13 changed files with 277 additions and 1963 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/urllib3-1.24.2.tar.gz
+SOURCES/urllib3-1.26.5.tar.gz
--- a/.python-urllib3.metadata
+++ b/.python-urllib3.metadata
@ -1 +1 @@
-02f5f10287e42a0e9d8666bbec9c51c4aec5bfc7 SOURCES/urllib3-1.24.2.tar.gz
+2870de19c1a575dab12f5d65080ed65d4957d4b2 SOURCES/urllib3-1.26.5.tar.gz
--- a/SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch
+++ b/SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch
@ -0,0 +1,38 @@
+From f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 Mon Sep 17 00:00:00 2001
+From: Hasan Ramezani <hasan.r67@gmail.com>
+Date: Thu, 20 Jan 2022 15:56:02 +0100
+Subject: [PATCH] [1.26] Add server_hostname to SSL_KEYWORDS
+
+---
+ src/urllib3/poolmanager.py                | 1 +
+ test/with_dummyserver/test_poolmanager.py | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
+index 3a31a285bf..ca4ec34118 100644
+--- a/src/urllib3/poolmanager.py
+++ b/src/urllib3/poolmanager.py
+@@ -34,6 +34,7 @@
+     "ca_cert_dir",
+     "ssl_context",
+     "key_password",
+    "server_hostname",
+ )
+ 
+ # All known keyword arguments that could be provided to the pool manager, its
+diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
+index d877cc99ac..fa07a372a9 100644
+--- a/test/with_dummyserver/test_poolmanager.py
+++ b/test/with_dummyserver/test_poolmanager.py
+@@ -346,6 +346,11 @@ def test_http_with_ssl_keywords(self):
+             r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
+             assert r.status == 200
+ 
+    def test_http_with_server_hostname(self):
+        with PoolManager(server_hostname="example.com") as http:
+            r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
+            assert r.status == 200
+
+     def test_http_with_ca_cert_dir(self):
+         with PoolManager(ca_certs="REQUIRED", ca_cert_dir="/nosuchdir") as http:
+             r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
--- a/SOURCES/CVE-2019-11236.patch
+++ b/SOURCES/CVE-2019-11236.patch
@ -1,162 +0,0 @@
-From 9f6aa6b5f06ecfcfea2084d88f377c6e9dba5ce2 Mon Sep 17 00:00:00 2001
-From: Ryan Petrello <rpetrell@redhat.com>
-Date: Tue, 30 Apr 2019 12:36:48 -0400
-Subject: [PATCH 1/3] prevent CVE-2019-9740 in 1.24.x
-
-adapted from https://github.com/python/cpython/pull/12755
---
- test/test_util.py   | 5 +++++
- src/urllib3/util/url.py | 8 ++++++++
- 2 files changed, 13 insertions(+)
-
-diff --git a/test/test_util.py b/test/test_util.py
-index 73d9452..dc6ffd0 100644
--- a/test/test_util.py
-+++ b/test/test_util.py
-@@ -200,6 +200,11 @@ class TestUtil(object):
-         with pytest.raises(ValueError):
-             parse_url('[::1')
- 
-+    def test_parse_url_contains_control_characters(self):
-+        # see CVE-2019-9740
-+        with pytest.raises(LocationParseError):
-+            parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
-+
-     def test_Url_str(self):
-         U = Url('http', host='google.com')
-         assert str(U) == U.url
-diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
-index 6b6f996..e8e1bd7 100644
--- a/src/urllib3/util/url.py
-+++ b/src/urllib3/util/url.py
-@@ -1,5 +1,6 @@
- from __future__ import absolute_import
- from collections import namedtuple
-+import re
- 
- from ..exceptions import LocationParseError
- 
-@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
- # urllib3 infers URLs without a scheme (None) to be http.
- NORMALIZABLE_SCHEMES = ('http', 'https', None)
- 
-+_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
-+
- 
- class Url(namedtuple('Url', url_attrs)):
-     """
-@@ -155,6 +158,11 @@ def parse_url(url):
-         # Empty
-         return Url()
- 
-+    # Prevent CVE-2019-9740.
-+    # adapted from https://github.com/python/cpython/pull/12755
-+    if _contains_disallowed_url_pchar_re.search(url):
-+        raise LocationParseError("URL can't contain control characters. {!r}".format(url))
-+
-     scheme = None
-     auth = None
-     host = None
-- 
-2.20.1
-
-
-From ecc15bd412354ad916712113b0e426f8bc6cf52d Mon Sep 17 00:00:00 2001
-From: Ryan Petrello <lists@ryanpetrello.com>
-Date: Wed, 1 May 2019 16:46:44 -0400
-Subject: [PATCH 2/3] avoid CVE-2019-9740 by percent-encoding invalid path
- characters
-
-this is to avoid breaking changes in downstream libraries like requests
---
- test/test_util.py   | 4 ++--
- src/urllib3/util/url.py | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/test/test_util.py b/test/test_util.py
-index dc6ffd0..d139329 100644
--- a/test/test_util.py
-+++ b/test/test_util.py
-@@ -202,8 +202,8 @@ class TestUtil(object):
- 
-     def test_parse_url_contains_control_characters(self):
-         # see CVE-2019-9740
-        with pytest.raises(LocationParseError):
-            parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
-+        url = parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
-+        assert url.path == '/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:'
- 
-     def test_Url_str(self):
-         U = Url('http', host='google.com')
-diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
-index e8e1bd7..12b8d55 100644
--- a/src/urllib3/util/url.py
-+++ b/src/urllib3/util/url.py
-@@ -3,6 +3,7 @@ from collections import namedtuple
- import re
- 
- from ..exceptions import LocationParseError
-+from ..packages.six.moves.urllib.parse import quote
- 
- 
- url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
-@@ -160,8 +161,7 @@ def parse_url(url):
- 
-     # Prevent CVE-2019-9740.
-     # adapted from https://github.com/python/cpython/pull/12755
-    if _contains_disallowed_url_pchar_re.search(url):
-        raise LocationParseError("URL can't contain control characters. {!r}".format(url))
-+    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
- 
-     scheme = None
-     auth = None
-- 
-2.20.1
-
-
-From 6cda449df587fd37135ee76a9253dc8e12e53c05 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <sethmichaellarson@gmail.com>
-Date: Thu, 2 May 2019 09:02:24 -0500
-Subject: [PATCH 3/3] Also test unicode and query
-
---
- test/test_util.py | 22 +++++++++++++++++++---
- 1 file changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/test/test_util.py b/test/test_util.py
-index d139329..fa53aaf 100644
--- a/test/test_util.py
-+++ b/test/test_util.py
-@@ -200,10 +200,26 @@ class TestUtil(object):
-         with pytest.raises(ValueError):
-             parse_url('[::1')
- 
-    def test_parse_url_contains_control_characters(self):
-+    @pytest.mark.parametrize('url, expected_url', [
-+        (
-+            'http://localhost/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:',
-+            Url('http', host='localhost', port=None,
-+                path='/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:')
-+        ),
-+        (
-+            u'http://localhost/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:',
-+            Url('http', host='localhost', port=None,
-+                path='/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:')
-+        ),
-+        (
-+            'http://localhost/ ?q=\r\n',
-+            Url('http', host='localhost', path='/%20', query='q=%0D%0A')
-+        ),
-+    ])
-+    def test_parse_url_contains_control_characters(self, url, expected_url):
-         # see CVE-2019-9740
-        url = parse_url('http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:')
-        assert url.path == '/%20HTTP/1.1%0D%0AHEADER:%20INJECTED%0D%0AIgnore:'
-+        url = parse_url(url)
-+        assert url == expected_url
- 
-     def test_Url_str(self):
-         U = Url('http', host='google.com')
-- 
-2.20.1
-
--- a/SOURCES/CVE-2020-26137.patch
+++ b/SOURCES/CVE-2020-26137.patch
@ -1,37 +0,0 @@
-diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
-index 02b3665..1ab1890 100644
--- a/src/urllib3/connection.py
-+++ b/src/urllib3/connection.py
-@@ -1,4 +1,5 @@
- from __future__ import absolute_import
-+import re
- import datetime
- import logging
- import os
-@@ -61,6 +62,8 @@ port_by_scheme = {
- # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months)
- RECENT_DATE = datetime.date(2017, 6, 30)
- 
-+_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
-+
- 
- class DummyConnection(object):
-     """Used to detect a failed ConnectionCls import."""
-@@ -181,6 +184,17 @@ class HTTPConnection(_HTTPConnection, object):
-         conn = self._new_conn()
-         self._prepare_conn(conn)
- 
-+    def putrequest(self, method, url, *args, **kwargs):
-+        """Send a request to the server"""
-+        match = _CONTAINS_CONTROL_CHAR_RE.search(method)
-+        if match:
-+            raise ValueError(
-+                "Method cannot contain non-token characters %r (found at least %r)"
-+                % (method, match.group())
-+            )
-+
-+        return _HTTPConnection.putrequest(self, method, url, *args, **kwargs)
-+
-     def request_chunked(self, method, url, body=None, headers=None):
-         """
-         Alternative to the common request method, which sends the
--- a/SOURCES/CVE-2023-43804.patch
+++ b/SOURCES/CVE-2023-43804.patch
@ -1,39 +1,53 @@
-From 24603488c43a7cbaffcff7e69a72ad9bb4604acf Mon Sep 17 00:00:00 2001
+From 5fe72b64a10e9cb5c5e2b9de46401b6c7bb226e9 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
-Date: Thu, 12 Oct 2023 14:08:31 +0200
+Date: Thu, 12 Oct 2023 14:27:36 +0200
 Subject: [PATCH] CVE-2023-43804

 ---
- src/urllib3/util/retry.py | 2 +-
- test/test_retry.py        | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ src/urllib3/util/retry.py     | 2 +-
+ test/test_retry.py            | 2 +-
+ test/test_retry_deprecated.py | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)

 diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index 02429ee..c4a687c 100644
+index 180e82b..63c02ee 100644
 --- a/src/urllib3/util/retry.py
 +++ b/src/urllib3/util/retry.py
-@@ -151,7 +151,7 @@ class Retry(object):
- 
+@@ -217,7 +217,7 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
-    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
-+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization'])
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 
     #: Maximum backoff time.
     BACKOFF_MAX = 120
 diff --git a/test/test_retry.py b/test/test_retry.py
-index 7546c43..b6d52bf 100644
+index 3e71efe..e9270bb 100644
 --- a/test/test_retry.py
 +++ b/test/test_retry.py
-@@ -253,7 +253,7 @@ class TestRetry(object):
+@@ -293,7 +293,7 @@ class TestRetry(object):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 
-        assert list(retry.remove_headers_on_redirect) == ['authorization']
-+        assert retry.remove_headers_on_redirect == {'authorization', 'cookie'}
+-        assert list(retry.remove_headers_on_redirect) == ["authorization"]
+        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 
     def test_retry_set_remove_headers_on_redirect(self):
-         retry = Retry(remove_headers_on_redirect=['x-api-secret'])
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
+index eafecc4..d18f94c 100644
+--- a/test/test_retry_deprecated.py
+++ b/test/test_retry_deprecated.py
+@@ -295,7 +295,7 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert list(retry.remove_headers_on_redirect) == ["authorization"]
+        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
 -- 
 2.41.0

--- a/SOURCES/CVE-2023-45803.patch
+++ b/SOURCES/CVE-2023-45803.patch
@ -1,6 +1,6 @@
-From 6f6011442b255b6c135c294500cf4d404f594d8a Mon Sep 17 00:00:00 2001
+From d71ab28f104cac824c6036fa9b35cc2e2dd19bf8 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
-Date: Tue, 12 Dec 2023 10:21:34 +0100
+Date: Tue, 12 Dec 2023 11:06:20 +0100
 Subject: [PATCH] Security fix for CVE-2023-45803

 ---
@ -10,10 +10,10 @@ Subject: [PATCH] Security fix for CVE-2023-45803
 3 files changed, 28 insertions(+), 2 deletions(-)

 diff --git a/src/urllib3/_collections.py b/src/urllib3/_collections.py
-index 34f2381..86fc900 100644
+index da9857e..bceb845 100644
 --- a/src/urllib3/_collections.py
 +++ b/src/urllib3/_collections.py
-@@ -260,6 +260,24 @@ class HTTPHeaderDict(MutableMapping):
+@@ -268,6 +268,24 @@ class HTTPHeaderDict(MutableMapping):
         else:
             return vals[1:]
 
@ -39,23 +39,23 @@ index 34f2381..86fc900 100644
     getheaders = getlist
     getallmatchingheaders = getlist
 diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
-index f7a8f19..ad6303c 100644
+index 4018321..8f9ebb5 100644
 --- a/src/urllib3/connectionpool.py
 +++ b/src/urllib3/connectionpool.py
-@@ -32,6 +32,7 @@ from .connection import (
-     HTTPConnection, HTTPSConnection, VerifiedHTTPSConnection,
-     HTTPException, BaseSSLError,
- )
+@@ -36,6 +36,7 @@ from .exceptions import (
+ from .packages import six
+ from .packages.six.moves import queue
+ from .packages.ssl_match_hostname import CertificateError
 +from ._collections import HTTPHeaderDict
 from .request import RequestMethods
 from .response import HTTPResponse
- 
-@@ -679,7 +680,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+ from .util.connection import is_connection_dropped
+@@ -800,7 +801,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
         redirect_location = redirect and response.get_redirect_location()
         if redirect_location:
             if response.status == 303:
 +                # Change the method according to RFC 9110, Section 15.4.4.
-                 method = 'GET'
+                 method = "GET"
 +                # And lose the body not to transfer anything sensitive.
 +                body = None
 +                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
@ -63,31 +63,31 @@ index f7a8f19..ad6303c 100644
             try:
                 retries = retries.increment(method, url, response=response, _pool=self)
 diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
-index 32bd973..37557f9 100644
+index 3a31a28..7d4c22c 100644
 --- a/src/urllib3/poolmanager.py
 +++ b/src/urllib3/poolmanager.py
-@@ -3,7 +3,7 @@ import collections
+@@ -4,7 +4,7 @@ import collections
 import functools
 import logging
 
 -from ._collections import RecentlyUsedContainer
 +from ._collections import HTTPHeaderDict, RecentlyUsedContainer
- from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool
- from .connectionpool import port_by_scheme
- from .exceptions import LocationValueError, MaxRetryError, ProxySchemeUnknown
-@@ -330,9 +330,12 @@ class PoolManager(RequestMethods):
+ from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, port_by_scheme
+ from .exceptions import (
+     LocationValueError,
+@@ -381,9 +381,12 @@ class PoolManager(RequestMethods):
         # Support relative URLs for redirecting.
         redirect_location = urljoin(url, redirect_location)
 
 -        # RFC 7231, Section 6.4.4
         if response.status == 303:
 +            # Change the method according to RFC 9110, Section 15.4.4.
-             method = 'GET'
+             method = "GET"
 +            # And lose the body not to transfer anything sensitive.
 +            kw["body"] = None
 +            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
 
-         retries = kw.get('retries')
+         retries = kw.get("retries")
         if not isinstance(retries, Retry):
 -- 
 2.43.0
--- a/SOURCES/CVE-2024-37891.patch
+++ b/SOURCES/CVE-2024-37891.patch
@ -1,39 +1,66 @@
-From 584378407efb03cef247320b541388f460cb72a2 Mon Sep 17 00:00:00 2001
-From: Lumir Balhar <lbalhar@redhat.com>
-Date: Mon, 1 Jul 2024 12:40:39 +0200
-Subject: [PATCH] CVE-2024-37891
+From 3606f6166c000213f1e1e9bace3c12f924dd0132 Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Wed, 26 Jun 2024 15:56:34 +0200
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf

+* [1.26] Strip Proxy-Authorization header on redirects
+
+* Set release date
 ---
- src/urllib3/util/retry.py | 2 +-
- test/test_retry.py        | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ src/urllib3/util/retry.py     | 4 +++-
+ test/test_retry.py            | 6 +++++-
+ test/test_retry_deprecated.py | 6 +++++-
+ 3 files changed, 13 insertions(+), 3 deletions(-)

 diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index c4a687c..8b86956 100644
+index 63c02ee..42fa619 100644
 --- a/src/urllib3/util/retry.py
 +++ b/src/urllib3/util/retry.py
-@@ -151,7 +151,7 @@ class Retry(object):
- 
+@@ -217,7 +217,9 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
 
-    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization'])
-+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization', 'Proxy-Authorization'])
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
 
     #: Maximum backoff time.
     BACKOFF_MAX = 120
 diff --git a/test/test_retry.py b/test/test_retry.py
-index c6bba74..a525028 100644
+index e9270bb..cf60bf1 100644
 --- a/test/test_retry.py
 +++ b/test/test_retry.py
-@@ -253,7 +253,7 @@ class TestRetry(object):
+@@ -293,7 +293,11 @@ class TestRetry(object):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 
-        assert retry.remove_headers_on_redirect == {'authorization', 'cookie'}
-+        assert retry.remove_headers_on_redirect == {'authorization', 'proxy-authorization', 'cookie'}
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+        assert retry.remove_headers_on_redirect == {
+            "authorization",
+            "proxy-authorization",
+            "cookie",
+        }
 
     def test_retry_set_remove_headers_on_redirect(self):
-         retry = Retry(remove_headers_on_redirect=['x-api-secret'])
-- 
-2.45.2
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
+index d18f94c..a107f7b 100644
+--- a/test/test_retry_deprecated.py
+++ b/test/test_retry_deprecated.py
+@@ -295,7 +295,11 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+        assert retry.remove_headers_on_redirect == {
+            "authorization",
+            "proxy-authorization",
+            "cookie",
+        }
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+-- 
+2.44.0

--- a/SOURCES/CVE-2025-66418.patch
+++ b/SOURCES/CVE-2025-66418.patch
@ -1,75 +0,0 @@
-From dbb1dc2ef9a6c36e7b9139151d4db2ffab69eceb Mon Sep 17 00:00:00 2001
-From: Illia Volochii <illia.volochii@gmail.com>
-Date: Fri, 5 Dec 2025 16:41:33 +0200
-Subject: [PATCH] Security fix for CVE-2025-66418
-
-* Add a hard-coded limit for the decompression chain
-
-* Reuse new list
-
-(cherry picked from commit 24d7b67eac89f94e11003424bcf0d8f7b72222a8)
---
- changelog/GHSA-gm62-xv2j-4w53.security.rst |  4 ++++
- src/urllib3/response.py                    | 12 +++++++++++-
- test/test_response.py                      | 10 ++++++++++
- 3 files changed, 25 insertions(+), 1 deletion(-)
- create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
-
-diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
-new file mode 100644
-index 00000000..6646eaa3
--- /dev/null
-+++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
-@@ -0,0 +1,4 @@
-+Fixed a security issue where an attacker could compose an HTTP response with
-+virtually unlimited links in the ``Content-Encoding`` header, potentially
-+leading to a denial of service (DoS) attack by exhausting system resources
-+during decoding. The number of allowed chained encodings is now limited to 5.
-diff --git a/src/urllib3/response.py b/src/urllib3/response.py
-index 60bd98c9..ba366eef 100644
--- a/src/urllib3/response.py
-+++ b/src/urllib3/response.py
-@@ -163,8 +163,18 @@ class MultiDecoder(object):
-         they were applied.
-     """
- 
-+    # Maximum allowed number of chained HTTP encodings in the
-+    # Content-Encoding header.
-+    max_decode_links = 5
-+
-     def __init__(self, modes):
-        self._decoders = [_get_decoder(m.strip()) for m in modes.split(',')]
-+        encodings = [m.strip() for m in modes.split(",")]
-+        if len(encodings) > self.max_decode_links:
-+            raise DecodeError(
-+                "Too many content encodings in the chain: "
-+                f"{len(encodings)} > {self.max_decode_links}"
-+            )
-+        self._decoders = [_get_decoder(e) for e in encodings]
- 
-     def flush(self):
-         return self._decoders[0].flush()
-diff --git a/test/test_response.py b/test/test_response.py
-index 347276e8..bd083b7f 100644
--- a/test/test_response.py
-+++ b/test/test_response.py
-@@ -467,6 +467,16 @@ class TestResponse(object):
-         assert r.read(9 * 37) == b"foobarbaz" * 37
-         assert r.read() == b""
- 
-+    def test_read_multi_decoding_too_many_links(self):
-+        fp = BytesIO(b"foo")
-+        with pytest.raises(
-+            DecodeError, match="Too many content encodings in the chain: 6 > 5"
-+        ):
-+            HTTPResponse(
-+                fp,
-+                headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
-+            )
-+
-     def test_body_blob(self):
-         resp = HTTPResponse(b'foo')
-         assert resp.data == b'foo'
-- 
-2.52.0
-
--- a/SOURCES/CVE-2025-66471.patch
+++ b/SOURCES/CVE-2025-66471.patch
--- a/SOURCES/CVE-2026-21441.patch
+++ b/SOURCES/CVE-2026-21441.patch
@ -1,219 +0,0 @@
-From 5474aa5a56209bf0378201d8305584a0f51f91c7 Mon Sep 17 00:00:00 2001
-From: Ousret <ahmed.tahri@cloudnursery.dev>
-Date: Thu, 17 Nov 2022 01:40:19 +0100
-Subject: [PATCH 1/2] Prevent issue in HTTPResponse().read() when
- decoded_content is True and then False Provided it has initialized eligible
- decoder(decompressor) and did decode once
-
-(cherry picked from commit cefd1dbba6a20ea4f017e6e472f9ada3a8a743e0)
---
- changelog/2800.bugfix.rst |  1 +
- src/urllib3/response.py   | 13 +++++++++++++
- test/test_response.py     | 35 +++++++++++++++++++++++++++++++++++
- 3 files changed, 49 insertions(+)
- create mode 100644 changelog/2800.bugfix.rst
-
-diff --git a/changelog/2800.bugfix.rst b/changelog/2800.bugfix.rst
-new file mode 100644
-index 00000000..9dcf1eec
--- /dev/null
-+++ b/changelog/2800.bugfix.rst
-@@ -0,0 +1 @@
-+Prevented issue in HTTPResponse().read() when decoded_content is True and then False.
-\ No newline at end of file
-diff --git a/src/urllib3/response.py b/src/urllib3/response.py
-index ba366eef..6c8823be 100644
--- a/src/urllib3/response.py
-+++ b/src/urllib3/response.py
-@@ -331,6 +331,7 @@ class HTTPResponse(io.IOBase):
-         self.reason = reason
-         self.strict = strict
-         self.decode_content = decode_content
-+        self._has_decoded_content = False
-         self.retries = retries
-         self.enforce_content_length = enforce_content_length
- 
-@@ -481,12 +482,19 @@ class HTTPResponse(io.IOBase):
-         """
-         Decode the data passed in and potentially flush the decoder.
-         """
-+        if not decode_content and self._has_decoded_content:
-+            raise RuntimeError(
-+                "Calling read(decode_content=False) is not supported after "
-+                "read(decode_content=True) was called."
-+            )
-+
-         if max_length is None or flush_decoder:
-             max_length = -1
- 
-         try:
-             if decode_content and self._decoder:
-                 data = self._decoder.decompress(data, max_length=max_length)
-+                self._has_decoded_content = True
-         except (IOError, zlib.error) as e:
-             content_encoding = self.headers.get('content-encoding', '').lower()
-             raise DecodeError(
-@@ -670,6 +678,11 @@ class HTTPResponse(io.IOBase):
-         else:
-             # do not waste memory on buffer when not decoding
-             if not decode_content:
-+                if self._has_decoded_content:
-+                    raise RuntimeError(
-+                        "Calling read(decode_content=False) is not supported after "
-+                        "read(decode_content=True) was called."
-+                    )
-                 return data
- 
-             decoded_data = self._decode(
-diff --git a/test/test_response.py b/test/test_response.py
-index bd083b7f..4b04e409 100644
--- a/test/test_response.py
-+++ b/test/test_response.py
-@@ -560,6 +560,41 @@ class TestResponse(object):
-         while not br.closed:
-             br.read(5)
- 
-+    def test_read_with_illegal_mix_decode_toggle(self):
-+        compress = zlib.compressobj(6, zlib.DEFLATED, -zlib.MAX_WBITS)
-+        data = compress.compress(b"foo")
-+        data += compress.flush()
-+
-+        fp = BytesIO(data)
-+
-+        resp = HTTPResponse(
-+            fp, headers={"content-encoding": "deflate"}, preload_content=False
-+        )
-+
-+        assert resp.read(1) == b"f"
-+
-+        with pytest.raises(
-+            RuntimeError,
-+            match=(
-+                r"Calling read\(decode_content=False\) is not supported after "
-+                r"read\(decode_content=True\) was called"
-+            ),
-+        ):
-+            resp.read(1, decode_content=False)
-+
-+    def test_read_with_mix_decode_toggle(self):
-+        compress = zlib.compressobj(6, zlib.DEFLATED, -zlib.MAX_WBITS)
-+        data = compress.compress(b"foo")
-+        data += compress.flush()
-+
-+        fp = BytesIO(data)
-+
-+        resp = HTTPResponse(
-+            fp, headers={"content-encoding": "deflate"}, preload_content=False
-+        )
-+        resp.read(1, decode_content=False)
-+        assert resp.read(1, decode_content=True) == b"o"
-+
-     def test_streaming(self):
-         fp = BytesIO(b'foo')
-         resp = HTTPResponse(fp, preload_content=False)
-- 
-2.52.0
-
-
-From 018e71279b1b9ba9319943dbe47762d2dad631d0 Mon Sep 17 00:00:00 2001
-From: Illia Volochii <illia.volochii@gmail.com>
-Date: Wed, 7 Jan 2026 18:07:30 +0200
-Subject: [PATCH 2/2] Security fix for CVE-2026-21441
-
-* Stop decoding response content during redirects needlessly
-* Rename the new query parameter
-* Add a changelog entry
-
-(cherry picked from commit 8864ac407bba8607950025e0979c4c69bc7abc7b)
---
- CHANGES.rst                                  |  3 +++
- dummyserver/handlers.py                      |  8 +++++++-
- src/urllib3/connectionpool.py                |  6 +++++-
- test/with_dummyserver/test_connectionpool.py | 19 +++++++++++++++++++
- 4 files changed, 34 insertions(+), 2 deletions(-)
-
-diff --git a/CHANGES.rst b/CHANGES.rst
-index cf315aaf..5673a58e 100644
--- a/CHANGES.rst
-+++ b/CHANGES.rst
-@@ -8,6 +8,9 @@ Backports
-   compressed HTTP content ("decompression bombs") leading to excessive resource
-   consumption even when a small amount of data was requested. Reading small
-   chunks of compressed data is safer and much more efficient now.
-+- Fixed a high-severity security issue where decompression-bomb safeguards of
-+  the streaming API were bypassed when HTTP redirects were followed.
-+  (`GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>`__)
- 
- 
- 1.24.2 (2019-04-17)
-diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py
-index f570d881..c0dd4e4a 100644
--- a/dummyserver/handlers.py
-+++ b/dummyserver/handlers.py
-@@ -170,9 +170,15 @@ class TestingApp(RequestHandler):
-         status = request.params.get('status', '303 See Other')
-         if len(status) == 3:
-             status = '%s Redirect' % status.decode('latin-1')
-+        compressed = request.params.get('compressed') == b'true'
- 
-         headers = [('Location', target)]
-        return Response(status=status, headers=headers)
-+        if compressed:
-+            headers.append(('Content-Encoding', 'gzip'))
-+            data = gzip.compress(b'foo')
-+        else:
-+            data = b''
-+        return Response(data, status=status, headers=headers)
- 
-     def not_found(self, request):
-         return Response('Not found', status='404 Not Found')
-diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
-index ad6303c1..5f66cd25 100644
--- a/src/urllib3/connectionpool.py
-+++ b/src/urllib3/connectionpool.py
-@@ -671,7 +671,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
-             try:
-                 # discard any remaining response body, the connection will be
-                 # released back to the pool once the entire response is read
-                response.read()
-+                response.read(
-+                    # Do not spend resources decoding the content unless
-+                    # decoding has already been initiated.
-+                    decode_content=response._has_decoded_content,
-+                )
-             except (TimeoutError, HTTPException, SocketError, ProtocolError,
-                     BaseSSLError, SSLError) as e:
-                 pass
-diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py
-index 5faa0638..a2673e05 100644
--- a/test/with_dummyserver/test_connectionpool.py
-+++ b/test/with_dummyserver/test_connectionpool.py
-@@ -413,6 +413,25 @@ class TestConnectionPool(HTTPDummyServerTestCase):
-         self.assertEqual(r.status, 200)
-         self.assertEqual(r.data, b'Dummy server!')
- 
-+    @mock.patch("urllib3.response.GzipDecoder.decompress")
-+    def test_no_decoding_with_redirect_when_preload_disabled(
-+        self, gzip_decompress
-+    ):
-+        """
-+        Test that urllib3 does not attempt to decode a gzipped redirect
-+        response when `preload_content` is set to `False`.
-+        """
-+        with HTTPConnectionPool(self.host, self.port) as pool:
-+            # Three requests are expected: two redirects and one final / 200 OK.
-+            response = pool.request(
-+                "GET",
-+                "/redirect",
-+                fields={"target": "/redirect?compressed=true", "compressed": "true"},
-+                preload_content=False,
-+            )
-+        assert response.status == 200
-+        gzip_decompress.assert_not_called()
-+
-     def test_bad_connect(self):
-         pool = HTTPConnectionPool('badhost.invalid', self.port)
-         try:
-- 
-2.52.0
-
--- a/SOURCES/Enable_TLS_1.3_post-handshake_authentication.patch
+++ b/SOURCES/Enable_TLS_1.3_post-handshake_authentication.patch
@ -1,56 +0,0 @@
-From c9ed53c284a6747f17366eab71ba8922e33910e2 Mon Sep 17 00:00:00 2001
-From: Lumir Balhar <lbalhar@redhat.com>
-Date: Wed, 28 Aug 2019 14:55:26 +0200
-Subject: [PATCH] Backported patch from:
- https://github.com/urllib3/urllib3/commit/6a626be4ff623c25270e20db9002705bf4504e4e
-
-Enable TLS 1.3 post-handshake authentication
---
- src/urllib3/util/ssl_.py |  7 +++++++
- test/test_ssl.py         | 15 +++++++++++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
-index 5ae4358..7dc4a5a 100644
--- a/src/urllib3/util/ssl_.py
-+++ b/src/urllib3/util/ssl_.py
-@@ -280,6 +280,13 @@ def create_urllib3_context(ssl_version=None, cert_reqs=None,
- 
-     context.options |= options
- 
-+    # Enable post-handshake authentication for TLS 1.3, see GH #1634. PHA is
-+    # necessary for conditional client cert authentication with TLS 1.3.
-+    # The attribute is None for OpenSSL <= 1.1.0 or does not exist in older
-+    # versions of Python.
-+    if getattr(context, "post_handshake_auth", None) is not None:
-+        context.post_handshake_auth = True
-+
-     context.verify_mode = cert_reqs
-     if getattr(context, 'check_hostname', None) is not None:  # Platform-specific: Python 3.2
-         # We do our own verification, including fingerprints and alternative
-diff --git a/test/test_ssl.py b/test/test_ssl.py
-index 6a46b4f..3a99522 100644
--- a/test/test_ssl.py
-+++ b/test/test_ssl.py
-@@ -125,3 +125,18 @@ def test_wrap_socket_default_loads_default_certs(monkeypatch):
-     ssl_.ssl_wrap_socket(sock)
- 
-     context.load_default_certs.assert_called_with()
-+
-+
-+@pytest.mark.parametrize(
-+    ["pha", "expected_pha"], [(None, None), (False, True), (True, True)]
-+)
-+def test_create_urllib3_context_pha(monkeypatch, pha, expected_pha):
-+    context = mock.create_autospec(ssl_.SSLContext)
-+    context.set_ciphers = mock.Mock()
-+    context.options = 0
-+    context.post_handshake_auth = pha
-+    monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
-+
-+    assert ssl_.create_urllib3_context() is context
-+
-+    assert context.post_handshake_auth == expected_pha
-- 
-2.21.0
-
--- a/SPECS/python-urllib3.spec
+++ b/SPECS/python-urllib3.spec
@ -1,37 +1,21 @@
 %global srcname urllib3

+# Tests are disabled to remove the test dependencies
+# Specify --with tests to run the tests on e.g. EPEL
+%bcond_with tests
+
 Name:           python-%{srcname}
-Version:        1.24.2
-Release:        9%{?dist}
+Version:        1.26.5
+Release:        6%{?dist}
 Summary:        Python HTTP library with thread-safe connection pooling and file post

 License:        MIT
-URL:            https://github.com/shazow/urllib3
+URL:            https://github.com/urllib3/urllib3
 Source0:        %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
-# Used with Python 3.5+
+# Unbundle ssl_match_hostname since we depend on it
 Source1:        ssl_match_hostname_py3.py
 BuildArch:      noarch

-# CVE-2019-11236 python-urllib3:
-#   - CRLF injection due to not encoding the '\r\n' sequence leading to
-#     possible attack on internal service.
-#   - Also known as CVE-2019-9740 (duplicate entry)
-# Backported from:
-#  * https://github.com/urllib3/urllib3/pull/1591
-#    - Superfluous commits were omitted (flake8 checks, travis settings, macos patch)
-#  * https://github.com/urllib3/urllib3/pull/1593
-Patch1:         CVE-2019-11236.patch
-
-# Enable post-handshake authentication for TLS 1.3
-# - https://github.com/urllib3/urllib3/issues/1634
-# - https://bugzilla.redhat.com/show_bug.cgi?id=1726743
-Patch2:         Enable_TLS_1.3_post-handshake_authentication.patch
-
-# CVE-2020-26137
-# CRLF injection via HTTP request method
-# Resolved upstream: https://github.com/urllib3/urllib3/pull/1800
-Patch3: CVE-2020-26137.patch
-
 # CVE-2023-43804
 # Added the `Cookie` header to the list of headers to strip from
 # requests when redirecting to a different host. As before, different headers
@ -40,41 +24,47 @@ Patch3: CVE-2020-26137.patch
 # testing with dummyserver.
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2242493
 # Upstream fix: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
-Patch4: CVE-2023-43804.patch
+Patch1: CVE-2023-43804.patch

 # CVE-2023-45803
 # Remove HTTP request body when request method is changed.
 # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-45803
 # Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
-Patch5: CVE-2023-45803.patch
+Patch2: CVE-2023-45803.patch
+
+# PoolManager.urlopen fails with TypeError for http connection if the PoolManager is instantiated with server_hostname
+# Tracking bug: https://issues.redhat.com/browse/RHEL-39285
+# Upstream fix: https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5
+Patch3: Add-server_hostname-to-SSL_KEYWORDS.patch

 # CVE-2024-37891
-# Added the `Proxy-Authorization` header to the list of headers to strip from requests
-# when redirecting to a different host.
-# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-37891
+# Proxy-authorization request header is not stripped during cross-origin redirects.
+# Tracking bug: https://issues.redhat.com/browse/RHEL-43172
 # Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
-Patch6: CVE-2024-37891.patch
-
-Patch7: CVE-2025-66471.patch
-Patch8: CVE-2025-66418.patch
-Patch9: CVE-2026-21441.patch
+Patch4: CVE-2024-37891.patch

 %description
 Python HTTP module with connection pooling and file POST abilities.

-
 %package -n python3-%{srcname}
 Summary:        Python3 HTTP library with thread-safe connection pooling and file post

 BuildRequires:  python3-devel
-# For unittests
-BuildRequires:  python3-nose
-BuildRequires:  python3-mock
+BuildRequires:  python3-setuptools
+%if %{with tests}
+BuildRequires:  python3-dateutil
 BuildRequires:  python3-six
 BuildRequires:  python3-pysocks
 BuildRequires:  python3-pytest
+BuildRequires:  python3-pytest-freezegun
+BuildRequires:  python3-pytest-timeout
+BuildRequires:  python3-tornado
+BuildRequires:  python3-trustme
+BuildRequires:  python3-idna
+%endif

 Requires:       ca-certificates
+Requires:       python3-idna
 Requires:       python3-six
 Requires:       python3-pysocks

@ -84,7 +74,6 @@ Python3 HTTP module with connection pooling and file POST abilities.

 %prep
 %autosetup -p1 -n %{srcname}-%{version}
-
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
 # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
@ -100,26 +89,27 @@ Python3 HTTP module with connection pooling and file POST abilities.
 # result in false positive), but before at least 6 month ago (so this test could tolerate user's system time being
 # set to some time in the past, but not to far away from the present).
 # Next few lines update RECENT_DATE dynamically.
-
 recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
 sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py

-
-# Drop the dummyserver tests in koji.
-# These require tornado, a Web framework otherwise unused in the distro.
+# Drop the dummyserver tests in koji.  They fail there in real builds, but not
+# in scratch builds (weird).
 rm -rf test/with_dummyserver/
-rm -rf test/test_connectionpool.py
-rm -rf dummyserver/
 # Don't run the Google App Engine tests
 rm -rf test/appengine/
 # Lots of these tests started failing, even for old versions, so it has something
 # to do with Fedora in particular. They don't fail in upstream build infrastructure
 rm -rf test/contrib/

-# Tests for Python built without SSL, but RHEL builds with SSL. These tests
+# Tests for Python built without SSL, but Fedora builds with SSL. These tests
 # fail when combined with the unbundling of backports-ssl_match_hostname
 rm -f test/test_no_ssl.py

+# Use the standard library instead of a backport
+sed -i -e 's/^import mock/from unittest import mock/' \
+       -e 's/^from mock import /from unittest.mock import /' \
+    test/*.py docs/conf.py
+
 %build
 %py3_build

@ -128,95 +118,151 @@ rm -f test/test_no_ssl.py
 %py3_install

 # Unbundle the Python 3 build
-rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py*
-rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six*
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six.*
 rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname/

 mkdir -p %{buildroot}/%{python3_sitelib}/urllib3/packages/
-ln -s %{python3_sitelib}/six.py \
-      %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py
+cp -a %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py
+ln -s %{python3_sitelib}/six.py %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py
 ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.opt-1.pyc \
      %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/
 ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
      %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/
-# urllib3 requires Python 3.5 to use the standard library's match_hostname,
-# which we ship in RHEL8, so we can safely replace the bundled version with
-# this stub which imports the necessary objects.
-cp %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py


+%if %{with tests}
 %check
-pushd test
-PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pytest -v
-popd
+%pytest -v
+%endif


 %files -n python3-%{srcname}
 %license LICENSE.txt
 %doc CHANGES.rst README.rst CONTRIBUTORS.txt
 %{python3_sitelib}/urllib3/
-%{python3_sitelib}/urllib3-*.egg-info
+%{python3_sitelib}/urllib3-*.egg-info/


 %changelog
-* Wed Dec 17 2025 Miro Hrončok <mhroncok@redhat.com> - 1.24.2-9
- Security fix for CVE-2025-66471
- Security fix for CVE-2025-66418
- Security fix for CVE-2026-21441
-Resolves: RHEL-139410
-
-* Mon Jul 01 2024 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-8
+* Tue Jun 18 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-6
 - Security fix for CVE-2024-37891
-Resolves: RHEL-45334
+- Backport upstream patch to fix TypeError for http connection if the PoolManager
+- is instantiated with server_hostname
+Resolves: RHEL-43172
+Resolves: RHEL-39285

-* Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-7
+* Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-5
 - Security fix for CVE-2023-45803
-Resolves: RHEL-16872
+Resolves: RHEL-16874

-* Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-6
+* Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-4
 - Security fix for CVE-2023-43804
-Resolves: RHEL-11992
+Resolves: RHEL-12001

-* Mon Nov 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 1.24.2-5
- Security fix for CVE-2020-26137
-Resolves: rhbz#1883889
+* Tue Feb 08 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-3
+- Add automatically generated Obsoletes tag with the python39- prefix
+  for smoother upgrade from RHEL8
+- Related: rhbz#1990421

-* Wed Oct 30 2019 Anna Khaitovich <akhaitov@redhat.com> - 1.24.2-4
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.26.5-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Karolina Surma <ksurma@redhat.com> - 1.26.5-1
+- Update to 1.26.5
+- Fix for CVE-2021-33503 Catastrophic backtracking in URL authority parser
+Resolves: rhbz#1972639
+
+* Tue May 18 2021 Miro Hrončok <mhroncok@redhat.com> - 1.26.4-1
+- Update to 1.26.4
+Resolves: rhbz#1935737
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.25.10-6
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Mar 08 2021 Charalampos Stratakis <cstratak@redhat.com> - 1.25.10-5
+- Disable tests on RHEL9 to remove the python-tornado dependency
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 15 2021 Miro Hrončok <mhroncok@redhat.com> - 1.25.10-3
+- Drop redundant BuildRequires for nose
+- Instead of the mock backport, use unittest.mock from the standard library
+
+* Tue Jan 05 2021 Anna Khaitovich <akhaitov@redhat.com> - 1.25.10-2
 - Update RECENT_DATE dynamically
-Resolves: rhbz#1761380

-* Wed Aug 28 2019 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-3
- Enable TLS 1.3 post-handshake authentication
- Adjust RECENT_DATE variable according to rules
-Resolves: rhbz#1726743
+* Sun Sep 27 2020 Kevin Fenzi <kevin@scrye.com> - 1.25.10-1
+- Update to 1.25.10. Fixed bug #1824900

-* Wed May 22 2019 Tomas Orsava <torsava@redhat.com> - 1.24.2-2
- Rebuilding after gating was enabled
- Resolves: rhbz#1703361 rhbz#1706026
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

-* Fri May 03 2019 Tomas Orsava <torsava@redhat.com> - 1.24.2-1
- Rebased to 1.24.2 to fix CVE-2019-11324
- Added patches for CVE-2019-11236 (AKA CVE-2019-9740)
- Resolves: rhbz#1703361 rhbz#1706026
+* Sun May 24 2020 Miro Hrončok <mhroncok@redhat.com> - 1.25.8-3
+- Rebuilt for Python 3.9

-* Wed Jul 11 2018 Petr Viktorin <pviktori@redhat.com> - 1.23-5
- Remove the Python 2 subpackage
-  https://bugzilla.redhat.com/show_bug.cgi?id=1590400
+* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.25.8-2
+- Bootstrap for Python 3.9

-* Mon Jun 25 2018 Lumír Balhar <lbalhar@redhat.com> - 1.23-4
- Allow build with Python 2
+* Sun Mar 22 2020 Carl George <carl@george.computer> - 1.25.8-1
+- Latest upstream rhbz#1771186

-* Wed Jun 20 2018 Petr Viktorin <pviktori@redhat.com> - 1.23-3
- Skip tests that require tornado
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

-* Wed Jun 20 2018 Lumír Balhar <lbalhar@redhat.com> - 1.23-2
- Remove unneeded python3-psutil dependency
+* Mon Nov 18 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.7-2
+- Subpackage python2-urllib3 has been removed
+  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
+
+* Tue Oct 15 2019 Jeremy Cline <jcline@redhat.com> - 1.25.6-1
+- Update to v1.25.6
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.3-7
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Sun Aug 18 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.3-6
+- Rebuilt for Python 3.8
+
+* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.3-5
+- Bootstrap for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.25.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jul 08 2019 Miro Hrončok <mhroncok@redhat.com> - 1.25.3-3
+- Set RECENT_DATE not to be older than 2 years (#1727796)
+
+* Tue May 28 2019 Jeremy Cline <jcline@redhat.com> - 1.25.3-2
+- Drop the Python 2 tests since Tornado is going away
+
+* Tue May 28 2019 Jeremy Cline <jcline@redhat.com> - 1.25.3-1
+- Update to 1.25.3
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.24.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Nov 13 2018 Jeremy Cline <jeremy@jcline.org> - 1.24.1-2
+- Adjust unbundling of ssl_match_hostname
+
+* Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 1.24.1-1
+- Update to v1.24.1
+
+* Wed Jun 20 2018 Lumír Balhar <lbalhar@redhat.com> - 1.23-4
+- Removed unneeded dependency python[23]-psutil
+
+* Mon Jun 18 2018 Miro Hrončok <mhroncok@redhat.com> - 1.23-3
+- Rebuilt for Python 3.7
+
+* Thu Jun 14 2018 Miro Hrončok <mhroncok@redhat.com> - 1.23-2
+- Bootstrap for Python 3.7

 * Tue Jun 05 2018 Jeremy Cline <jeremy@jcline.org> - 1.23-1
 - Update to the latest upstream release (rhbz 1586072)

-* Tue May 22 2018 Petr Viktorin <pviktori@redhat.com> - 1.22-10
- Skip tests for python2 subpackage, due to missing dependencies (rhbz 1580882)
+* Wed May 30 2018 Jeremy Cline <jeremy@jcline.org> - 1.22-10
+- Backport patch to support Python 3.7 (rhbz 1584112)

 * Thu May 03 2018 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.22-9
 - Do not lowercase hostnames with custom-protocol (rhbz 1567862)