Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: er...@debian.org

Please unblock package python-urllib3

This is an upstream point release that fixes a security issue
(CVE-2021-28363).

All the changes are either inconsequential documentation noise or
targeted bug fixes.

The diff is small enough that I'll immediately upload to unstable.

[ Reason ]
Pick up an upstream security fix, and bug fixes in a point release.

[ Impact ]
Known security issue.

[ Tests ]
Upstream unit test suite covers the changes.

[ Risks ]
Minimal. It's a popular Python package, the point release is over a
month old and hasn't had regressions reported.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I'll follow up with a security update to pip that will update its
bundled urllib3.

unblock python-urllib3/1.26.4-1
diff -Nru python-urllib3-1.26.2/CHANGES.rst python-urllib3-1.26.4/CHANGES.rst
--- python-urllib3-1.26.2/CHANGES.rst   2020-11-12 18:16:30.000000000 -0400
+++ python-urllib3-1.26.4/CHANGES.rst   2021-03-15 11:03:47.000000000 -0400
@@ -1,6 +1,23 @@
 Changes
 =======
 
+1.26.4 (2021-03-15)
+-------------------
+
+* Changed behavior of the default ``SSLContext`` when connecting to HTTPS proxy
+  during HTTPS requests. The default ``SSLContext`` now sets 
``check_hostname=True``.
+
+
+1.26.3 (2021-01-26)
+-------------------
+
+* Fixed bytes and string comparison issue with headers (Pull #2141)
+
+* Changed ``ProxySchemeUnknown`` error message to be
+  more actionable if the user supplies a proxy URL without
+  a scheme. (Pull #2107)
+
+
 1.26.2 (2020-11-12)
 -------------------
 
diff -Nru python-urllib3-1.26.2/debian/changelog 
python-urllib3-1.26.4/debian/changelog
--- python-urllib3-1.26.2/debian/changelog      2020-12-30 21:22:32.000000000 
-0400
+++ python-urllib3-1.26.4/debian/changelog      2021-05-11 20:30:00.000000000 
-0400
@@ -1,3 +1,12 @@
+python-urllib3 (1.26.4-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream release.
+    - Enforces certificate validation in some cases involving HTTPS to HTTPS
+      proxies CVE-2021-28363.
+
+ -- Stefano Rivera <stefa...@debian.org>  Tue, 11 May 2021 20:30:00 -0400
+
 python-urllib3 (1.26.2-1) unstable; urgency=medium
 
   * New upstream version 1.26.2
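Review bot: the CVE id in the changelog entry is run into the sentence ("HTTPS to HTTPS proxies CVE-2021-28363"); "(CVE-2021-28363)" in parentheses is the usual form and easier to grep. The entry also only mentions the 1.26.4 change, while the 1.26.3 fixes listed in the CHANGES.rst hunk above (bytes/str header comparison, Pull #2141, and the clearer ProxySchemeUnknown message, Pull #2107) are shipped here too and would be worth a line each.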
diff -Nru 
python-urllib3-1.26.2/debian/patches/01_do-not-use-embedded-python-six.patch 
python-urllib3-1.26.4/debian/patches/01_do-not-use-embedded-python-six.patch
--- 
python-urllib3-1.26.2/debian/patches/01_do-not-use-embedded-python-six.patch    
    2020-12-30 21:22:32.000000000 -0400
+++ 
python-urllib3-1.26.4/debian/patches/01_do-not-use-embedded-python-six.patch    
    2021-05-11 20:30:00.000000000 -0400
@@ -76,7 +76,7 @@
  __all__ = ["RecentlyUsedContainer", "HTTPHeaderDict"]
  
 diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py
-index 660d679..826f8d7 100644
+index 45580b7..1cddda4 100644
 --- a/src/urllib3/connection.py
 +++ b/src/urllib3/connection.py
 @@ -9,9 +9,9 @@ import warnings
@@ -160,7 +160,7 @@
  __all__ = ["inject_into_urllib3", "extract_from_urllib3"]
  
 diff --git a/src/urllib3/exceptions.py b/src/urllib3/exceptions.py
-index d69958d..31a779b 100644
+index cba6f3f..053758e 100644
 --- a/src/urllib3/exceptions.py
 +++ b/src/urllib3/exceptions.py
 @@ -1,6 +1,6 @@
@@ -294,7 +294,7 @@
  
  def is_fp_closed(obj):
 diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index ee51f92..8c275a8 100644
+index d25a41b..e11f585 100644
 --- a/src/urllib3/util/retry.py
 +++ b/src/urllib3/util/retry.py
 @@ -17,7 +17,7 @@ from ..exceptions import (
diff -Nru python-urllib3-1.26.2/docs/conf.py python-urllib3-1.26.4/docs/conf.py
--- python-urllib3-1.26.2/docs/conf.py  2020-11-12 18:16:30.000000000 -0400
+++ python-urllib3-1.26.4/docs/conf.py  2021-03-15 11:03:47.000000000 -0400
@@ -78,8 +78,8 @@
 html_theme_options = {
     "announcement": """
         <a style=\"text-decoration: none; color: white;\" 
-           href=\"https://opencollective.com/urllib3\";>
-           <img src=\"/en/latest/_static/favicon.png\"/> Sponsor urllib3 v2.0 
on Open Collective
+           href=\"https://github.com/sponsors/urllib3\";>
+           <img src=\"/en/latest/_static/favicon.png\"/> Support urllib3 on 
GitHub Sponsors
         </a>
     """,
     "sidebar_hide_name": True,
diff -Nru python-urllib3-1.26.2/docs/sponsors.rst 
python-urllib3-1.26.4/docs/sponsors.rst
--- python-urllib3-1.26.2/docs/sponsors.rst     2020-11-12 18:16:30.000000000 
-0400
+++ python-urllib3-1.26.4/docs/sponsors.rst     2021-03-15 11:03:33.000000000 
-0400
@@ -15,7 +15,7 @@
 
    `Get in contact <mailto:sethmichaellar...@gmail.com>`_ for additional
    details on sponsorship and perks before making a contribution
-   through `Open Collective <https://opencollective.com/urllib3>`_ if you have 
questions.
+   through `GitHub Sponsors <https://github.com/sponsors/urllib3>`_ if you 
have questions.
 
 
 Silver v2.0 Sponsor Perks
@@ -76,12 +76,3 @@
   `@Lukasa <https://github.com/Lukasa>`_
 
 * `Stripe <https://stripe.com>`_ (June 23, 2014)
-
-
-Open Collective Supporters
---------------------------
-
-All donations are currently going towards the development of new features for 
urllib3 v2.0.
-Donate $5 or more as an individual or $50 or more as an organization to be 
added to the list of supporters below (coming soon).
-
-`Thanks to all our supporters on Open Collective 
<https://opencollective.com/urllib3#section-contributors>`_!
diff -Nru python-urllib3-1.26.2/docs/v2-roadmap.rst 
python-urllib3-1.26.4/docs/v2-roadmap.rst
--- python-urllib3-1.26.2/docs/v2-roadmap.rst   2020-11-12 18:16:30.000000000 
-0400
+++ python-urllib3-1.26.4/docs/v2-roadmap.rst   2021-03-15 11:03:33.000000000 
-0400
@@ -3,7 +3,7 @@
 
 .. important::
 
-   We're seeking `sponsors and supporters for urllib3 v2.0 on Open Collective 
<https://opencollective.com/urllib3>`_.
+   We're seeking `sponsors and supporters for urllib3 v2.0 on Open Collective 
<https://github.com/sponsors/urllib3>`_.
    There's a lot of work to be done for our small team and we want to make sure
    development can get completed on-time while also fairly compensating 
contributors
    for the additional effort required for a large release like ``v2.0``.
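Review bot: in this hunk the `+` line still reads "sponsors and supporters for urllib3 v2.0 on Open Collective" while its target was changed to https://github.com/sponsors/urllib3; the conf.py and sponsors.rst hunks above updated the visible text as well, so "on GitHub Sponsors" is intended here. Documentation only, not a blocker for the unblock.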
diff -Nru python-urllib3-1.26.2/PKG-INFO python-urllib3-1.26.4/PKG-INFO
--- python-urllib3-1.26.2/PKG-INFO      2020-11-12 18:16:39.000000000 -0400
+++ python-urllib3-1.26.4/PKG-INFO      2021-03-15 11:03:55.002221800 -0400
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: urllib3
-Version: 1.26.2
+Version: 1.26.4
 Summary: HTTP library with thread-safe connection pooling, file post, and more.
 Home-page: https://urllib3.readthedocs.io/
 Author: Andrey Petrov
@@ -116,6 +116,23 @@
         Changes
         =======
         
+        1.26.4 (2021-03-15)
+        -------------------
+        
+        * Changed behavior of the default ``SSLContext`` when connecting to 
HTTPS proxy
+          during HTTPS requests. The default ``SSLContext`` now sets 
``check_hostname=True``.
+        
+        
+        1.26.3 (2021-01-26)
+        -------------------
+        
+        * Fixed bytes and string comparison issue with headers (Pull #2141)
+        
+        * Changed ``ProxySchemeUnknown`` error message to be
+          more actionable if the user supplies a proxy URL without
+          a scheme. (Pull #2107)
+        
+        
         1.26.2 (2020-11-12)
         -------------------
         
diff -Nru python-urllib3-1.26.2/src/urllib3/connection.py 
python-urllib3-1.26.4/src/urllib3/connection.py
--- python-urllib3-1.26.2/src/urllib3/connection.py     2020-11-12 
18:16:34.000000000 -0400
+++ python-urllib3-1.26.4/src/urllib3/connection.py     2021-03-15 
11:03:47.000000000 -0400
@@ -67,7 +67,7 @@
 
 # When it comes time to update this value as a part of regular maintenance
 # (ie test_recent_date is failing) update it to ~6 months before the current 
date.
-RECENT_DATE = datetime.date(2019, 1, 1)
+RECENT_DATE = datetime.date(2020, 7, 1)
 
 _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
 
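Review bot: the comment directly above `RECENT_DATE` says to set it to roughly six months before the current date, but 2020-07-01 is about eight and a half months before the 2021-03-15 timestamp in this file's header. Harmless for the package, just noting that the value and the comment do not quite agree.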
@@ -215,7 +215,7 @@
 
     def putheader(self, header, *values):
         """"""
-        if SKIP_HEADER not in values:
+        if not any(isinstance(v, str) and v == SKIP_HEADER for v in values):
             _HTTPConnection.putheader(self, header, *values)
         elif six.ensure_str(header.lower()) not in SKIPPABLE_HEADERS:
             raise ValueError(
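Review bot: the new `if` condition only treats a value as the `SKIP_HEADER` sentinel when it is a `str`, so a `bytes` value is never compared against the sentinel and goes straight to `_HTTPConnection.putheader`; that is the intended bytes/str fix from 1.26.3 (Pull #2141), but the `elif` branch still assumes `header` itself is str or bytes via `six.ensure_str(header.lower())`. A one-line comment stating that the sentinel is str-only would help future readers of this backport.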
@@ -490,6 +490,10 @@
             self.ca_cert_dir,
             self.ca_cert_data,
         )
+        # By default urllib3's SSLContext disables `check_hostname` and uses
+        # a custom check. For proxies we're good with relying on the default
+        # verification.
+        ssl_context.check_hostname = True
 
         # If no cert was provided, use only the default options for server
         # certificate validation
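Review bot: `ssl_context.check_hostname = True` is the actual CVE-2021-28363 fix and is applied unconditionally to the proxy context; the hunk does not show how `verify_mode` was set on `ssl_context` by the call above it. Note that on CPython 3.7+ enabling `check_hostname` also forces `verify_mode` to `CERT_REQUIRED`, and any later attempt to set `CERT_NONE` on that context raises `ValueError`, so a configuration that deliberately disabled proxy certificate verification will now fail loudly instead of silently skipping the check. That is the right outcome for a security fix, but it is a user-visible behaviour change and deserves a sentence in the debian/changelog entry.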
diff -Nru python-urllib3-1.26.2/src/urllib3/exceptions.py 
python-urllib3-1.26.4/src/urllib3/exceptions.py
--- python-urllib3-1.26.2/src/urllib3/exceptions.py     2020-11-12 
18:16:30.000000000 -0400
+++ python-urllib3-1.26.4/src/urllib3/exceptions.py     2021-03-15 
11:03:47.000000000 -0400
@@ -289,7 +289,17 @@
     # TODO(t-8ch): Stop inheriting from AssertionError in v2.0.
 
     def __init__(self, scheme):
-        message = "Not supported proxy scheme %s" % scheme
+        # 'localhost' is here because our URL parser parses
+        # localhost:8080 -> scheme=localhost, remove if we fix this.
+        if scheme == "localhost":
+            scheme = None
+        if scheme is None:
+            message = "Proxy URL had no scheme, should start with http:// or 
https://";
+        else:
+            message = (
+                "Proxy URL had unsupported scheme %s, should use http:// or 
https://";
+                % scheme
+            )
         super(ProxySchemeUnknown, self).__init__(message)
 
 
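Review bot: the `scheme == "localhost"` special case in `__init__` only repairs the single bare `host:port` form named in the comment; any other scheme-less `host:port` proxy URL goes through the same parser behaviour and will still be reported as "unsupported scheme <host>", which is misleading. Acceptable for a point release, but the comment should say that the workaround is localhost-only, and the two message strings are duplicated verbatim in the new test further down, so they must be kept in sync if either changes.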
diff -Nru python-urllib3-1.26.2/src/urllib3/util/retry.py 
python-urllib3-1.26.4/src/urllib3/util/retry.py
--- python-urllib3-1.26.2/src/urllib3/util/retry.py     2020-11-12 
18:16:30.000000000 -0400
+++ python-urllib3-1.26.4/src/urllib3/util/retry.py     2021-03-15 
11:03:47.000000000 -0400
@@ -253,6 +253,7 @@
                 "Using 'method_whitelist' with Retry is deprecated and "
                 "will be removed in v2.0. Use 'allowed_methods' instead",
                 DeprecationWarning,
+                stacklevel=2,
             )
             allowed_methods = method_whitelist
         if allowed_methods is _Default:
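Review bot: `stacklevel=2` makes the DeprecationWarning point at the code that called `Retry.__init__` with `method_whitelist` rather than at retry.py itself, which is what users need in order to act on it; no change in behaviour otherwise, so fine for a stable update.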
diff -Nru python-urllib3-1.26.2/src/urllib3/_version.py 
python-urllib3-1.26.4/src/urllib3/_version.py
--- python-urllib3-1.26.2/src/urllib3/_version.py       2020-11-12 
18:16:34.000000000 -0400
+++ python-urllib3-1.26.4/src/urllib3/_version.py       2021-03-15 
11:03:47.000000000 -0400
@@ -1,2 +1,2 @@
 # This file is protected via CODEOWNERS
-__version__ = "1.26.2"
+__version__ = "1.26.4"
diff -Nru python-urllib3-1.26.2/src/urllib3.egg-info/PKG-INFO 
python-urllib3-1.26.4/src/urllib3.egg-info/PKG-INFO
--- python-urllib3-1.26.2/src/urllib3.egg-info/PKG-INFO 2020-11-12 
18:16:39.000000000 -0400
+++ python-urllib3-1.26.4/src/urllib3.egg-info/PKG-INFO 2021-03-15 
11:03:54.000000000 -0400
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: urllib3
-Version: 1.26.2
+Version: 1.26.4
 Summary: HTTP library with thread-safe connection pooling, file post, and more.
 Home-page: https://urllib3.readthedocs.io/
 Author: Andrey Petrov
@@ -116,6 +116,23 @@
         Changes
         =======
         
+        1.26.4 (2021-03-15)
+        -------------------
+        
+        * Changed behavior of the default ``SSLContext`` when connecting to 
HTTPS proxy
+          during HTTPS requests. The default ``SSLContext`` now sets 
``check_hostname=True``.
+        
+        
+        1.26.3 (2021-01-26)
+        -------------------
+        
+        * Fixed bytes and string comparison issue with headers (Pull #2141)
+        
+        * Changed ``ProxySchemeUnknown`` error message to be
+          more actionable if the user supplies a proxy URL without
+          a scheme. (Pull #2107)
+        
+        
         1.26.2 (2020-11-12)
         -------------------
         
diff -Nru python-urllib3-1.26.2/test/conftest.py 
python-urllib3-1.26.4/test/conftest.py
--- python-urllib3-1.26.2/test/conftest.py      2020-11-12 18:16:30.000000000 
-0400
+++ python-urllib3-1.26.4/test/conftest.py      2021-03-15 11:03:47.000000000 
-0400
@@ -65,6 +65,17 @@
 
 
 @pytest.fixture
+def no_localhost_san_server(tmp_path_factory):
+    tmpdir = tmp_path_factory.mktemp("certs")
+    ca = trustme.CA()
+    # non localhost common name
+    server_cert = ca.issue_cert(u"example.com")
+
+    with run_server_in_thread("https", "localhost", tmpdir, ca, server_cert) 
as cfg:
+        yield cfg
+
+
+@pytest.fixture
 def ip_san_server(tmp_path_factory):
     tmpdir = tmp_path_factory.mktemp("certs")
     ca = trustme.CA()
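Review bot: the comment "non localhost common name" in `no_localhost_san_server` does not match the fixture name: the point of issuing the cert for `example.com` only is that it carries no name matching `localhost`, in SAN or otherwise, which is exactly what the proxy verification test at the bottom of this debdiff relies on. Suggest rewording the comment to "cert carries no name matching localhost" so the fixture's purpose is clear.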
diff -Nru python-urllib3-1.26.2/test/with_dummyserver/test_proxy_poolmanager.py 
python-urllib3-1.26.4/test/with_dummyserver/test_proxy_poolmanager.py
--- python-urllib3-1.26.2/test/with_dummyserver/test_proxy_poolmanager.py       
2020-11-12 18:16:30.000000000 -0400
+++ python-urllib3-1.26.4/test/with_dummyserver/test_proxy_poolmanager.py       
2021-03-15 11:03:47.000000000 -0400
@@ -23,6 +23,7 @@
     ConnectTimeoutError,
     MaxRetryError,
     ProxyError,
+    ProxySchemeUnknown,
     ProxySchemeUnsupported,
     SSLError,
 )
@@ -502,6 +503,27 @@
             r = http.request("GET", "%s/" % self.https_url.upper())
             assert r.status == 200
 
+    @pytest.mark.parametrize(
+        "url, error_msg",
+        [
+            (
+                "127.0.0.1",
+                "Proxy URL had no scheme, should start with http:// or 
https://";,
+            ),
+            (
+                "localhost:8080",
+                "Proxy URL had no scheme, should start with http:// or 
https://";,
+            ),
+            (
+                "ftp://google.com";,
+                "Proxy URL had unsupported scheme ftp, should use http:// or 
https://";,
+            ),
+        ],
+    )
+    def test_invalid_schema(self, url, error_msg):
+        with pytest.raises(ProxySchemeUnknown, match=error_msg):
+            proxy_from_url(url)
+
 
 @pytest.mark.skipif(not HAS_IPV6, reason="Only runs on IPv6 systems")
 class TestIPv6HTTPProxyManager(IPv6HTTPDummyProxyTestCase):
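Review bot: `test_invalid_schema` exercises proxy schemes, not schemas; `test_invalid_scheme` would match `ProxySchemeUnknown` and the messages being checked. Also `pytest.raises(match=...)` interprets `error_msg` as a regular expression; the three strings happen to contain no regex metacharacters, so they match literally today, but wrapping them in `re.escape` would keep the test correct if the messages ever gain one.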
@@ -521,3 +543,25 @@
 
             r = http.request("GET", "%s/" % self.https_url)
             assert r.status == 200
+
+
+class TestHTTPSProxyVerification:
+    @onlyPy3
+    def test_https_proxy_hostname_verification(self, no_localhost_san_server):
+        bad_server = no_localhost_san_server
+        bad_proxy_url = "https://%s:%s"; % (bad_server.host, bad_server.port)
+
+        # An exception will be raised before we contact the destination domain.
+        test_url = "testing.com"
+        with proxy_from_url(bad_proxy_url, ca_certs=bad_server.ca_certs) as 
https:
+            with pytest.raises(MaxRetryError) as e:
+                https.request("GET", "http://%s/"; % test_url)
+            assert isinstance(e.value.reason, SSLError)
+            assert "hostname 'localhost' doesn't match" in str(e.value.reason)
+
+            with pytest.raises(MaxRetryError) as e:
+                https.request("GET", "https://%s/"; % test_url)
+            assert isinstance(e.value.reason, SSLError)
+            assert "hostname 'localhost' doesn't match" in str(
+                e.value.reason
+            ) or "Hostname mismatch" in str(e.value.reason)
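Review bot: the first `SSLError` assertion in `test_https_proxy_hostname_verification` only accepts "hostname 'localhost' doesn't match", while the second one also accepts "Hostname mismatch"; the exact wording comes from the ssl module and the underlying TLS library and varies between versions, so the first assertion should get the same alternative or the test may fail on the Python in testing for reasons unrelated to the fix. The test is also `@onlyPy3`, so the new proxy verification behaviour is only exercised on Python 3.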
