Upgrade urllib3 to 1.25.3, requests to 2.22.0
- Fix urllib3 CVE-2019-11324 (#1774595) - Fix urllib3 CVE-2019-11236 (#1775363)
This commit is contained in:
parent
46d2457dea
commit
afb5be3c75
@ -23,7 +23,7 @@ Name: python-%{srcname}
|
||||
# When updating, update the bundled libraries versions bellow!
|
||||
# You can use vendor_meta.sh in the dist git repo
|
||||
Version: 19.0.3
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Summary: A tool for installing and managing Python packages
|
||||
|
||||
# We bundle a lot of libraries with pip, which itself is under MIT license.
|
||||
@ -50,6 +50,7 @@ Summary: A tool for installing and managing Python packages
|
||||
# idna: BSD
|
||||
# urllib3: MIT
|
||||
# certifi: MPLv2.0
|
||||
# rfc3986: ASL 2.0
|
||||
# setuptools: MIT
|
||||
# webencodings: BSD
|
||||
|
||||
@ -107,6 +108,19 @@ Patch4: dummy-certifi.patch
|
||||
# https://github.com/pypa/pip/pull/6728
|
||||
Patch6: python39.patch
|
||||
|
||||
# Upgrade urllib3 to 1.25.3
|
||||
# This bundles rfc3986
|
||||
# https://github.com/pypa/pip/commit/0d620c4a03a8b3765ec45785299244e1a494d750
|
||||
# CVE-2019-11324: Certification mishandle when error should be thrown
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1774595
|
||||
# CVE-2019-11236: CRLF injection due to not encoding the '\r\n' sequence
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1775363
|
||||
Patch7: urllib3-1.25.3.patch
|
||||
|
||||
# Upgrade requests to 2.22.0 (needed for urllib3 1.25.3)
|
||||
# https://github.com/pypa/pip/commit/8e8d28dd8ecc9226ea4e0f75d54151df90f4d78e
|
||||
Patch8: requests-2.22.0.patch
|
||||
|
||||
# Downstream only patch
|
||||
# Users might have local installations of pip from using
|
||||
# `pip install --user --upgrade pip` on older/newer versions.
|
||||
@ -154,11 +168,12 @@ Provides: bundled(python%{1}dist(pep517)) = 0.5.0
|
||||
Provides: bundled(python%{1}dist(progress)) = 1.4
|
||||
Provides: bundled(python%{1}dist(pyparsing)) = 2.3.1
|
||||
Provides: bundled(python%{1}dist(pytoml)) = 0.1.20
|
||||
Provides: bundled(python%{1}dist(requests)) = 2.21.0
|
||||
Provides: bundled(python%{1}dist(requests)) = 2.22.0
|
||||
Provides: bundled(python%{1}dist(retrying)) = 1.3.3
|
||||
Provides: bundled(python%{1}dist(setuptools)) = 40.6.3
|
||||
Provides: bundled(python%{1}dist(six)) = 1.12.0
|
||||
Provides: bundled(python%{1}dist(urllib3)) = 1.24.1
|
||||
Provides: bundled(python%{1}dist(urllib3)) = 1.25.3
|
||||
Provides: bundled(python%{1}dist(rfc3986)) = 1.3.2
|
||||
Provides: bundled(python%{1}dist(webencodings)) = 0.5.1
|
||||
}
|
||||
|
||||
@ -300,6 +315,8 @@ popd
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
|
||||
# this goes together with patch4
|
||||
rm src/pip/_vendor/certifi/*.pem
|
||||
@ -520,6 +537,11 @@ ln -sf %{buildroot}%{_bindir}/pip3 _bin/pip
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jan 02 2020 Miro Hrončok <mhroncok@redhat.com> - 19.0.3-6
|
||||
- Upgrade urllib3 to 1.25.3, requests to 2.22.0
|
||||
- Fix urllib3 CVE-2019-11324 (#1774595)
|
||||
- Fix urllib3 CVE-2019-11236 (#1775363)
|
||||
|
||||
* Mon Nov 25 2019 Miro Hrončok <mhroncok@redhat.com> - 19.0.3-5
|
||||
- Make python-pip-wheel work with Python 3.9
|
||||
|
||||
|
91
requests-2.22.0.patch
Normal file
91
requests-2.22.0.patch
Normal file
@ -0,0 +1,91 @@
|
||||
From 8e8d28dd8ecc9226ea4e0f75d54151df90f4d78e Mon Sep 17 00:00:00 2001
|
||||
From: Pradyun Gedam <pradyunsg@gmail.com>
|
||||
Date: Sat, 20 Jul 2019 09:31:48 +0530
|
||||
Subject: [PATCH] Upgrade requests to 2.22.0
|
||||
|
||||
---
|
||||
news/requests.vendor | 1 +
|
||||
src/pip/_vendor/requests/__init__.py | 4 ++--
|
||||
src/pip/_vendor/requests/__version__.py | 6 +++---
|
||||
src/pip/_vendor/requests/api.py | 4 ++--
|
||||
src/pip/_vendor/vendor.txt | 1 +
|
||||
5 files changed, 9 insertions(+), 7 deletions(-)
|
||||
create mode 100644 news/requests.vendor
|
||||
|
||||
diff --git a/news/requests.vendor b/news/requests.vendor
|
||||
new file mode 100644
|
||||
index 0000000000..aac729b0e1
|
||||
--- /dev/null
|
||||
+++ b/news/requests.vendor
|
||||
@@ -0,0 +1 @@
|
||||
+Upgrade requests to 2.22.0
|
||||
diff --git a/src/pip/_vendor/requests/__init__.py b/src/pip/_vendor/requests/__init__.py
|
||||
index 80c4ce1d21..1d30e3e063 100644
|
||||
--- a/src/pip/_vendor/requests/__init__.py
|
||||
+++ b/src/pip/_vendor/requests/__init__.py
|
||||
@@ -57,10 +57,10 @@ def check_compatibility(urllib3_version, chardet_version):
|
||||
# Check urllib3 for compatibility.
|
||||
major, minor, patch = urllib3_version # noqa: F811
|
||||
major, minor, patch = int(major), int(minor), int(patch)
|
||||
- # urllib3 >= 1.21.1, <= 1.24
|
||||
+ # urllib3 >= 1.21.1, <= 1.25
|
||||
assert major == 1
|
||||
assert minor >= 21
|
||||
- assert minor <= 24
|
||||
+ assert minor <= 25
|
||||
|
||||
# Check chardet for compatibility.
|
||||
major, minor, patch = chardet_version.split('.')[:3]
|
||||
diff --git a/src/pip/_vendor/requests/__version__.py b/src/pip/_vendor/requests/__version__.py
|
||||
index f5b5d03671..9844f740ab 100644
|
||||
--- a/src/pip/_vendor/requests/__version__.py
|
||||
+++ b/src/pip/_vendor/requests/__version__.py
|
||||
@@ -5,10 +5,10 @@
|
||||
__title__ = 'requests'
|
||||
__description__ = 'Python HTTP for Humans.'
|
||||
__url__ = 'http://python-requests.org'
|
||||
-__version__ = '2.21.0'
|
||||
-__build__ = 0x022100
|
||||
+__version__ = '2.22.0'
|
||||
+__build__ = 0x022200
|
||||
__author__ = 'Kenneth Reitz'
|
||||
__author_email__ = 'me@kennethreitz.org'
|
||||
__license__ = 'Apache 2.0'
|
||||
-__copyright__ = 'Copyright 2018 Kenneth Reitz'
|
||||
+__copyright__ = 'Copyright 2019 Kenneth Reitz'
|
||||
__cake__ = u'\u2728 \U0001f370 \u2728'
|
||||
diff --git a/src/pip/_vendor/requests/api.py b/src/pip/_vendor/requests/api.py
|
||||
index abada96d46..ef71d0759e 100644
|
||||
--- a/src/pip/_vendor/requests/api.py
|
||||
+++ b/src/pip/_vendor/requests/api.py
|
||||
@@ -19,7 +19,7 @@ def request(method, url, **kwargs):
|
||||
:param method: method for the new :class:`Request` object.
|
||||
:param url: URL for the new :class:`Request` object.
|
||||
:param params: (optional) Dictionary, list of tuples or bytes to send
|
||||
- in the body of the :class:`Request`.
|
||||
+ in the query string for the :class:`Request`.
|
||||
:param data: (optional) Dictionary, list of tuples, bytes, or file-like
|
||||
object to send in the body of the :class:`Request`.
|
||||
:param json: (optional) A JSON serializable Python object to send in the body of the :class:`Request`.
|
||||
@@ -65,7 +65,7 @@ def get(url, params=None, **kwargs):
|
||||
|
||||
:param url: URL for the new :class:`Request` object.
|
||||
:param params: (optional) Dictionary, list of tuples or bytes to send
|
||||
- in the body of the :class:`Request`.
|
||||
+ in the query string for the :class:`Request`.
|
||||
:param \*\*kwargs: Optional arguments that ``request`` takes.
|
||||
:return: :class:`Response <Response>` object
|
||||
:rtype: requests.Response
|
||||
diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt
|
||||
index bcf579515e..e5542fbc5e 100644
|
||||
--- a/src/pip/_vendor/vendor.txt
|
||||
+++ b/src/pip/_vendor/vendor.txt
|
||||
@@ -12,7 +12,7 @@ pep517==0.5.0
|
||||
progress==1.4
|
||||
pyparsing==2.3.1
|
||||
pytoml==0.1.20
|
||||
-requests==2.21.0
|
||||
+requests==2.22.0
|
||||
certifi==2018.11.29
|
||||
chardet==3.0.4
|
||||
idna==2.8
|
4621
urllib3-1.25.3.patch
Normal file
4621
urllib3-1.25.3.patch
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user