Hello community,

here is the log from the commit of package python-urllib3 for openSUSE:Factory checked in at 2026-05-16 19:24:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old)
 and /work/SRC/openSUSE:Factory/.python-urllib3.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3" Sat May 16 19:24:45 2026 rev:75 rq:1353180 version:2.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes 2026-01-14 16:20:00.713286331 +0100 +++ /work/SRC/openSUSE:Factory/.python-urllib3.new.1966/python-urllib3.changes 2026-05-16 19:25:47.821162054 +0200 
@@ -1,0 +2,42 @@ +Thu May 14 12:56:09 UTC 2026 - Daniel Garcia <[email protected]> + +- Update to 2.7.0 (CVE-2026-44432, bsc#1265266, CVE-2026-44431, bsc#1265267): + ## Security + Addressed high-severity security issues. Impact was limited to + specific use cases detailed in the accompanying advisories; overall + user exposure was estimated to be marginal. + + * Decompression-bomb safeguards of the streaming API were bypassed: + See GHSA-mf9v-mfxr-j63j for details. + + * HTTP pools created using ProxyManager.connection_from_url did not + strip sensitive headers specified in + Retry.remove_headers_on_redirect when redirecting to a different + host. (GHSA-qccp-gfcp-xxvc) + + ## Deprecations and Removals + * Used FutureWarning instead of DeprecationWarning for better + visibility of existing deprecation notices. Rescheduled the + removal of deprecated features to version 3.0. (#3763) + * Removed support for end-of-life Python 3.9. (#3720) + * Removed support for end-of-life PyPy3.10. (#4979) + * Bumped the minimum supported pyOpenSSL version to 19.0.0. (#3777) + + ## Bugfixes + * Fixed a bug where HTTPResponse.read(amt=None) was ignoring + decompressed data buffered from previous partial reads. (#3636) + * Fixed a bug where HTTPResponse.read() could cache only part of the + response after a partial read when cache_content=True. (#4967) + * Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to + handle amt=0. (#3793) + * Updated _TYPE_BODY type alias to include missing Iterable[str], + matching the documented and runtime behavior of chunked request + bodies. (#3798) + * Fixed LocationParseError when paths resembling schemeless URIs + were passed to HTTPConnectionPool.urlopen(). (#3352) + * Fixed BaseHTTPResponse.readinto() type annotation to accept + memoryview in addition to bytearray, matching the + io.RawIOBase.readinto contract and enabling use with + io.BufferedReader without type errors. 
(#3764) + +------------------------------------------------------------------- Old: ---- urllib3-2.6.3.tar.gz New: ---- urllib3-2.7.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-urllib3.spec ++++++ --- /var/tmp/diff_new_pack.i3OiYP/_old 2026-05-16 19:25:50.009251772 +0200 +++ /var/tmp/diff_new_pack.i3OiYP/_new 2026-05-16 19:25:50.033252756 +0200 @@ -26,7 +26,7 @@ %endif %{?sle15_python_module_pythons} Name: python-urllib3%{psuffix} -Version: 2.6.3 +Version: 2.7.0 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT ++++++ urllib3-2.6.3.tar.gz -> urllib3-2.7.0.tar.gz ++++++ ++++ 5345 lines of diff (skipped)
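Review bot: In the python-urllib3.changes entry, the "Update to 2.7.0" line lists CVE-2026-44432, bsc#1265266, CVE-2026-44431 and bsc#1265267 together, but the two Security bullets carry only GHSA-mf9v-mfxr-j63j and GHSA-qccp-gfcp-xxvc, so a reader cannot tell which CVE and bug number belongs to the streaming decompression-bomb bypass and which to the ProxyManager.connection_from_url header-stripping issue. Suggest appending the matching CVE and bsc reference to each bullet. The first bullet also ends in a colon followed only by "See GHSA-mf9v-mfxr-j63j for details."; a period there would read better.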
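Review bot: The python-urllib3.spec hunk changes only the Version line (2.6.3 to 2.7.0), while the changelog entry for this same update states that support for Python 3.9 was removed and that the minimum supported pyOpenSSL version is now 19.0.0. Please confirm that the Python flavors built by this spec and any pyOpenSSL requirement it declares, both outside the visible hunk, already match those two changes, or include the corresponding spec updates in this request.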
