Hello community,

here is the log from the commit of package python-urllib3 for openSUSE:Factory checked in at 2019-06-18 14:48:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old)
 and /work/SRC/openSUSE:Factory/.python-urllib3.new.4811 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3" Tue Jun 18 14:48:06 2019 rev:27 rq:708287 version:1.25.3 Changes: -------- --- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes 2019-04-20 17:12:14.378839722 +0200 +++ /work/SRC/openSUSE:Factory/.python-urllib3.new.4811/python-urllib3.changes 2019-06-18 14:48:07.773702864 +0200 
@@ -1,0 +2,64 @@ +Fri Jun 7 11:40:05 UTC 2019 - Tomáš Chvátal <tchva...@suse.com> + +- Skip test_source_address_error as we raise different error with + fixes that we provide in new python2/3 + +------------------------------------------------------------------- +Wed May 29 08:59:29 UTC 2019 - Tomáš Chvátal <tchva...@suse.com> + +- Add more test to skip as with new openssl some behaviour changed + and we can't rely on them anymore + +------------------------------------------------------------------- +Wed May 29 08:20:27 UTC 2019 - Tomáš Chvátal <tchva...@suse.com> + +- Unbundle the six, rfc3986, and backports.ssl_match_hostname + +------------------------------------------------------------------- +Fri May 24 19:16:21 UTC 2019 - Tomáš Chvátal <tchva...@suse.com> + +- Update to 1.25.3: + * Change HTTPSConnection to load system CA certificates when ca_certs, ca_cert_dir, and ssl_context are unspecified. (Pull #1608, Issue #1603) + * Upgrade bundled rfc3986 to v1.3.2. (Pull #1609, Issue #1605) + +------------------------------------------------------------------- +Mon May 6 11:18:36 UTC 2019 - Tomáš Chvátal <tchva...@suse.com> + +- Update to 1.25.2: + * Change is_ipaddress to not detect IPvFuture addresses. (Pull #1583) + * Change parse_url to percent-encode invalid characters within the path, query, and target components. (Pull #1586) + * Add support for Google's Brotli package. (Pull #1572, Pull #1579) + * Upgrade bundled rfc3986 to v1.3.1 (Pull #1578) +- Require all the deps from the secure list rather than Recommend. + This makes the check to be run always and ensure the urls are + "secure". 
+- Remove ndg-httpsclient as it is not needed since 2015 + +------------------------------------------------------------------- +Tue Apr 23 10:27:36 UTC 2019 - Tomáš Chvátal <tchva...@suse.com> + +- Add missing dependency on brotlipy +- Fix the tests to pass again + +------------------------------------------------------------------- +Tue Apr 23 04:04:50 UTC 2019 - Thomas Bechtold <tbecht...@suse.com> + +- update to 1.25 (bsc#1132663, CVE-2019-11236): + * Require and validate certificates by default when using HTTPS + * Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant. + * Added support for ``key_password`` for ``HTTPSConnectionPool`` to use + encrypted ``key_file`` without creating your own ``SSLContext`` object. + * Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport ``SSLContext`` + implementations. (Pull #1496) + * Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft. + * Fixed issue where OpenSSL would block if an encrypted client private key was + given and no password was given. Instead an ``SSLError`` is raised. + * Added support for Brotli content encoding. It is enabled automatically if + ``brotlipy`` package is installed which can be requested with + ``urllib3[brotli]`` extra. + * Drop ciphers using DSS key exchange from default TLS cipher suites. + Improve default ciphers when using SecureTransport. + * Implemented a more efficient ``HTTPResponse.__iter__()`` method. +- Drop urllib3-test-ssl-drop-sslv3.patch . 
No longer needed + +------------------------------------------------------------------- Old: ---- urllib3-1.24.2.tar.gz urllib3-test-ssl-drop-sslv3.patch New: ---- ssl_match_hostname_py3.py urllib3-1.25.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-urllib3.spec ++++++ --- /var/tmp/diff_new_pack.1Rcr0C/_old 2019-06-18 14:48:08.533702705 +0200 +++ /var/tmp/diff_new_pack.1Rcr0C/_new 2019-06-18 14:48:08.537702704 +0200 
@@ -18,55 +18,62 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python - %global flavor @BUILD_FLAVOR@%{nil} %if "%{flavor}" == "test" -%define test 1 +%define psuffix -test %bcond_without test %else +%define psuffix %{nil} %bcond_with test %endif -%if %{with test} -Name: python-urllib3-%{flavor} -%else -Name: python-urllib3 -%endif -Version: 1.24.2 +Name: python-urllib3%{psuffix} +Version: 1.25.3 Release: 0 Summary: HTTP library with thread-safe connection pooling, file post, and more License: MIT Group: Development/Languages/Python URL: http://urllib3.readthedocs.org/ Source: https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz +# Wrapper for ssl to unbundle ssl_match_hostname +Source1: ssl_match_hostname_py3.py # PATCH-FEATURE-UPSTREAM -- use set_default_verify_paths() if no certificate path is supplied # should be removed in the future, see SR#437853 -Patch2: urllib3-ssl-default-context.patch -# PATCH-FIX-OPENSUSE -- do not use unsupported SSLv3 in tests -Patch3: urllib3-test-ssl-drop-sslv3.patch +Patch0: urllib3-ssl-default-context.patch # PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303, boo#1074247 dims...@opensuse.org -- Fix test suite, use correct date -Patch4: python-urllib3-recent-date.patch +Patch1: python-urllib3-recent-date.patch +# for SSL module on older distros +BuildRequires: %{oldpython} BuildRequires: %{python_module PySocks} BuildRequires: %{python_module psutil} +BuildRequires: %{python_module rfc3986} BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module six} BuildRequires: fdupes +BuildRequires: python-backports.ssl_match_hostname BuildRequires: python-rpm-macros +BuildRequires: python2-ipaddress +#!BuildIgnore: python-requests +Requires: ca-certificates-mozilla +Requires: python-cryptography +Requires: python-idna +Requires: python-pyOpenSSL +Requires: python-rfc3986 +Requires: python-six +BuildArch: noarch +%ifpython2 
+Requires: python-backports.ssl_match_hostname +%endif %if %{with test} +BuildRequires: %{python_module brotlipy} +BuildRequires: %{python_module idna} BuildRequires: %{python_module mock >= 1.3.0} BuildRequires: %{python_module pytest} BuildRequires: %{python_module tornado >= 4.2.1} +BuildRequires: %{python_module urllib3 >= %{version}} %endif -#!BuildIgnore: python-requests -BuildArch: noarch %if 0%{?suse_version} >= 1000 || 0%{?fedora_version} >= 24 -Recommends: ca-certificates-mozilla -Recommends: python-cryptography -Recommends: python-idna -Recommends: python-ndg-httpsclient -Recommends: python-pyOpenSSL +Recommends: python-brotlipy %endif -# for SSL module on older distros -BuildRequires: %{oldpython} -BuildRequires: python2-ipaddress %ifpython2 Requires: python-ipaddress %endif 
@@ -90,46 +97,85 @@ %prep %setup -q -n urllib3-%{version} -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 +%autopatch -p1 find . -type f -exec chmod a-x '{}' \; +find . -name __pycache__ -type d -exec rm -fr {} + + +# Drop the dummyserver tests, they fail in OBS +rm test/with_dummyserver/test_proxy_poolmanager.py +rm test/with_dummyserver/test_poolmanager.py +# Don't run the Google App Engine tests +rm -r test/appengine/ %build %python_build %install +%if !%{with test} %python_install + %{python_expand \ $python -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}/urllib3/ $python -O -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}/urllib3/ -%fdupes %{buildroot}%{$python_sitelib} } +# Unbundle the Python 2 build +rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py* +rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname/ +rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/rfc3986/ + +mkdir -p %{buildroot}/%{python2_sitelib}/urllib3/packages/ +ln -s %{python2_sitelib}/six.py %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py +ln -s %{python2_sitelib}/six.pyc %{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyc +ln -s %{python2_sitelib}/six.pyo %{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyo +ln -s %{python2_sitelib}/backports/ssl_match_hostname \ + %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname +ln -s %{python2_sitelib}/rfc3986/ \ + %{buildroot}/%{python2_sitelib}/urllib3/packages/rfc3986 +# Unbundle the Python 3 build +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py* +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six* +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname/ +rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/rfc3986/ + +mkdir -p %{buildroot}/%{python3_sitelib}/urllib3/packages/ +cp -a %{SOURCE1} %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py +ln -s 
%{python3_sitelib}/six.py %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py +ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.opt-1.pyc \ + %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/ +ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \ + %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/ +ln -s %{python3_sitelib}/rfc3986/ \ + %{buildroot}/%{python3_sitelib}/urllib3/packages/rfc3986 + +%python_expand %fdupes %{buildroot}%{$python_sitelib} +%endif + %check %if %{with test} -skiplist='not test_select_interrupt_exception and not test_selector_error and not timeout and not test_request_host_header_ignores_fqdn_dot and not test_dotted_fqdn' +skiplist='not test_select_interrupt_exception and not test_selector_error and not timeout and not test_request_host_header_ignores_fqdn_dot and not test_dotted_fqdn and not TestImportWithoutSSL' case $(uname -m) in ppc*) skiplist="$skiplist and not test_select_timing and not test_select_multiple_interrupts_with_event and not test_interrupt_wait_for_read_with_event and not test_select_interrupt_with_event";; esac +# the tls13 tests are not run in upstream travis and they fail for us +# lets wait for upstream to sort it out first +skiplist="$skiplist and not test_set_ssl_version_to_tls_version" +# the certificate validation is much stricter in new openssl so skip +# tests which would not validate it +skiplist="$skiplist and not test_client_no_intermediate" +# we have patch to fix source address errors in python and raise different +# error than urllib3 expects in its tests +skiplist="$skiplist and not test_source_address_error" -rm -rf build -# pretend to be TRAVIS (this triggers timing tolerance) -export TRAVIS=1 -%{python_expand PYTHONPATH="%{buildroot}%{$python_sitelib}" py.test-%$python_bin_suffix \ - --ignore=test/appengine \ - --ignore=test/with_dummyserver/test_proxy_poolmanager.py \ - --ignore=test/with_dummyserver/test_poolmanager.py \ - 
-k "${skiplist}" \ - src/urllib3 test} -rm -rf %{buildroot}%{_libexecdir}/python* +export PYTHONDONTWRITEBYTECODE=1 +%pytest -k "${skiplist}" %endif +%if ! %{with test} %files %{python_files} %license LICENSE.txt %doc CHANGES.rst CONTRIBUTORS.txt README.rst -%if ! %{with test} %{python_sitelib}/urllib3 %{python_sitelib}/urllib3-%{version}-py*.egg-info %endif ++++++ ssl_match_hostname_py3.py ++++++ from ssl import match_hostname, CertificateError ++++++ urllib3-1.24.2.tar.gz -> urllib3-1.25.3.tar.gz ++++++ ++++ 6982 lines of diff (skipped) ++++++ urllib3-ssl-default-context.patch ++++++ --- /var/tmp/diff_new_pack.1Rcr0C/_old 2019-06-18 14:48:08.701702670 +0200 +++ /var/tmp/diff_new_pack.1Rcr0C/_new 2019-06-18 14:48:08.701702670 +0200 @@ -1,5 +1,7 @@ ---- a/src/urllib3/util/ssl_.py -+++ b/src/urllib3/util/ssl_.py +Index: urllib3-1.25/src/urllib3/util/ssl_.py +=================================================================== +--- urllib3-1.25.orig/src/urllib3/util/ssl_.py ++++ urllib3-1.25/src/urllib3/util/ssl_.py @@ -333,6 +333,8 @@ def ssl_wrap_socket(sock, keyfile=None, elif ssl_context is None and hasattr(context, 'load_default_certs'): # try to load OS default certs; works well on Windows (require Python3.4+) @@ -7,5 +9,5 @@ + elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'): + context.set_default_verify_paths() - if certfile: - context.load_cert_chain(certfile, keyfile) + # Attempt to detect if we get the goofy behavior of the + # keyfile being encrypted and OpenSSL asking for the
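Review bot: In the first python-urllib3.spec hunk, the new `Requires: python-rfc3986` and `Requires: python-six` lines (and the matching `BuildRequires`) carry no minimum version, although the changelog records upstream upgrading its bundled rfc3986 to v1.3.2 in 1.25.3. Once %install replaces the bundled copies with symlinks to the system packages, URL parsing runs on whatever rfc3986 happens to be installed, so a floor such as `Requires: python-rfc3986 >= 1.3.2` would keep the unbundled build on at least the version upstream shipped.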
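Review bot: In the %check part of the second python-urllib3.spec hunk, the skiplist additions `test_client_no_intermediate` and `test_set_ssl_version_to_tls_version` switch off certificate-chain and TLS-version tests with only a free-text comment, in an update whose changelog headline is "Require and validate certificates by default when using HTTPS". Please attach a bug or upstream issue reference to each of these skips (and to `test_source_address_error`) so they can be tracked and removed, rather than leaving TLS verification coverage permanently reduced.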
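Review bot: The refreshed urllib3-ssl-default-context.patch still adds the `elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):` branch to `ssl_wrap_socket`, while the 1.25.3 changelog entry says upstream now loads system CA certificates when ca_certs, ca_cert_dir, and ssl_context are unspecified, and the spec comment already notes the patch "should be removed in the future". Please confirm the branch is still needed on top of 1.25.3 and drop the patch if it is not; the `Index:` header also still names urllib3-1.25 rather than the packaged version.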