Hello community,

here is the log from the commit of package python3-urllib3 for openSUSE:Factory checked in at 2016-11-17 12:23:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python3-urllib3 (Old)
 and      /work/SRC/openSUSE:Factory/.python3-urllib3.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python3-urllib3" Changes: -------- --- /work/SRC/openSUSE:Factory/python3-urllib3/python3-urllib3.changes 2016-07-01 09:51:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python3-urllib3.new/python3-urllib3.changes 2016-11-17 12:23:23.000000000 +0100 
@@ -1,0 +2,68 @@ +Thu Oct 27 16:13:50 UTC 2016 - a...@gmx.de + +- update urllib3-ssl-default-context.patch + +- update to version 1.18.1: + * CVE-2016-9015. Users who are using urllib3 version 1.17 or 1.18 along with + PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This + release fixes a vulnerability whereby urllib3 in the above configuration + would silently fail to validate TLS certificates due to erroneously setting + invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous + flags do not cause a problem in OpenSSL versions before 1.1.0, which + interprets the presence of any flag as requesting certificate validation. + + There is no PR for this patch, as it was prepared for simultaneous disclosure + and release. There will be a PR for the equivalent fix in the master branch. + +------------------------------------------------------------------- +Mon Sep 26 15:39:25 UTC 2016 - a...@gmx.de + +- update to version 1.18: + * Fixed incorrect message for IncompleteRead exception. (PR #973) + * Accept "iPAddress" subject alternative name fields in TLS + certificates. (Issue #258) + * Fixed consistency of "HTTPResponse.closed" between Python 2 and 3. + (Issue #977) + * Fixed handling of wildcard certificates when using + PyOpenSSL. (Issue #979) + +------------------------------------------------------------------- +Sat Sep 10 14:09:40 UTC 2016 - a...@gmx.de + +- specfile: + * update line numbers in urllib3-test-ssl-drop-sslv3.patch + +- update to version 1.17: + * Accept "SSLContext" objects for use in SSL/TLS negotiation. (Issue + #835) + * ConnectionPool debug log now includes scheme, host, and + port. (Issue #897) + * Substantially refactored documentation. (Issue #887) + * Used URLFetch default timeout on AppEngine, rather than hardcoding + our own. (Issue #858) + * Normalize the scheme and host in the URL parser (Issue #833) + * "HTTPResponse" contains the last "Retry" object, which now also + contains retries history. 
(Issue #848) + * Timeout can no longer be set as boolean, and must be greater than + zero. (PR #924) + * Removed pyasn1 and ndg-httpsclient from dependencies used for + PyOpenSSL. We now use cryptography and idna, both of which are + already dependencies of PyOpenSSL. (PR #930) + * Fixed infinite loop in "stream" when amt=None. (Issue #928) + * Try to use the operating system's certificates when we are using + an "SSLContext". (PR #941) + * Updated cipher suite list to allow ChaCha20+Poly1305. AES-GCM is + preferred to ChaCha20, but ChaCha20 is then preferred to + everything else. (PR #947) + * Updated cipher suite list to remove 3DES-based cipher suites. (PR + #958) + * Removed the cipher suite fallback to allow HIGH ciphers. (PR #958) + * Implemented "length_remaining" to determine remaining content to + be read. (PR #949) + * Implemented "enforce_content_length" to enable exceptions when + incomplete data chunks are received. (PR #949) + * Dropped connection start, dropped connection reset, redirect, + forced retry, and new HTTPS connection log levels to DEBUG, from + INFO. (PR #967) + +------------------------------------------------------------------- Old: ---- urllib3-1.16.tar.gz New: ---- urllib3-1.18.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python3-urllib3.spec ++++++ --- /var/tmp/diff_new_pack.nC4GIh/_old 2016-11-17 12:23:24.000000000 +0100 +++ /var/tmp/diff_new_pack.nC4GIh/_new 2016-11-17 12:23:24.000000000 +0100 @@ -17,7 +17,7 @@ Name: python3-urllib3 -Version: 1.16 +Version: 1.18.1 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT 
@@ -27,6 +27,7 @@ # PATCH-FIX-OPENSUSE speili...@suse.com -- We need no coverage report Patch1: urllib3-test-no-coverage.patch # PATCH-FEATURE-UPSTREAM -- use set_default_verify_paths() if no certificate path is supplied +# should be removed in the future, see SR#437853 Patch2: urllib3-ssl-default-context.patch # PATCH-FIX-OPENSUSE -- do not use unsupported SSLv3 in tests Patch3: urllib3-test-ssl-drop-sslv3.patch ++++++ urllib3-1.16.tar.gz -> urllib3-1.18.1.tar.gz ++++++ ++++ 5795 lines of diff (skipped) ++++++ urllib3-ssl-default-context.patch ++++++ --- /var/tmp/diff_new_pack.nC4GIh/_old 2016-11-17 12:23:24.000000000 +0100 +++ /var/tmp/diff_new_pack.nC4GIh/_new 2016-11-17 12:23:24.000000000 +0100 @@ -2,10 +2,10 @@ =================================================================== --- a/urllib3/util/ssl_.py +++ b/urllib3/util/ssl_.py -@@ -299,6 +299,8 @@ def ssl_wrap_socket(sock, keyfile=None, - if e.errno == errno.ENOENT: - raise SSLError(e) - raise +@@ -317,6 +317,8 @@ def ssl_wrap_socket(sock, keyfile=None, + elif getattr(context, 'load_default_certs', None) is not None: + # try to load OS default certs; works well on Windows (require Python3.4+) + context.load_default_certs() + elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'): + context.set_default_verify_paths() ++++++ urllib3-test-ssl-drop-sslv3.patch ++++++ --- /var/tmp/diff_new_pack.nC4GIh/_old 2016-11-17 12:23:24.000000000 +0100 +++ /var/tmp/diff_new_pack.nC4GIh/_new 2016-11-17 12:23:24.000000000 +0100 @@ -2,7 +2,7 @@ =================================================================== --- a/test/with_dummyserver/test_https.py +++ b/test/with_dummyserver/test_https.py -@@ -425,21 +425,21 @@ class TestHTTPS(HTTPSDummyServerTestCase +@@ -464,21 +464,21 @@ class TestHTTPS(HTTPSDummyServerTestCase class TestHTTPS_TLSv1(HTTPSDummyServerTestCase): certs = DEFAULT_CERTS.copy()
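Review bot: The 1.18.1 entry in python3-urllib3.changes pastes the upstream CVE-2016-9015 text without saying how it applies to this package, and its first bullet, "update urllib3-ssl-default-context.patch", gives no reason for the refresh. The upstream text limits the flaw to urllib3 1.17 or 1.18 with PyOpenSSL injection and OpenSSL 1.1.0, while the old tarball listed here is urllib3-1.16.tar.gz, so the entry should state that the previous Factory version was outside the affected range, or name the configuration in which it was not. The patch bullet should say that the patch was rebased onto the new context in urllib3/util/ssl_.py.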
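Review bot: The comment added above Patch2 in python3-urllib3.spec, "should be removed in the future, see SR#437853", names no condition for removal. Suggest stating what has to be true before the patch can be dropped, so the next version bump can act on it without looking up the request. The line also sits under a PATCH-FEATURE-UPSTREAM tag, so it should say whether the upstream status of the patch has changed.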
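Review bot: The two lines added by the refreshed urllib3-ssl-default-context.patch now sit, under the new hunk header "@@ -317,6 +317,8 @@", directly after the branch "elif getattr(context, 'load_default_certs', None) is not None:" in ssl_wrap_socket, so the set_default_verify_paths() call is reached only for a context object that lacks load_default_certs. The comment in that context says load_default_certs needs Python 3.4+, and this is the python3 package, so please confirm which context types can still fall through to the added "elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths')" branch. If none can, drop the patch in this submission instead of deferring it through the spec comment; if some can, name them in the patch header so the reason for carrying it is on record.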