Hello community,
here is the log from the commit of package python-urllib3 for openSUSE:Factory
checked in at 2019-06-18 14:48:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urllib3 (Old)
and /work/SRC/openSUSE:Factory/.python-urllib3.new.4811 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3"
Tue Jun 18 14:48:06 2019 rev:27 rq:708287 version:1.25.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-urllib3/python-urllib3.changes
2019-04-20 17:12:14.378839722 +0200
+++ /work/SRC/openSUSE:Factory/.python-urllib3.new.4811/python-urllib3.changes
2019-06-18 14:48:07.773702864 +0200
@@ -1,0 +2,64 @@
+Fri Jun 7 11:40:05 UTC 2019 - Tomáš Chvátal <tchva...@suse.com>
+
+- Skip test_source_address_error as we raise different error with
+ fixes that we provide in new python2/3
+
+-------------------------------------------------------------------
+Wed May 29 08:59:29 UTC 2019 - Tomáš Chvátal <tchva...@suse.com>
+
+- Add more test to skip as with new openssl some behaviour changed
+ and we can't rely on them anymore
+
+-------------------------------------------------------------------
+Wed May 29 08:20:27 UTC 2019 - Tomáš Chvátal <tchva...@suse.com>
+
+- Unbundle the six, rfc3986, and backports.ssl_match_hostname
+
+-------------------------------------------------------------------
+Fri May 24 19:16:21 UTC 2019 - Tomáš Chvátal <tchva...@suse.com>
+
+- Update to 1.25.3:
+ * Change HTTPSConnection to load system CA certificates when ca_certs,
ca_cert_dir, and ssl_context are unspecified. (Pull #1608, Issue #1603)
+ * Upgrade bundled rfc3986 to v1.3.2. (Pull #1609, Issue #1605)
+
+-------------------------------------------------------------------
+Mon May 6 11:18:36 UTC 2019 - Tomáš Chvátal <tchva...@suse.com>
+
+- Update to 1.25.2:
+ * Change is_ipaddress to not detect IPvFuture addresses. (Pull #1583)
+ * Change parse_url to percent-encode invalid characters within the path,
query, and target components. (Pull #1586)
+ * Add support for Google's Brotli package. (Pull #1572, Pull #1579)
+ * Upgrade bundled rfc3986 to v1.3.1 (Pull #1578)
+- Require all the deps from the secure list rather than Recommend.
+ This makes the check to be run always and ensure the urls are
+ "secure".
+- Remove ndg-httpsclient as it is not needed since 2015
+
+-------------------------------------------------------------------
+Tue Apr 23 10:27:36 UTC 2019 - Tomáš Chvátal <tchva...@suse.com>
+
+- Add missing dependency on brotlipy
+- Fix the tests to pass again
+
+-------------------------------------------------------------------
+Tue Apr 23 04:04:50 UTC 2019 - Thomas Bechtold <tbecht...@suse.com>
+
+- update to 1.25 (bsc#1132663, CVE-2019-11236):
+ * Require and validate certificates by default when using HTTPS
+ * Upgraded ``urllib3.utils.parse_url()`` to be RFC 3986 compliant.
+ * Added support for ``key_password`` for ``HTTPSConnectionPool`` to use
+ encrypted ``key_file`` without creating your own ``SSLContext`` object.
+ * Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport
``SSLContext``
+ implementations. (Pull #1496)
+ * Switched the default multipart header encoder from RFC 2231 to HTML 5
working draft.
+ * Fixed issue where OpenSSL would block if an encrypted client private key
was
+ given and no password was given. Instead an ``SSLError`` is raised.
+ * Added support for Brotli content encoding. It is enabled automatically if
+ ``brotlipy`` package is installed which can be requested with
+ ``urllib3[brotli]`` extra.
+ * Drop ciphers using DSS key exchange from default TLS cipher suites.
+ Improve default ciphers when using SecureTransport.
+ * Implemented a more efficient ``HTTPResponse.__iter__()`` method.
+- Drop urllib3-test-ssl-drop-sslv3.patch . No longer needed
+
+-------------------------------------------------------------------
Old:
----
urllib3-1.24.2.tar.gz
urllib3-test-ssl-drop-sslv3.patch
New:
----
ssl_match_hostname_py3.py
urllib3-1.25.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-urllib3.spec ++++++
--- /var/tmp/diff_new_pack.1Rcr0C/_old 2019-06-18 14:48:08.533702705 +0200
+++ /var/tmp/diff_new_pack.1Rcr0C/_new 2019-06-18 14:48:08.537702704 +0200
@@ -18,55 +18,62 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define oldpython python
-
%global flavor @BUILD_FLAVOR@%{nil}
%if "%{flavor}" == "test"
-%define test 1
+%define psuffix -test
%bcond_without test
%else
+%define psuffix %{nil}
%bcond_with test
%endif
-%if %{with test}
-Name: python-urllib3-%{flavor}
-%else
-Name: python-urllib3
-%endif
-Version: 1.24.2
+Name: python-urllib3%{psuffix}
+Version: 1.25.3
Release: 0
Summary: HTTP library with thread-safe connection pooling, file post,
and more
License: MIT
Group: Development/Languages/Python
URL: http://urllib3.readthedocs.org/
Source:
https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
+# Wrapper for ssl to unbundle ssl_match_hostname
+Source1: ssl_match_hostname_py3.py
# PATCH-FEATURE-UPSTREAM -- use set_default_verify_paths() if no certificate
path is supplied
# should be removed in the future, see SR#437853
-Patch2: urllib3-ssl-default-context.patch
-# PATCH-FIX-OPENSUSE -- do not use unsupported SSLv3 in tests
-Patch3: urllib3-test-ssl-drop-sslv3.patch
+Patch0: urllib3-ssl-default-context.patch
# PATCH-FIX-UPSTREAM python-urllib3-recent-date.patch gh#shazow/urllib3#1303,
boo#1074247 dims...@opensuse.org -- Fix test suite, use correct date
-Patch4: python-urllib3-recent-date.patch
+Patch1: python-urllib3-recent-date.patch
+# for SSL module on older distros
+BuildRequires: %{oldpython}
BuildRequires: %{python_module PySocks}
BuildRequires: %{python_module psutil}
+BuildRequires: %{python_module rfc3986}
BuildRequires: %{python_module setuptools}
+BuildRequires: %{python_module six}
BuildRequires: fdupes
+BuildRequires: python-backports.ssl_match_hostname
BuildRequires: python-rpm-macros
+BuildRequires: python2-ipaddress
+#!BuildIgnore: python-requests
+Requires: ca-certificates-mozilla
+Requires: python-cryptography
+Requires: python-idna
+Requires: python-pyOpenSSL
+Requires: python-rfc3986
+Requires: python-six
+BuildArch: noarch
+%ifpython2
+Requires: python-backports.ssl_match_hostname
+%endif
%if %{with test}
+BuildRequires: %{python_module brotlipy}
+BuildRequires: %{python_module idna}
BuildRequires: %{python_module mock >= 1.3.0}
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module tornado >= 4.2.1}
+BuildRequires: %{python_module urllib3 >= %{version}}
%endif
-#!BuildIgnore: python-requests
-BuildArch: noarch
%if 0%{?suse_version} >= 1000 || 0%{?fedora_version} >= 24
-Recommends: ca-certificates-mozilla
-Recommends: python-cryptography
-Recommends: python-idna
-Recommends: python-ndg-httpsclient
-Recommends: python-pyOpenSSL
+Recommends: python-brotlipy
%endif
-# for SSL module on older distros
-BuildRequires: %{oldpython}
-BuildRequires: python2-ipaddress
%ifpython2
Requires: python-ipaddress
%endif
@@ -90,46 +97,85 @@
%prep
%setup -q -n urllib3-%{version}
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+%autopatch -p1
find . -type f -exec chmod a-x '{}' \;
+find . -name __pycache__ -type d -exec rm -fr {} +
+
+# Drop the dummyserver tests, they fail in OBS
+rm test/with_dummyserver/test_proxy_poolmanager.py
+rm test/with_dummyserver/test_poolmanager.py
+# Don't run the Google App Engine tests
+rm -r test/appengine/
%build
%python_build
%install
+%if !%{with test}
%python_install
+
%{python_expand \
$python -m compileall -d %{$python_sitelib}
%{buildroot}%{$python_sitelib}/urllib3/
$python -O -m compileall -d %{$python_sitelib}
%{buildroot}%{$python_sitelib}/urllib3/
-%fdupes %{buildroot}%{$python_sitelib}
}
+# Unbundle the Python 2 build
+rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/six.py*
+rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname/
+rm -rf %{buildroot}/%{python2_sitelib}/urllib3/packages/rfc3986/
+
+mkdir -p %{buildroot}/%{python2_sitelib}/urllib3/packages/
+ln -s %{python2_sitelib}/six.py
%{buildroot}/%{python2_sitelib}/urllib3/packages/six.py
+ln -s %{python2_sitelib}/six.pyc
%{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyc
+ln -s %{python2_sitelib}/six.pyo
%{buildroot}/%{python2_sitelib}/urllib3/packages/six.pyo
+ln -s %{python2_sitelib}/backports/ssl_match_hostname \
+ %{buildroot}/%{python2_sitelib}/urllib3/packages/ssl_match_hostname
+ln -s %{python2_sitelib}/rfc3986/ \
+ %{buildroot}/%{python2_sitelib}/urllib3/packages/rfc3986
+# Unbundle the Python 3 build
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/six.py*
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/six*
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname/
+rm -rf %{buildroot}/%{python3_sitelib}/urllib3/packages/rfc3986/
+
+mkdir -p %{buildroot}/%{python3_sitelib}/urllib3/packages/
+cp -a %{SOURCE1}
%{buildroot}/%{python3_sitelib}/urllib3/packages/ssl_match_hostname.py
+ln -s %{python3_sitelib}/six.py
%{buildroot}/%{python3_sitelib}/urllib3/packages/six.py
+ln -s
%{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.opt-1.pyc \
+ %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/
+ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc
\
+ %{buildroot}/%{python3_sitelib}/urllib3/packages/__pycache__/
+ln -s %{python3_sitelib}/rfc3986/ \
+ %{buildroot}/%{python3_sitelib}/urllib3/packages/rfc3986
+
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+%endif
+
%check
%if %{with test}
-skiplist='not test_select_interrupt_exception and not test_selector_error and
not timeout and not test_request_host_header_ignores_fqdn_dot and not
test_dotted_fqdn'
+skiplist='not test_select_interrupt_exception and not test_selector_error and
not timeout and not test_request_host_header_ignores_fqdn_dot and not
test_dotted_fqdn and not TestImportWithoutSSL'
case $(uname -m) in
ppc*)
skiplist="$skiplist and not test_select_timing and not
test_select_multiple_interrupts_with_event and not
test_interrupt_wait_for_read_with_event and not
test_select_interrupt_with_event";;
esac
+# the tls13 tests are not run in upstream travis and they fail for us
+# lets wait for upstream to sort it out first
+skiplist="$skiplist and not test_set_ssl_version_to_tls_version"
+# the certificate validation is much stricter in new openssl so skip
+# tests which would not validate it
+skiplist="$skiplist and not test_client_no_intermediate"
+# we have patch to fix source address errors in python and raise different
+# error than urllib3 expects in its tests
+skiplist="$skiplist and not test_source_address_error"
-rm -rf build
-# pretend to be TRAVIS (this triggers timing tolerance)
-export TRAVIS=1
-%{python_expand PYTHONPATH="%{buildroot}%{$python_sitelib}"
py.test-%$python_bin_suffix \
- --ignore=test/appengine \
- --ignore=test/with_dummyserver/test_proxy_poolmanager.py \
- --ignore=test/with_dummyserver/test_poolmanager.py \
- -k "${skiplist}" \
- src/urllib3 test}
-rm -rf %{buildroot}%{_libexecdir}/python*
+export PYTHONDONTWRITEBYTECODE=1
+%pytest -k "${skiplist}"
%endif
+%if ! %{with test}
%files %{python_files}
%license LICENSE.txt
%doc CHANGES.rst CONTRIBUTORS.txt README.rst
-%if ! %{with test}
%{python_sitelib}/urllib3
%{python_sitelib}/urllib3-%{version}-py*.egg-info
%endif
++++++ ssl_match_hostname_py3.py ++++++
from ssl import match_hostname, CertificateError
++++++ urllib3-1.24.2.tar.gz -> urllib3-1.25.3.tar.gz ++++++
++++ 6982 lines of diff (skipped)
++++++ urllib3-ssl-default-context.patch ++++++
--- /var/tmp/diff_new_pack.1Rcr0C/_old 2019-06-18 14:48:08.701702670 +0200
+++ /var/tmp/diff_new_pack.1Rcr0C/_new 2019-06-18 14:48:08.701702670 +0200
@@ -1,5 +1,7 @@
---- a/src/urllib3/util/ssl_.py
-+++ b/src/urllib3/util/ssl_.py
+Index: urllib3-1.25/src/urllib3/util/ssl_.py
+===================================================================
+--- urllib3-1.25.orig/src/urllib3/util/ssl_.py
++++ urllib3-1.25/src/urllib3/util/ssl_.py
@@ -333,6 +333,8 @@ def ssl_wrap_socket(sock, keyfile=None,
elif ssl_context is None and hasattr(context, 'load_default_certs'):
# try to load OS default certs; works well on Windows (require
Python3.4+)
@@ -7,5 +9,5 @@
+ elif cert_reqs != ssl.CERT_NONE and hasattr(context,
'set_default_verify_paths'):
+ context.set_default_verify_paths()
- if certfile:
- context.load_cert_chain(certfile, keyfile)
+ # Attempt to detect if we get the goofy behavior of the
+ # keyfile being encrypted and OpenSSL asking for the
