Sync from SUSE:SLFO:Main python-urllib3 revision b62f7a8b3740e3b8609fe1bca250e3b6

openssl-3.2.patch

@@ -1,32 +0,0 @@
-Index: urllib3-2.1.0/changelog/3268.bugfix.rst
-===================================================================
---- /dev/null
-+++ urllib3-2.1.0/changelog/3268.bugfix.rst
-@@ -0,0 +1 @@
-+Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS.
-Index: urllib3-2.1.0/src/urllib3/connection.py
-===================================================================
---- urllib3-2.1.0.orig/src/urllib3/connection.py
-+++ urllib3-2.1.0/src/urllib3/connection.py
-@@ -864,6 +864,7 @@ def _wrap_proxy_error(err: Exception, pr
-     is_likely_http_proxy = (
-         "wrong version number" in error_normalized
-         or "unknown protocol" in error_normalized
-+        or "record layer failure" in error_normalized
-     )
-     http_proxy_warning = (
-         ". Your proxy appears to only use HTTP and not HTTPS, "
-Index: urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
-===================================================================
---- urllib3-2.1.0.orig/test/with_dummyserver/test_socketlevel.py
-+++ urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
-@@ -1297,7 +1297,8 @@ class TestSSL(SocketDummyServerTestCase)
-         self._start_server(socket_handler)
-         with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool:
-             with pytest.raises(
--                SSLError, match=r"(wrong version number|record overflow)"
-+                SSLError,
-+                match=r"(wrong version number|record overflow|record layer failure)",
-             ):
-                 pool.request("GET", "/", retries=False)
- 

python-urllib3.changes

@@ -1,3 +1,132 @@
+-------------------------------------------------------------------
+Mon Jun 23 02:03:12 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 2.5.0:
+  * Security issues
+    Pool managers now properly control redirects when retries is passed
+    (CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925)
+    Redirects are now controlled by urllib3 in the Node.js runtime
+    (CVE-2025-50182, GHSA-48p4-8xcf-vxj5, bsc#1244924)
+  * Features
+    Added support for the compression.zstd module that is new in Python 3.14.
+    Added support for version 0.5 of hatch-vcs
+  * Bugfixes
+    Raised exception for HTTPResponse.shutdown on a connection already
+    released to the pool.
+    Fixed incorrect CONNECT statement when using an IPv6 proxy with
+    connection_from_host. Previously would not be wrapped in [].
+
+-------------------------------------------------------------------
+Tue May 27 08:56:43 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 2.4.0
+  * Applied PEP 639 by specifying the license fields in
+    pyproject.toml. (#3522)
+  * Updated exceptions to save and restore more properties during the
+    pickle/serialization process. (#3567)
+  * Added verify_flags option to create_urllib3_context with a default
+    of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python
+    3.13+. (#3571)
+  * Fixed a bug with partial reads of streaming data in Emscripten.
+    (#3555)
+  * Switched to uv for installing development dependecies. (#3550)
+  * Removed the multiple.intoto.jsonl asset from GitHub releases.
+    Attestation of release files since v2.3.0 can be found on PyPI.
+    (#3566)
+- 2.3.0:
+  * Added HTTPResponse.shutdown() to stop any ongoing or future reads
+    for a specific response. It calls shutdown(SHUT_RD) on the
+    underlying socket. This feature was sponsored by LaunchDarkly.
+    (#2868)
+  * Added support for JavaScript Promise Integration on Emscripten.
+    This enables more efficient WebAssembly requests and streaming,
+    and makes it possible to use in Node.js if you launch it as node
+    --experimental-wasm-stack-switching. (#3400)
+  * Added the proxy_is_tunneling property to HTTPConnection and
+    HTTPSConnection. (#3285)
+  * Added pickling support to NewConnectionError and
+    NameResolutionError. (#3480)
+  * Fixed an issue in debug logs where the HTTP version was rendering
+    as "HTTP/11" instead of "HTTP/1.1". (#3489)
+  * Removed support for Python 3.8. (#3492)
+
+-------------------------------------------------------------------
+Tue May 27 08:51:09 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Skip test_close_after_handshake flaky test, it fails sometimes in
+  ppc64le and s390x architectures, bsc#1243583
+
+-------------------------------------------------------------------
+Thu Dec 19 07:20:32 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Skip some flaky tests that fail sometimes in OBS (bsc#1234681)
+
+-------------------------------------------------------------------
+Wed Dec 18 08:41:22 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Ignore DeprecationWarning in tests (bsc#1234681)
+
+-------------------------------------------------------------------
+Thu Oct  3 05:10:09 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 2.2.3:
+  * Features
+    + Added support for Python 3.13.
+  * Bugfixes
+    + Fixed the default encoding of chunked request bodies to be UTF-8
+      instead of ISO-8859-1. All other methods of supplying a request body
+      already use UTF-8 starting in urllib3 v2.0.
+    + Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting
+      python/cpython#103472.
+    + Fixed a crash where certain standard library hash functions were absent
+      in restricted environments.
+    + Added the Proxy-Authorization header to the list of headers to strip
+      from requests when redirecting to a different host. As before,
+      different headers can be set via Retry.remove_headers_on_redirect.
+    + Allowed passing negative integers as amt to read methods of
+      http.client.HTTPResponse as an alternative to None.
+    + Fixed issue where InsecureRequestWarning was emitted for HTTPS
+      connections when using Emscripten.
+    + Fixed HTTPConnectionPool.urlopen to stop automatically casting
+      non-proxy headers to HTTPHeaderDict. This change was premature as it
+      did not apply to proxy headers and HTTPHeaderDict does not handle byte
+      header values correctly yet.
+    + Changed InvalidChunkLength to ProtocolError when response terminates
+      before the chunk length is sent.
+    + Changed ProtocolError to be more verbose on incomplete reads with
+      excess content.
+    + Added support for HTTPResponse.read1() method.
+    + Fixed issue where requests against urls with trailing dots were
+      failing due to SSL errors when using proxy.
+    + Fixed HTTPConnection.proxy_is_verified and
+      HTTPSConnection.proxy_is_verified to be always set to a boolean after
+      connecting to a proxy. It could be None in some cases previously.
+    + Fixed an issue where headers passed in a request with json= would be
+      mutated
+    + Fixed HTTPSConnection.is_verified to be set to False when connecting
+      from a HTTPS proxy to an HTTP target. It was set to True previously.
+    + Fixed handling of new error message from OpenSSL 3.2.0 when configuring
+      an HTTP proxy as HTTPS
+    + Fixed TLS 1.3 post-handshake auth when the server certificate
+      validation is disabled
+  * HTTP/2 (experimental)
+    + Excluded Transfer-Encoding: chunked from HTTP/2 request body
+    + Added a probing mechanism for determining whether a given target
+      origin supports HTTP/2 via ALPN.
+    + Add support for sending a request body with HTTP/2
+  * Removals
+    + Drop support for end-of-life PyPy3.8 and PyPy3.9.
+- Drop patches, they are now included upstream:
+  * CVE-2024-37891.patch
+  * openssl-3.2.patch
+- Included patched hypercorn, which is only unpacked and used for the test
+  suite.
+
+-------------------------------------------------------------------
+Tue Jun 18 09:46:57 UTC 2024 - Markéta Machová <mmachova@suse.com>
+
+- Add CVE-2024-37891.patch (bsc#1226469)
+
 -------------------------------------------------------------------
 Thu Jan 11 11:46:04 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 

python-urllib3.spec

@@ -1,7 +1,7 @@
 #
-# spec file
+# spec file for package python-urllib3
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,40 +26,45 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-urllib3%{psuffix}
-Version:        2.1.0
+Version:        2.5.0
 Release:        0
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 License:        MIT
 URL:            https://urllib3.readthedocs.org/
 Source:         https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
-# PATCH-FIX-OPENSUSE openssl-3.2.patch gh#urllib3/urllib3#3271
-Patch1:         openssl-3.2.patch
-BuildRequires:  %{python_module base >= 3.7}
+# https://github.com/urllib3/urllib3/issues/3334
+%define hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb
+Source1:        https://github.com/urllib3/hypercorn/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
+BuildRequires:  %{python_module base >= 3.8}
+BuildRequires:  %{python_module hatch-vcs}
 BuildRequires:  %{python_module hatchling}
 BuildRequires:  %{python_module pip}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 #!BuildIgnore:  python-requests
 Requires:       ca-certificates-mozilla
-Requires:       python-certifi
-Requires:       python-cryptography >= 1.9
-Requires:       python-idna >= 3.4
-Requires:       python-pyOpenSSL >= 23.2.0
 Recommends:     python-Brotli >= 1.0.9
 Recommends:     python-PySocks >= 1.7.1
+Recommends:     python-h2 >= 4
+Recommends:     python-zstandard >= 0.18
 BuildArch:      noarch
 %if %{with test}
 BuildRequires:  %{python_module Brotli >= 1.0.9}
 BuildRequires:  %{python_module PySocks >= 1.7.1}
-BuildRequires:  %{python_module certifi}
-BuildRequires:  %{python_module cryptography >= 1.9}
+BuildRequires:  %{python_module Quart >= 0.19}
+BuildRequires:  %{python_module cryptography >= 43}
 BuildRequires:  %{python_module flaky}
-BuildRequires:  %{python_module idna >= 3.4}
+BuildRequires:  %{python_module h2 >= 4.1}
+BuildRequires:  %{python_module httpx >= 0.25}
+BuildRequires:  %{python_module idna >= 3.7}
 BuildRequires:  %{python_module psutil}
+BuildRequires:  %{python_module pyOpenSSL >= 24.2}
 BuildRequires:  %{python_module pytest >= 7.4.0}
+BuildRequires:  %{python_module pytest-socket >= 0.7}
 BuildRequires:  %{python_module pytest-timeout >= 2.1.0}
 BuildRequires:  %{python_module pytest-xdist}
-BuildRequires:  %{python_module tornado >= 6.2}
+BuildRequires:  %{python_module quart-trio >= 0.11}
+BuildRequires:  %{python_module trio >= 0.26}
 BuildRequires:  %{python_module trustme >= 0.9.0}
 BuildRequires:  %{python_module urllib3 >= %{version}}
 BuildRequires:  timezone
@@ -86,6 +91,11 @@ Highlights
 
 %prep
 %autosetup -p1 -n urllib3-%{version}
+# https://github.com/urllib3/urllib3/issues/3334
+%if %{with test}
+mkdir ../patched-hypercorn
+tar -C ../patched-hypercorn -zxf %{SOURCE1}
+%endif
 
 find . -type f -exec chmod a-x '{}' \;
 find . -name __pycache__ -type d -exec rm -fr {} +
@@ -102,10 +112,12 @@ find . -name __pycache__ -type d -exec rm -fr {} +
 
 %if %{with test}
 %check
+# https://github.com/urllib3/urllib3/issues/3334
+export PYTHONPATH="$PWD/../patched-hypercorn/hypercorn-%{hypercorn_commit}/src"
 # gh#urllib3/urllib3#2109
 export CI="true"
 # skip some randomly failing tests (mostly on i586, but sometimes they fail on other architectures)
-skiplist="test_ssl_read_timeout or test_ssl_failed_fingerprint_verification or test_ssl_custom_validation_failure_terminates"
+skiplist="test_ssl_read_timeout or test_ssl_failed_fingerprint_verification or test_ssl_custom_validation_failure_terminates or test_close_after_handshake"
 # gh#urllib3/urllib3#1752 and others: upstream's way of checking that the build
 # system has a correct system time breaks (re-)building the package after too
 # many months have passed since the last release.
@@ -114,7 +126,12 @@ skiplist+=" or test_recent_date"
 skiplist+=" or test_requesting_large_resources_via_ssl"
 # Try to access external evil.com
 skiplist+=" or test_deprecated_no_scheme"
-%pytest %{?jobs:-n %jobs} -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py
+# weird threading issues on OBS runners
+skiplist+=" or test_http2_probe_blocked_per_thread"
+# flaky test, works locally but fails in OBS with
+# TypeError: _wrap_bio() argument 'incoming' must be _ssl.MemoryBIO, not _ssl.MemoryBIO
+skiplist+=" or test_https_proxy_forwarding_for_https or test_https_headers_forwarding_for_https"
+%pytest -W ignore::DeprecationWarning %{?jobs:-n %jobs} -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py
 %endif
 
 %if ! %{with test}
@@ -122,7 +139,7 @@ skiplist+=" or test_deprecated_no_scheme"
 %license LICENSE.txt
 %doc CHANGES.rst README.md
 %{python_sitelib}/urllib3
-%{python_sitelib}/urllib3-%{version}*-info
+%{python_sitelib}/urllib3-%{version}.dist-info
 %endif
 
 %changelog