Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: er...@debian.org
Please unblock package python-urllib3 This is an upstream point release that fixes a security issue (CVE-2021-28363). All the changes are either inconsequential documentation noise or targeted bug fixes. The diff is small enough that I'll immediately upload to unstable. [ Reason ] Pick up an upstream security fix, and bug fixes in a point release. [ Impact ] Known security issue. [ Tests ] Upstream unit test suite covers the changes. [ Risks ] Minimal. It's a popular Python package, the point release is over a month old and hasn't had regressions reported. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] I'll follow up with a security update to pip that will update its bundled urllib3. unblock python-urllib3/1.26.4-1
diff -Nru python-urllib3-1.26.2/CHANGES.rst python-urllib3-1.26.4/CHANGES.rst --- python-urllib3-1.26.2/CHANGES.rst 2020-11-12 18:16:30.000000000 -0400 +++ python-urllib3-1.26.4/CHANGES.rst 2021-03-15 11:03:47.000000000 -0400 @@ -1,6 +1,23 @@ Changes ======= +1.26.4 (2021-03-15) +------------------- + +* Changed behavior of the default ``SSLContext`` when connecting to HTTPS proxy + during HTTPS requests. The default ``SSLContext`` now sets ``check_hostname=True``. + + +1.26.3 (2021-01-26) +------------------- + +* Fixed bytes and string comparison issue with headers (Pull #2141) + +* Changed ``ProxySchemeUnknown`` error message to be + more actionable if the user supplies a proxy URL without + a scheme. (Pull #2107) + + 1.26.2 (2020-11-12) ------------------- diff -Nru python-urllib3-1.26.2/debian/changelog python-urllib3-1.26.4/debian/changelog --- python-urllib3-1.26.2/debian/changelog 2020-12-30 21:22:32.000000000 -0400 +++ python-urllib3-1.26.4/debian/changelog 2021-05-11 20:30:00.000000000 -0400 @@ -1,3 +1,12 @@ +python-urllib3 (1.26.4-1) unstable; urgency=medium + + * Team upload. + * New upstream release. + - Enforces certificate validation in some cases involving HTTPS to HTTPS + proxies CVE-2021-28363. + + -- Stefano Rivera <stefa...@debian.org> Tue, 11 May 2021 20:30:00 -0400 + python-urllib3 (1.26.2-1) unstable; urgency=medium * New upstream version 1.26.2 diff -Nru python-urllib3-1.26.2/debian/patches/01_do-not-use-embedded-python-six.patch python-urllib3-1.26.4/debian/patches/01_do-not-use-embedded-python-six.patch --- python-urllib3-1.26.2/debian/patches/01_do-not-use-embedded-python-six.patch 2020-12-30 21:22:32.000000000 -0400 +++ python-urllib3-1.26.4/debian/patches/01_do-not-use-embedded-python-six.patch 2021-05-11 20:30:00.000000000 -0400 @@ -76,7 +76,7 @@ __all__ = ["RecentlyUsedContainer", "HTTPHeaderDict"] diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py -index 660d679..826f8d7 100644 +index 45580b7..1cddda4 100644 
--- a/src/urllib3/connection.py +++ b/src/urllib3/connection.py @@ -9,9 +9,9 @@ import warnings @@ -160,7 +160,7 @@ __all__ = ["inject_into_urllib3", "extract_from_urllib3"] diff --git a/src/urllib3/exceptions.py b/src/urllib3/exceptions.py -index d69958d..31a779b 100644 +index cba6f3f..053758e 100644 --- a/src/urllib3/exceptions.py +++ b/src/urllib3/exceptions.py @@ -1,6 +1,6 @@ @@ -294,7 +294,7 @@ def is_fp_closed(obj): diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py -index ee51f92..8c275a8 100644 +index d25a41b..e11f585 100644 --- a/src/urllib3/util/retry.py +++ b/src/urllib3/util/retry.py @@ -17,7 +17,7 @@ from ..exceptions import ( diff -Nru python-urllib3-1.26.2/docs/conf.py python-urllib3-1.26.4/docs/conf.py --- python-urllib3-1.26.2/docs/conf.py 2020-11-12 18:16:30.000000000 -0400 +++ python-urllib3-1.26.4/docs/conf.py 2021-03-15 11:03:47.000000000 -0400 @@ -78,8 +78,8 @@ html_theme_options = { "announcement": """ <a style=\"text-decoration: none; color: white;\" - href=\"https://opencollective.com/urllib3\"> - <img src=\"/en/latest/_static/favicon.png\"/> Sponsor urllib3 v2.0 on Open Collective + href=\"https://github.com/sponsors/urllib3\"> + <img src=\"/en/latest/_static/favicon.png\"/> Support urllib3 on GitHub Sponsors </a> """, "sidebar_hide_name": True, diff -Nru python-urllib3-1.26.2/docs/sponsors.rst python-urllib3-1.26.4/docs/sponsors.rst --- python-urllib3-1.26.2/docs/sponsors.rst 2020-11-12 18:16:30.000000000 -0400 +++ python-urllib3-1.26.4/docs/sponsors.rst 2021-03-15 11:03:33.000000000 -0400 @@ -15,7 +15,7 @@ `Get in contact <mailto:sethmichaellar...@gmail.com>`_ for additional details on sponsorship and perks before making a contribution - through `Open Collective <https://opencollective.com/urllib3>`_ if you have questions. + through `GitHub Sponsors <https://github.com/sponsors/urllib3>`_ if you have questions. Silver v2.0 Sponsor Perks 
@@ -76,12 +76,3 @@ `@Lukasa <https://github.com/Lukasa>`_ * `Stripe <https://stripe.com>`_ (June 23, 2014) - - -Open Collective Supporters --------------------------- - -All donations are currently going towards the development of new features for urllib3 v2.0. -Donate $5 or more as an individual or $50 or more as an organization to be added to the list of supporters below (coming soon). - -`Thanks to all our supporters on Open Collective <https://opencollective.com/urllib3#section-contributors>`_! diff -Nru python-urllib3-1.26.2/docs/v2-roadmap.rst python-urllib3-1.26.4/docs/v2-roadmap.rst --- python-urllib3-1.26.2/docs/v2-roadmap.rst 2020-11-12 18:16:30.000000000 -0400 +++ python-urllib3-1.26.4/docs/v2-roadmap.rst 2021-03-15 11:03:33.000000000 -0400 @@ -3,7 +3,7 @@ .. important:: - We're seeking `sponsors and supporters for urllib3 v2.0 on Open Collective <https://opencollective.com/urllib3>`_. + We're seeking `sponsors and supporters for urllib3 v2.0 on Open Collective <https://github.com/sponsors/urllib3>`_. There's a lot of work to be done for our small team and we want to make sure development can get completed on-time while also fairly compensating contributors for the additional effort required for a large release like ``v2.0``. diff -Nru python-urllib3-1.26.2/PKG-INFO python-urllib3-1.26.4/PKG-INFO --- python-urllib3-1.26.2/PKG-INFO 2020-11-12 18:16:39.000000000 -0400 +++ python-urllib3-1.26.4/PKG-INFO 2021-03-15 11:03:55.002221800 -0400 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 1.26.2 +Version: 1.26.4 Summary: HTTP library with thread-safe connection pooling, file post, and more. Home-page: https://urllib3.readthedocs.io/ Author: Andrey Petrov 
@@ -116,6 +116,23 @@ Changes ======= + 1.26.4 (2021-03-15) + ------------------- + + * Changed behavior of the default ``SSLContext`` when connecting to HTTPS proxy + during HTTPS requests. The default ``SSLContext`` now sets ``check_hostname=True``. + + + 1.26.3 (2021-01-26) + ------------------- + + * Fixed bytes and string comparison issue with headers (Pull #2141) + + * Changed ``ProxySchemeUnknown`` error message to be + more actionable if the user supplies a proxy URL without + a scheme. (Pull #2107) + + 1.26.2 (2020-11-12) ------------------- diff -Nru python-urllib3-1.26.2/src/urllib3/connection.py python-urllib3-1.26.4/src/urllib3/connection.py --- python-urllib3-1.26.2/src/urllib3/connection.py 2020-11-12 18:16:34.000000000 -0400 +++ python-urllib3-1.26.4/src/urllib3/connection.py 2021-03-15 11:03:47.000000000 -0400 @@ -67,7 +67,7 @@ # When it comes time to update this value as a part of regular maintenance # (ie test_recent_date is failing) update it to ~6 months before the current date. -RECENT_DATE = datetime.date(2019, 1, 1) +RECENT_DATE = datetime.date(2020, 7, 1) _CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") @@ -215,7 +215,7 @@ def putheader(self, header, *values): """""" - if SKIP_HEADER not in values: + if not any(isinstance(v, str) and v == SKIP_HEADER for v in values): _HTTPConnection.putheader(self, header, *values) elif six.ensure_str(header.lower()) not in SKIPPABLE_HEADERS: raise ValueError( 
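Review bot: The new `if not any(isinstance(v, str) and v == SKIP_HEADER for v in values):` in putheader has no comment saying why the type check is there, and the empty `""""""` docstring above it gives no help either. Presumably the guard exists so that bytes header values are never compared against the str sentinel (the changelog calls this a bytes/str comparison fix), but a reader of the code alone cannot tell; a one-line comment such as `# SKIP_HEADER is a str sentinel: only compare str values so bytes values never hit the comparison` would record the intent. Note that under Python 2 `str` is the bytes type, so the guard admits bytes values there — worth confirming that is acceptable given this file still goes through six. putheader's body continues outside the hunk.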
@@ -490,6 +490,10 @@ self.ca_cert_dir, self.ca_cert_data, ) + # By default urllib3's SSLContext disables `check_hostname` and uses + # a custom check. For proxies we're good with relying on the default + # verification. + ssl_context.check_hostname = True # If no cert was provided, use only the default options for server # certificate validation diff -Nru python-urllib3-1.26.2/src/urllib3/exceptions.py python-urllib3-1.26.4/src/urllib3/exceptions.py --- python-urllib3-1.26.2/src/urllib3/exceptions.py 2020-11-12 18:16:30.000000000 -0400 +++ python-urllib3-1.26.4/src/urllib3/exceptions.py 2021-03-15 11:03:47.000000000 -0400 @@ -289,7 +289,17 @@ # TODO(t-8ch): Stop inheriting from AssertionError in v2.0. def __init__(self, scheme): - message = "Not supported proxy scheme %s" % scheme + # 'localhost' is here because our URL parser parses + # localhost:8080 -> scheme=localhost, remove if we fix this. + if scheme == "localhost": + scheme = None + if scheme is None: + message = "Proxy URL had no scheme, should start with http:// or https://" + else: + message = ( + "Proxy URL had unsupported scheme %s, should use http:// or https://" + % scheme + ) super(ProxySchemeUnknown, self).__init__(message) diff -Nru python-urllib3-1.26.2/src/urllib3/util/retry.py python-urllib3-1.26.4/src/urllib3/util/retry.py --- python-urllib3-1.26.2/src/urllib3/util/retry.py 2020-11-12 18:16:30.000000000 -0400 +++ python-urllib3-1.26.4/src/urllib3/util/retry.py 2021-03-15 11:03:47.000000000 -0400 
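Review bot: `ssl_context.check_hostname = True` is applied unconditionally to the context returned by `create_proxy_ssl_context`, but the stdlib `ssl.SSLContext` raises `ValueError` when `check_hostname` is enabled while `verify_mode` is `CERT_NONE`, so a connection that deliberately configured `cert_reqs="CERT_NONE"` for its proxy may now fail at this line instead of connecting unverified as the caller asked. Whether `create_proxy_ssl_context` maps `self.cert_reqs` onto `verify_mode` is outside the hunk, so this needs confirming against that helper. If it does, guard the assignment, `if ssl_context.verify_mode != ssl.CERT_NONE:` then `ssl_context.check_hostname = True`, and extend the comment to say that hostname matching is delegated to the ssl module only when certificate verification is on. The enclosing method starts and ends outside the hunk.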
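Review bot: The `if scheme == "localhost": scheme = None` workaround in ProxySchemeUnknown.__init__ is documented only as "remove if we fix this", which gives no handle for finding it later; the surrounding code already uses a tagged `# TODO(t-8ch): ...` marker, so the comment should follow that convention, e.g. `# TODO: drop this once parse_url stops reporting "localhost:8080" as scheme="localhost"`. Also worth noting in that comment that the check is exact-case, so it only covers whatever casing the parser hands over. The error message interpolates the user-supplied scheme verbatim with `%s`, which is fine for an exception string but means callers that log it are echoing untrusted input.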
@@ -253,6 +253,7 @@ "Using 'method_whitelist' with Retry is deprecated and " "will be removed in v2.0. Use 'allowed_methods' instead", DeprecationWarning, + stacklevel=2, ) allowed_methods = method_whitelist if allowed_methods is _Default: diff -Nru python-urllib3-1.26.2/src/urllib3/_version.py python-urllib3-1.26.4/src/urllib3/_version.py --- python-urllib3-1.26.2/src/urllib3/_version.py 2020-11-12 18:16:34.000000000 -0400 +++ python-urllib3-1.26.4/src/urllib3/_version.py 2021-03-15 11:03:47.000000000 -0400 @@ -1,2 +1,2 @@ # This file is protected via CODEOWNERS -__version__ = "1.26.2" +__version__ = "1.26.4" diff -Nru python-urllib3-1.26.2/src/urllib3.egg-info/PKG-INFO python-urllib3-1.26.4/src/urllib3.egg-info/PKG-INFO --- python-urllib3-1.26.2/src/urllib3.egg-info/PKG-INFO 2020-11-12 18:16:39.000000000 -0400 +++ python-urllib3-1.26.4/src/urllib3.egg-info/PKG-INFO 2021-03-15 11:03:54.000000000 -0400 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: urllib3 -Version: 1.26.2 +Version: 1.26.4 Summary: HTTP library with thread-safe connection pooling, file post, and more. Home-page: https://urllib3.readthedocs.io/ Author: Andrey Petrov @@ -116,6 +116,23 @@ Changes ======= + 1.26.4 (2021-03-15) + ------------------- + + * Changed behavior of the default ``SSLContext`` when connecting to HTTPS proxy + during HTTPS requests. The default ``SSLContext`` now sets ``check_hostname=True``. + + + 1.26.3 (2021-01-26) + ------------------- + + * Fixed bytes and string comparison issue with headers (Pull #2141) + + * Changed ``ProxySchemeUnknown`` error message to be + more actionable if the user supplies a proxy URL without + a scheme. (Pull #2107) + + 1.26.2 (2020-11-12) ------------------- diff -Nru python-urllib3-1.26.2/test/conftest.py python-urllib3-1.26.4/test/conftest.py --- python-urllib3-1.26.2/test/conftest.py 2020-11-12 18:16:30.000000000 -0400 +++ python-urllib3-1.26.4/test/conftest.py 2021-03-15 11:03:47.000000000 -0400 
@@ -65,6 +65,17 @@ @pytest.fixture +def no_localhost_san_server(tmp_path_factory): + tmpdir = tmp_path_factory.mktemp("certs") + ca = trustme.CA() + # non localhost common name + server_cert = ca.issue_cert(u"example.com") + + with run_server_in_thread("https", "localhost", tmpdir, ca, server_cert) as cfg: + yield cfg + + +@pytest.fixture def ip_san_server(tmp_path_factory): tmpdir = tmp_path_factory.mktemp("certs") ca = trustme.CA() diff -Nru python-urllib3-1.26.2/test/with_dummyserver/test_proxy_poolmanager.py python-urllib3-1.26.4/test/with_dummyserver/test_proxy_poolmanager.py --- python-urllib3-1.26.2/test/with_dummyserver/test_proxy_poolmanager.py 2020-11-12 18:16:30.000000000 -0400 +++ python-urllib3-1.26.4/test/with_dummyserver/test_proxy_poolmanager.py 2021-03-15 11:03:47.000000000 -0400 @@ -23,6 +23,7 @@ ConnectTimeoutError, MaxRetryError, ProxyError, + ProxySchemeUnknown, ProxySchemeUnsupported, SSLError, ) @@ -502,6 +503,27 @@ r = http.request("GET", "%s/" % self.https_url.upper()) assert r.status == 200 + @pytest.mark.parametrize( + "url, error_msg", + [ + ( + "127.0.0.1", + "Proxy URL had no scheme, should start with http:// or https://", + ), + ( + "localhost:8080", + "Proxy URL had no scheme, should start with http:// or https://", + ), + ( + "ftp://google.com", + "Proxy URL had unsupported scheme ftp, should use http:// or https://", + ), + ], + ) + def test_invalid_schema(self, url, error_msg): + with pytest.raises(ProxySchemeUnknown, match=error_msg): + proxy_from_url(url) + @pytest.mark.skipif(not HAS_IPV6, reason="Only runs on IPv6 systems") class TestIPv6HTTPProxyManager(IPv6HTTPDummyProxyTestCase): 
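Review bot: In test_invalid_schema the `match=error_msg` argument to `pytest.raises` is a regular expression searched with `re.search`, so the `.` in `ftp://google.com`'s expected message is a wildcard rather than a literal; the test still passes today but does not pin the exact text. Passing `match=re.escape(error_msg)` states the intent and avoids surprises if a future message gains other metacharacters. The name `test_invalid_schema` also disagrees with the `scheme` wording used by the exception and its messages; `test_invalid_scheme` would match.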
@@ -521,3 +543,25 @@ r = http.request("GET", "%s/" % self.https_url) assert r.status == 200 + + +class TestHTTPSProxyVerification: + @onlyPy3 + def test_https_proxy_hostname_verification(self, no_localhost_san_server): + bad_server = no_localhost_san_server + bad_proxy_url = "https://%s:%s" % (bad_server.host, bad_server.port) + + # An exception will be raised before we contact the destination domain. + test_url = "testing.com" + with proxy_from_url(bad_proxy_url, ca_certs=bad_server.ca_certs) as https: + with pytest.raises(MaxRetryError) as e: + https.request("GET", "http://%s/" % test_url) + assert isinstance(e.value.reason, SSLError) + assert "hostname 'localhost' doesn't match" in str(e.value.reason) + + with pytest.raises(MaxRetryError) as e: + https.request("GET", "https://%s/" % test_url) + assert isinstance(e.value.reason, SSLError) + assert "hostname 'localhost' doesn't match" in str( + e.value.reason + ) or "Hostname mismatch" in str(e.value.reason)
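Review bot: The two `pytest.raises` blocks in test_https_proxy_hostname_verification go through the same proxy TLS handshake, yet only the second accepts `"Hostname mismatch"` alongside `"hostname 'localhost' doesn't match"`; the first (the `http://` destination) will fail on an ssl build that reports the mismatch with the second wording even though verification behaved correctly. Pull the accepted wordings into one check and apply it to both, e.g. `reason = str(e.value.reason)` followed by `assert "hostname 'localhost' doesn't match" in reason or "Hostname mismatch" in reason`. The `no_localhost_san_server` fixture the test relies on is added to conftest.py earlier in this diff.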