----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/36797/#review92989 -----------------------------------------------------------
Ship it! rad - Brian Wickman On July 24, 2015, 9:38 p.m., Kevin Sweeney wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/36797/ > ----------------------------------------------------------- > > (Updated July 24, 2015, 9:38 p.m.) > > > Review request for Aurora, Bill Farner and Brian Wickman. > > > Repository: aurora > > > Description > ------- > > Remove twitter.common.rpc dependency and upgrade requests. > > requests changelog, including a CVE: > > ``` > 2.7.0 (2015-05-03) > This is the first release that follows our new release process. For more, see > [our > documentation](http://docs.python-requests.org/en/latest/community/release-process/). > > Bugfixes > > Updated urllib3 to 1.10.4, resolving several bugs involving chunked transfer > encoding and response framing. > 2.6.2 (2015-04-23) > Bugfixes > > Fix regression where compressed data that was sent as chunked data was not > properly decompressed. (#2561) > 2.6.1 (2015-04-22) > Bugfixes > > Remove VendorAlias import machinery introduced in v2.5.2. > Simplify the PreparedRequest.prepare API: We no longer require the user to > pass an empty list to the hooks keyword argument. (c.f. #2552) > Resolve redirects now receives and forwards all of the original arguments to > the adapter. (#2503) > Handle UnicodeDecodeErrors when trying to deal with a unicode URL that cannot > be encoded in ASCII. (#2540) > Populate the parsed path of the URI field when performing Digest > Authentication. (#2426) > Copy a PreparedRequest’s CookieJar more reliably when it is not an instance > of RequestsCookieJar. (#2527) > 2.6.0 (2015-03-14) > Bugfixes > > CVE-2015-2296: Fix handling of cookies on redirect. Previously a cookie > without a host value set would use the hostname for the redirected URL > exposing requests users to session fixation attacks and potentially cookie > stealing. This was disclosed privately by Matthew Daley of BugFuzz. This > affects all versions of requests from v2.1.0 to v2.5.3 (inclusive on both > ends). > Fix error when requests is an install_requires dependency and python setup.py > test is run. (#2462) > Fix error when urllib3 is unbundled and requests continues to use the > vendored import location. > Include fixes to urllib3’s header handling. > Requests’ handling of unvendored dependencies is now more restrictive. > Features and Improvements > > Support bytearrays when passed as parameters in the files argument. (#2468) > Avoid data duplication when creating a request with str, bytes, or bytearray > input to the files argument. > 2.5.3 (2015-02-24) > Bugfixes > > Revert changes to our vendored certificate bundle. For more context see > (#2455, #2456, and http://bugs.python.org/issue23476) > 2.5.2 (2015-02-23) > Features and Improvements > > Add sha256 fingerprint support. (shazow/urllib3#540) > Improve the performance of headers. (shazow/urllib3#544) > Bugfixes > > Copy pip’s import machinery. When downstream redistributors remove > requests.packages.urllib3 the import machinery will continue to let those > same symbols work. Example usage in requests’ documentation and 3rd-party > libraries relying on the vendored copies of urllib3 will work without having > to fallback to the system urllib3. > Attempt to quote parts of the URL on redirect if unquoting and then quoting > fails. (#2356) > Fix filename type check for multipart form-data uploads. (#2411) > Properly handle the case where a server issuing digest authentication > challenges provides both auth and auth-int qop-values. (#2408) > Fix a socket leak. (shazow/urllib3#549) > Fix multiple Set-Cookie headers properly. (shazow/urllib3#534) > Disable the built-in hostname verification. (shazow/urllib3#526) > Fix the behaviour of decoding an exhausted stream. (shazow/urllib3#535) > Security > > Pulled in an updated cacert.pem. > Drop RC4 from the default cipher list. (shazow/urllib3#551) > 2.5.1 (2014-12-23) > Behavioural Changes > > Only catch HTTPErrors in raise_for_status (#2382) > Bugfixes > > Handle LocationParseError from urllib3 (#2344) > Handle file-like object filenames that are not strings (#2379) > Unbreak HTTPDigestAuth handler. Allow new nonces to be negotiated (#2389) > 2.5.0 (2014-12-01) > Improvements > > Allow usage of urllib3’s Retry object with HTTPAdapters (#2216) > The iter_lines method on a response now accepts a delimiter with which to > split the content (#2295) > Behavioural Changes > > Add deprecation warnings to functions in requests.utils that will be removed > in 3.0 (#2309) > Sessions used by the functional API are always closed (#2326) > Restrict requests to HTTP/1.1 and HTTP/1.0 (stop accepting HTTP/0.9) (#2323) > Bugfixes > > Only parse the URL once (#2353) > Allow Content-Length header to always be overriden (#2332) > Properly handle files in HTTPDigestAuth (#2333) > Cap redirect_cache size to prevent memory abuse (#2299) > Fix HTTPDigestAuth handling of redirects after authenticating successfully > (#2253) > Fix crash with custom method parameter to Session.request (#2317) > Fix how Link headers are parsed using the regular expression library (#2271) > Documentation > > Add more references for interlinking (#2348) > Update CSS for theme (#2290) > Update width of buttons and sidebar (#2289) > Replace references of Gittip with Gratipay (#2282) > Add link to changelog in sidebar (#2273) > 2.4.3 (2014-10-06) > Bugfixes > > Unicode URL improvements for Python 2. > Re-order JSON param for backwards compat. > Automatically defrag authentication schemes from host/pass URIs. (#2249) > 2.4.2 (2014-10-05) > Improvements > > FINALLY! Add json parameter for uploads! (#2258) > Support for bytestring URLs on Python 3.x (#2238) > Bugfixes > > Avoid getting stuck in a loop (#2244) > Multiple calls to iter* fail with unhelpful error. (#2240, #2241) > Documentation > > Correct redirection introduction (#2245) > Added example of how to send multiple files in one request. (#2227) > Clarify how to pass a custom set of CAs (#2248) > 2.4.1 (2014-09-09) > Now has a “security” package extras set, $ pip install requests[security] > Requests will now use Certifi if it is available. > Capture and re-raise urllib3 ProtocolError > Bugfix for responses that attempt to redirect to themselves forever (wtf?). > 2.4.0 (2014-08-29) > Behavioral Changes > > Connection: keep-alive header is now sent automatically. > Improvements > > Support for connect timeouts! Timeout now accepts a tuple (connect, read) > which is used to set individual connect and read timeouts. > Allow copying of PreparedRequests without headers/cookies. > Updated bundled urllib3 version. > Refactored settings loading from environment – new > Session.merge_environment_settings. > Handle socket errors in iter_content. > ``` > > > Diffs > ----- > > 3rdparty/python/requirements.txt 44217469a9583ec50233f34d54a32c105e6bab2c > src/main/python/apache/aurora/client/api/BUILD > d71cc31b2bb86d1a7321e78cd7716a32ff47e47d > > Diff: https://reviews.apache.org/r/36797/diff/ > > > Testing > ------- > > ./src/test/sh/org/apache/aurora/e2e/test_end_to_end.sh > > > Thanks, > > Kevin Sweeney > >