | ||||
| 
 | ||||
| # Tests for Python built without SSL, but RHEL builds with SSL. These tests | ||||
| # Tests for Python built without SSL, but Fedora builds with SSL. These tests | ||||
| # fail when combined with the unbundling of backports-ssl_match_hostname | ||||
| rm -f test/test_no_ssl.py | ||||
| 
 | ||||
| # Use the standard library instead of a backport | ||||
| sed -i -e 's/^import mock/from unittest import mock/' \ | ||||
|        -e 's/^from mock import /from unittest.mock import /' \ | ||||
|     test/*.py docs/conf.py | ||||
| 
 | ||||
| %build | ||||
| %py3_build | ||||
| 
 | ||||
| @ -131,89 +118,151 @@ rm -f test/test_no_ssl.py | ||||
| %py3_install | ||||
| 
 | ||||
| # Unbundle the Python 3 build | ||||
| rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py* | ||||
| rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six* | ||||
| rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py | ||||
| rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six.* | ||||
| rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname/ | ||||
| 
 | ||||
| mkdir -p %{buildroot}/%{python3_sitelib}/urllib3/packages/ | ||||
| ln -s %{python3_sitelib}/six.py \ | ||||
|       %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py | ||||
| cp -a %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py | ||||
| ln -s %{python3_sitelib}/six.py %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py | ||||
| ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.opt-1.pyc \ | ||||
|       %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/ | ||||
| ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \ | ||||
|       %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/ | ||||
| # urllib3 requires Python 3.5 to use the standard library's match_hostname, | ||||
| # which we ship in RHEL8, so we can safely replace the bundled version with | ||||
| # this stub which imports the necessary objects. | ||||
| cp %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py | ||||
| 
 | ||||
| 
 | ||||
| %if %{with tests} | ||||
| %check | ||||
| pushd test | ||||
| PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pytest -v | ||||
| popd | ||||
| %pytest -v | ||||
| %endif | ||||
| 
 | ||||
| 
 | ||||
| %files -n python3-%{srcname} | ||||
| %license LICENSE.txt | ||||
| %doc CHANGES.rst README.rst CONTRIBUTORS.txt | ||||
| %{python3_sitelib}/urllib3/ | ||||
| %{python3_sitelib}/urllib3-*.egg-info | ||||
| %{python3_sitelib}/urllib3-*.egg-info/ | ||||
| 
 | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Jul 01 2024 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-8 | ||||
| * Tue Jun 18 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-6 | ||||
| - Security fix for CVE-2024-37891 | ||||
| Resolves: RHEL-45334 | ||||
| - Backport upstream patch to fix TypeError for http connection if the PoolManager | ||||
| - is instantiated with server_hostname | ||||
| Resolves: RHEL-43172 | ||||
| Resolves: RHEL-39285 | ||||
| 
 | ||||
| * Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-7 | ||||
| * Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-5 | ||||
| - Security fix for CVE-2023-45803 | ||||
| Resolves: RHEL-16872 | ||||
| Resolves: RHEL-16874 | ||||
| 
 | ||||
| * Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-6 | ||||
| * Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-4 | ||||
| - Security fix for CVE-2023-43804 | ||||
| Resolves: RHEL-11992 | ||||
| Resolves: RHEL-12001 | ||||
| 
 | ||||
| * Mon Nov 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 1.24.2-5 | ||||
| - Security fix for CVE-2020-26137 | ||||
| Resolves: rhbz#1883889 | ||||
| * Tue Feb 08 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-3 | ||||
| - Add automatically generated Obsoletes tag with the python39- prefix | ||||
|   for smoother upgrade from RHEL8 | ||||
| - Related: rhbz#1990421 | ||||
| 
 | ||||
| * Wed Oct 30 2019 Anna Khaitovich <akhaitov@redhat.com> - 1.24.2-4 | ||||
| * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.26.5-2 | ||||
| - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags | ||||
|   Related: rhbz#1991688 | ||||
| 
 | ||||
| * Wed Jun 16 2021 Karolina Surma <ksurma@redhat.com> - 1.26.5-1 | ||||
| - Update to 1.26.5 | ||||
| - Fix for CVE-2021-33503 Catastrophic backtracking in URL authority parser | ||||
| Resolves: rhbz#1972639 | ||||
| 
 | ||||
| * Tue May 18 2021 Miro Hrončok <mhroncok@redhat.com> - 1.26.4-1 | ||||
| - Update to 1.26.4 | ||||
| Resolves: rhbz#1935737 | ||||
| 
 | ||||
| * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.25.10-6 | ||||
| - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 | ||||
| 
 | ||||
| * Mon Mar 08 2021 Charalampos Stratakis <cstratak@redhat.com> - 1.25.10-5 | ||||
| - Disable tests on RHEL9 to remove the python-tornado dependency | ||||
| 
 | ||||
| * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.10-4 | ||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild | ||||
| 
 | ||||
| * Fri Jan 15 2021 Miro Hrončok <mhroncok@redhat.com> - 1.25.10-3 | ||||
| - Drop redundant BuildRequires for nose | ||||
| - Instead of the mock backport, use unittest.mock from the standard library | ||||
| 
 | ||||
| * Tue Jan 05 2021 Anna Khaitovich <akhaitov@redhat.com> - 1.25.10-2 | ||||
| - Update RECENT_DATE dynamically | ||||
| Resolves: rhbz#1761380 | ||||
| 
 | ||||
| * Wed Aug 28 2019 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-3 | ||||
| - Enable TLS 1.3 post-handshake authentication | ||||
| - Adjust RECENT_DATE variable according to rules | ||||
| Resolves: rhbz#1726743 | ||||
| * Sun Sep 27 2020 Kevin Fenzi <kevin@scrye.com> - 1.25.10-1 | ||||
| - Update to 1.25.10. Fixed bug #1824900 | ||||
| 
 | ||||
| * Wed May 22 2019 Tomas Orsava <torsava@redhat.com> - 1.24.2-2 | ||||
| - Rebuilding after gating was enabled | ||||
| - Resolves: rhbz#1703361 rhbz#1706026 | ||||
| * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.8-4 | ||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild | ||||
| 
 | ||||
| * Fri May 03 2019 Tomas Orsava <torsava@redhat.com> - 1.24.2-1 | ||||
| - Rebased to 1.24.2 to fix CVE-2019-11324 | ||||
| - Added patches for CVE-2019-11236 (AKA CVE-2019-9740) | ||||
| - Resolves: rhbz#1703361 rhbz#1706026 | ||||
| * Sun May 24 2020 Miro Hrončok <mhroncok@redhat.com> - 1.25.8-3 | ||||
| - Rebuilt for Python 3.9 | ||||
| 
 | ||||
| * Wed Jul 11 2018 Petr Viktorin <pviktori@redhat.com> - 1.23-5 | ||||
| - Remove the Python 2 subpackage | ||||
|   https://bugzilla.redhat.com/show_bug.cgi?id=1590400 | ||||
| * Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.25.8-2 | ||||
| - Bootstrap for Python 3.9 | ||||
| 
 | ||||
| * Mon Jun 25 2018 Lumír Balhar <lbalhar@redhat.com> - 1.23-4 | ||||
| - Allow build with Python 2 | ||||
| * Sun Mar 22 2020 Carl George <carl@george.computer> - 1.25.8-1 | ||||
| - Latest upstream rhbz#1771186 | ||||
| 
 | ||||
| * Wed Jun 20 2018 Petr Viktorin <pviktori@redhat.com> - 1.23-3 | ||||
| - Skip tests that require tornado | ||||
| * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.7-3 | ||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild | ||||
| 
 | ||||
| * Wed Jun 20 2018 Lumír Balhar <lbalhar@redhat.com> - 1.23-2 | ||||
| - Remove unneeded python3-psutil dependency | ||||
| * Mon Nov 18 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.7-2 | ||||
| - Subpackage python2-urllib3 has been removed | ||||
|   See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal | ||||
| 
 | ||||
| * Tue Oct 15 2019 Jeremy Cline <jcline@redhat.com> - 1.25.6-1 | ||||
| - Update to v1.25.6 | ||||
| 
 | ||||
| * Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.3-7 | ||||
| - Rebuilt for Python 3.8.0rc1 (#1748018) | ||||
| 
 | ||||
| * Sun Aug 18 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.3-6 | ||||
| - Rebuilt for Python 3.8 | ||||
| 
 | ||||
| * Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.3-5 | ||||
| - Bootstrap for Python 3.8 | ||||
| 
 | ||||
| * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.3-4 | ||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild | ||||
| 
 | ||||
| * Mon Jul 08 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.3-3 | ||||
| - Set RECENT_DATE not to be older than 2 years (#1727796) | ||||
| 
 | ||||
| * Tue May 28 2019 Jeremy Cline <jcline@redhat.com> - 1.25.3-2 | ||||
| - Drop the Python 2 tests since Tornado is going away | ||||
| 
 | ||||
| * Tue May 28 2019 Jeremy Cline <jcline@redhat.com> - 1.25.3-1 | ||||
| - Update to 1.25.3 | ||||
| 
 | ||||
| * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.24.1-3 | ||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild | ||||
| 
 | ||||
| * Tue Nov 13 2018 Jeremy Cline <jeremy@jcline.org> - 1.24.1-2 | ||||
| - Adjust unbundling of ssl_match_hostname | ||||
| 
 | ||||
| * Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 1.24.1-1 | ||||
| - Update to v1.24.1 | ||||
| 
 | ||||
| * Wed Jun 20 2018 Lumír Balhar <lbalhar@redhat.com> - 1.23-4 | ||||
| - Removed unneeded dependency python[23]-psutil | ||||
| 
 | ||||
| * Mon Jun 18 2018 Miro Hrončok <mhroncok@redhat.com> - 1.23-3 | ||||
| - Rebuilt for Python 3.7 | ||||
| 
 | ||||
| * Thu Jun 14 2018 Miro Hrončok <mhroncok@redhat.com> - 1.23-2 | ||||
| - Bootstrap for Python 3.7 | ||||
| 
 | ||||
| * Tue Jun 05 2018 Jeremy Cline <jeremy@jcline.org> - 1.23-1 | ||||
| - Update to the latest upstream release (rhbz 1586072) | ||||
| 
 | ||||
| * Tue May 22 2018 Petr Viktorin <pviktori@redhat.com> - 1.22-10 | ||||
| - Skip tests for python2 subpackage, due to missing dependencies (rhbz 1580882) | ||||
| * Wed May 30 2018 Jeremy Cline <jeremy@jcline.org> - 1.22-10 | ||||
| - Backport patch to support Python 3.7 (rhbz 1584112) | ||||
| 
 | ||||
| * Thu May 03 2018 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.22-9 | ||||
| - Do not lowercase hostnames with custom-protocol (rhbz 1567862) | ||||
|  | ||||