Sync from SUSE:SLFO:Main python-urllib3 revision b62f7a8b3740e3b8609fe1bca250e3b6

CVE-2024-37891.patch

@@ -1,154 +0,0 @@
-From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
-From: Quentin Pradet <quentin.pradet@gmail.com>
-Date: Mon, 17 Jun 2024 11:09:06 +0400
-Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
-
-* Strip Proxy-Authorization header on redirects
-
-* Fix test_retry_default_remove_headers_on_redirect
-
-* Set release date
----
- CHANGES.rst                               |  5 +++++
- src/urllib3/util/retry.py                 |  4 +++-
- test/test_retry.py                        |  6 ++++-
- test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
- 4 files changed, 37 insertions(+), 5 deletions(-)
-
-
-diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index 7a76a4a6ad..0456cceba4 100644
---- a/src/urllib3/util/retry.py
-+++ b/src/urllib3/util/retry.py
-@@ -189,7 +189,9 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
-+        ["Cookie", "Authorization", "Proxy-Authorization"]
-+    )
- 
-     #: Default maximum backoff time.
-     DEFAULT_BACKOFF_MAX = 120
-diff --git a/test/test_retry.py b/test/test_retry.py
-index f71e7acc9e..ac3ce4ca73 100644
---- a/test/test_retry.py
-+++ b/test/test_retry.py
-@@ -334,7 +334,11 @@ def test_retry_method_not_allowed(self) -> None:
-     def test_retry_default_remove_headers_on_redirect(self) -> None:
-         retry = Retry()
- 
--        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
-+        assert retry.remove_headers_on_redirect == {
-+            "authorization",
-+            "proxy-authorization",
-+            "cookie",
-+        }
- 
-     def test_retry_set_remove_headers_on_redirect(self) -> None:
-         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
-diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
-index 4fa9ec850a..af77241d6c 100644
---- a/test/with_dummyserver/test_poolmanager.py
-+++ b/test/with_dummyserver/test_poolmanager.py
-@@ -144,7 +144,11 @@ def test_redirect_cross_host_remove_headers(self) -> None:
-                 "GET",
-                 f"{self.base_url}/redirect",
-                 fields={"target": f"{self.base_url_alt}/headers"},
--                headers={"Authorization": "foo", "Cookie": "foo=bar"},
-+                headers={
-+                    "Authorization": "foo",
-+                    "Proxy-Authorization": "bar",
-+                    "Cookie": "foo=bar",
-+                },
-             )
- 
-             assert r.status == 200
-@@ -152,13 +156,18 @@ def test_redirect_cross_host_remove_headers(self) -> None:
-             data = r.json()
- 
-             assert "Authorization" not in data
-+            assert "Proxy-Authorization" not in data
-             assert "Cookie" not in data
- 
-             r = http.request(
-                 "GET",
-                 f"{self.base_url}/redirect",
-                 fields={"target": f"{self.base_url_alt}/headers"},
--                headers={"authorization": "foo", "cookie": "foo=bar"},
-+                headers={
-+                    "authorization": "foo",
-+                    "proxy-authorization": "baz",
-+                    "cookie": "foo=bar",
-+                },
-             )
- 
-             assert r.status == 200
-@@ -167,6 +176,8 @@ def test_redirect_cross_host_remove_headers(self) -> None:
- 
-             assert "authorization" not in data
-             assert "Authorization" not in data
-+            assert "proxy-authorization" not in data
-+            assert "Proxy-Authorization" not in data
-             assert "cookie" not in data
-             assert "Cookie" not in data
- 
-@@ -176,7 +187,11 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
-                 "GET",
-                 f"{self.base_url}/redirect",
-                 fields={"target": f"{self.base_url_alt}/headers"},
--                headers={"Authorization": "foo", "Cookie": "foo=bar"},
-+                headers={
-+                    "Authorization": "foo",
-+                    "Proxy-Authorization": "bar",
-+                    "Cookie": "foo=bar",
-+                },
-                 retries=Retry(remove_headers_on_redirect=[]),
-             )
- 
-@@ -185,6 +200,7 @@ def test_redirect_cross_host_no_remove_headers(self) -> None:
-             data = r.json()
- 
-             assert data["Authorization"] == "foo"
-+            assert data["Proxy-Authorization"] == "bar"
-             assert data["Cookie"] == "foo=bar"
- 
-     def test_redirect_cross_host_set_removed_headers(self) -> None:
-@@ -196,6 +212,7 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
-                 headers={
-                     "X-API-Secret": "foo",
-                     "Authorization": "bar",
-+                    "Proxy-Authorization": "baz",
-                     "Cookie": "foo=bar",
-                 },
-                 retries=Retry(remove_headers_on_redirect=["X-API-Secret"]),
-@@ -207,11 +224,13 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
- 
-             assert "X-API-Secret" not in data
-             assert data["Authorization"] == "bar"
-+            assert data["Proxy-Authorization"] == "baz"
-             assert data["Cookie"] == "foo=bar"
- 
-             headers = {
-                 "x-api-secret": "foo",
-                 "authorization": "bar",
-+                "proxy-authorization": "baz",
-                 "cookie": "foo=bar",
-             }
-             r = http.request(
-@@ -229,12 +248,14 @@ def test_redirect_cross_host_set_removed_headers(self) -> None:
-             assert "x-api-secret" not in data
-             assert "X-API-Secret" not in data
-             assert data["Authorization"] == "bar"
-+            assert data["Proxy-Authorization"] == "baz"
-             assert data["Cookie"] == "foo=bar"
- 
-             # Ensure the header argument itself is not modified in-place.
-             assert headers == {
-                 "x-api-secret": "foo",
-                 "authorization": "bar",
-+                "proxy-authorization": "baz",
-                 "cookie": "foo=bar",
-             }
- 

openssl-3.2.patch

@@ -1,32 +0,0 @@
-Index: urllib3-2.1.0/changelog/3268.bugfix.rst
-===================================================================
---- /dev/null
-+++ urllib3-2.1.0/changelog/3268.bugfix.rst
-@@ -0,0 +1 @@
-+Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS.
-Index: urllib3-2.1.0/src/urllib3/connection.py
-===================================================================
---- urllib3-2.1.0.orig/src/urllib3/connection.py
-+++ urllib3-2.1.0/src/urllib3/connection.py
-@@ -864,6 +864,7 @@ def _wrap_proxy_error(err: Exception, pr
-     is_likely_http_proxy = (
-         "wrong version number" in error_normalized
-         or "unknown protocol" in error_normalized
-+        or "record layer failure" in error_normalized
-     )
-     http_proxy_warning = (
-         ". Your proxy appears to only use HTTP and not HTTPS, "
-Index: urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
-===================================================================
---- urllib3-2.1.0.orig/test/with_dummyserver/test_socketlevel.py
-+++ urllib3-2.1.0/test/with_dummyserver/test_socketlevel.py
-@@ -1297,7 +1297,8 @@ class TestSSL(SocketDummyServerTestCase)
-         self._start_server(socket_handler)
-         with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool:
-             with pytest.raises(
--                SSLError, match=r"(wrong version number|record overflow)"
-+                SSLError,
-+                match=r"(wrong version number|record overflow|record layer failure)",
-             ):
-                 pool.request("GET", "/", retries=False)
- 

python-urllib3.changes

@@ -1,3 +1,127 @@
+-------------------------------------------------------------------
+Mon Jun 23 02:03:12 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 2.5.0:
+  * Security issues
+    Pool managers now properly control redirects when retries is passed
+    (CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925)
+    Redirects are now controlled by urllib3 in the Node.js runtime
+    (CVE-2025-50182, GHSA-48p4-8xcf-vxj5, bsc#1244924)
+  * Features
+    Added support for the compression.zstd module that is new in Python 3.14.
+    Added support for version 0.5 of hatch-vcs
+  * Bugfixes
+    Raised exception for HTTPResponse.shutdown on a connection already
+    released to the pool.
+    Fixed incorrect CONNECT statement when using an IPv6 proxy with
+    connection_from_host. Previously would not be wrapped in [].
+
+-------------------------------------------------------------------
+Tue May 27 08:56:43 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 2.4.0
+  * Applied PEP 639 by specifying the license fields in
+    pyproject.toml. (#3522)
+  * Updated exceptions to save and restore more properties during the
+    pickle/serialization process. (#3567)
+  * Added verify_flags option to create_urllib3_context with a default
+    of VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT for Python
+    3.13+. (#3571)
+  * Fixed a bug with partial reads of streaming data in Emscripten.
+    (#3555)
+  * Switched to uv for installing development dependecies. (#3550)
+  * Removed the multiple.intoto.jsonl asset from GitHub releases.
+    Attestation of release files since v2.3.0 can be found on PyPI.
+    (#3566)
+- 2.3.0:
+  * Added HTTPResponse.shutdown() to stop any ongoing or future reads
+    for a specific response. It calls shutdown(SHUT_RD) on the
+    underlying socket. This feature was sponsored by LaunchDarkly.
+    (#2868)
+  * Added support for JavaScript Promise Integration on Emscripten.
+    This enables more efficient WebAssembly requests and streaming,
+    and makes it possible to use in Node.js if you launch it as node
+    --experimental-wasm-stack-switching. (#3400)
+  * Added the proxy_is_tunneling property to HTTPConnection and
+    HTTPSConnection. (#3285)
+  * Added pickling support to NewConnectionError and
+    NameResolutionError. (#3480)
+  * Fixed an issue in debug logs where the HTTP version was rendering
+    as "HTTP/11" instead of "HTTP/1.1". (#3489)
+  * Removed support for Python 3.8. (#3492)
+
+-------------------------------------------------------------------
+Tue May 27 08:51:09 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Skip test_close_after_handshake flaky test, it fails sometimes in
+  ppc64le and s390x architectures, bsc#1243583
+
+-------------------------------------------------------------------
+Thu Dec 19 07:20:32 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Skip some flaky tests that fail sometimes in OBS (bsc#1234681)
+
+-------------------------------------------------------------------
+Wed Dec 18 08:41:22 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Ignore DeprecationWarning in tests (bsc#1234681)
+
+-------------------------------------------------------------------
+Thu Oct  3 05:10:09 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 2.2.3:
+  * Features
+    + Added support for Python 3.13.
+  * Bugfixes
+    + Fixed the default encoding of chunked request bodies to be UTF-8
+      instead of ISO-8859-1. All other methods of supplying a request body
+      already use UTF-8 starting in urllib3 v2.0.
+    + Fixed ResourceWarning on CONNECT with Python < 3.11.4 by backporting
+      python/cpython#103472.
+    + Fixed a crash where certain standard library hash functions were absent
+      in restricted environments.
+    + Added the Proxy-Authorization header to the list of headers to strip
+      from requests when redirecting to a different host. As before,
+      different headers can be set via Retry.remove_headers_on_redirect.
+    + Allowed passing negative integers as amt to read methods of
+      http.client.HTTPResponse as an alternative to None.
+    + Fixed issue where InsecureRequestWarning was emitted for HTTPS
+      connections when using Emscripten.
+    + Fixed HTTPConnectionPool.urlopen to stop automatically casting
+      non-proxy headers to HTTPHeaderDict. This change was premature as it
+      did not apply to proxy headers and HTTPHeaderDict does not handle byte
+      header values correctly yet.
+    + Changed InvalidChunkLength to ProtocolError when response terminates
+      before the chunk length is sent.
+    + Changed ProtocolError to be more verbose on incomplete reads with
+      excess content.
+    + Added support for HTTPResponse.read1() method.
+    + Fixed issue where requests against urls with trailing dots were
+      failing due to SSL errors when using proxy.
+    + Fixed HTTPConnection.proxy_is_verified and
+      HTTPSConnection.proxy_is_verified to be always set to a boolean after
+      connecting to a proxy. It could be None in some cases previously.
+    + Fixed an issue where headers passed in a request with json= would be
+      mutated
+    + Fixed HTTPSConnection.is_verified to be set to False when connecting
+      from a HTTPS proxy to an HTTP target. It was set to True previously.
+    + Fixed handling of new error message from OpenSSL 3.2.0 when configuring
+      an HTTP proxy as HTTPS
+    + Fixed TLS 1.3 post-handshake auth when the server certificate
+      validation is disabled
+  * HTTP/2 (experimental)
+    + Excluded Transfer-Encoding: chunked from HTTP/2 request body
+    + Added a probing mechanism for determining whether a given target
+      origin supports HTTP/2 via ALPN.
+    + Add support for sending a request body with HTTP/2
+  * Removals
+    + Drop support for end-of-life PyPy3.8 and PyPy3.9.
+- Drop patches, they are now included upstream:
+  * CVE-2024-37891.patch
+  * openssl-3.2.patch
+- Included patched hypercorn, which is only unpacked and used for the test
+  suite.
+
 -------------------------------------------------------------------
 Tue Jun 18 09:46:57 UTC 2024 - Markéta Machová <mmachova@suse.com>
 

python-urllib3.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-urllib3
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,42 +26,45 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-urllib3%{psuffix}
-Version:        2.1.0
+Version:        2.5.0
 Release:        0
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 License:        MIT
 URL:            https://urllib3.readthedocs.org/
 Source:         https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
-# PATCH-FIX-OPENSUSE openssl-3.2.patch gh#urllib3/urllib3#3271
-Patch1:         openssl-3.2.patch
-# PATCH-FIX-UPSTREAM https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e Strip Proxy-Authorization header on redirects
-Patch2:         CVE-2024-37891.patch
-BuildRequires:  %{python_module base >= 3.7}
+# https://github.com/urllib3/urllib3/issues/3334
+%define hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb
+Source1:        https://github.com/urllib3/hypercorn/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
+BuildRequires:  %{python_module base >= 3.8}
+BuildRequires:  %{python_module hatch-vcs}
 BuildRequires:  %{python_module hatchling}
 BuildRequires:  %{python_module pip}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 #!BuildIgnore:  python-requests
 Requires:       ca-certificates-mozilla
-Requires:       python-certifi
-Requires:       python-cryptography >= 1.9
-Requires:       python-idna >= 3.4
-Requires:       python-pyOpenSSL >= 23.2.0
 Recommends:     python-Brotli >= 1.0.9
 Recommends:     python-PySocks >= 1.7.1
+Recommends:     python-h2 >= 4
+Recommends:     python-zstandard >= 0.18
 BuildArch:      noarch
 %if %{with test}
 BuildRequires:  %{python_module Brotli >= 1.0.9}
 BuildRequires:  %{python_module PySocks >= 1.7.1}
-BuildRequires:  %{python_module certifi}
-BuildRequires:  %{python_module cryptography >= 1.9}
+BuildRequires:  %{python_module Quart >= 0.19}
+BuildRequires:  %{python_module cryptography >= 43}
 BuildRequires:  %{python_module flaky}
-BuildRequires:  %{python_module idna >= 3.4}
+BuildRequires:  %{python_module h2 >= 4.1}
+BuildRequires:  %{python_module httpx >= 0.25}
+BuildRequires:  %{python_module idna >= 3.7}
 BuildRequires:  %{python_module psutil}
+BuildRequires:  %{python_module pyOpenSSL >= 24.2}
 BuildRequires:  %{python_module pytest >= 7.4.0}
+BuildRequires:  %{python_module pytest-socket >= 0.7}
 BuildRequires:  %{python_module pytest-timeout >= 2.1.0}
 BuildRequires:  %{python_module pytest-xdist}
-BuildRequires:  %{python_module tornado >= 6.2}
+BuildRequires:  %{python_module quart-trio >= 0.11}
+BuildRequires:  %{python_module trio >= 0.26}
 BuildRequires:  %{python_module trustme >= 0.9.0}
 BuildRequires:  %{python_module urllib3 >= %{version}}
 BuildRequires:  timezone
@@ -88,6 +91,11 @@ Highlights
 
 %prep
 %autosetup -p1 -n urllib3-%{version}
+# https://github.com/urllib3/urllib3/issues/3334
+%if %{with test}
+mkdir ../patched-hypercorn
+tar -C ../patched-hypercorn -zxf %{SOURCE1}
+%endif
 
 find . -type f -exec chmod a-x '{}' \;
 find . -name __pycache__ -type d -exec rm -fr {} +
@@ -104,10 +112,12 @@ find . -name __pycache__ -type d -exec rm -fr {} +
 
 %if %{with test}
 %check
+# https://github.com/urllib3/urllib3/issues/3334
+export PYTHONPATH="$PWD/../patched-hypercorn/hypercorn-%{hypercorn_commit}/src"
 # gh#urllib3/urllib3#2109
 export CI="true"
 # skip some randomly failing tests (mostly on i586, but sometimes they fail on other architectures)
-skiplist="test_ssl_read_timeout or test_ssl_failed_fingerprint_verification or test_ssl_custom_validation_failure_terminates"
+skiplist="test_ssl_read_timeout or test_ssl_failed_fingerprint_verification or test_ssl_custom_validation_failure_terminates or test_close_after_handshake"
 # gh#urllib3/urllib3#1752 and others: upstream's way of checking that the build
 # system has a correct system time breaks (re-)building the package after too
 # many months have passed since the last release.
@@ -116,7 +126,12 @@ skiplist+=" or test_recent_date"
 skiplist+=" or test_requesting_large_resources_via_ssl"
 # Try to access external evil.com
 skiplist+=" or test_deprecated_no_scheme"
-%pytest %{?jobs:-n %jobs} -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py
+# weird threading issues on OBS runners
+skiplist+=" or test_http2_probe_blocked_per_thread"
+# flaky test, works locally but fails in OBS with
+# TypeError: _wrap_bio() argument 'incoming' must be _ssl.MemoryBIO, not _ssl.MemoryBIO
+skiplist+=" or test_https_proxy_forwarding_for_https or test_https_headers_forwarding_for_https"
+%pytest -W ignore::DeprecationWarning %{?jobs:-n %jobs} -k "not (${skiplist})" --ignore test/with_dummyserver/test_socketlevel.py
 %endif
 
 %if ! %{with test}
@@ -124,7 +139,7 @@ skiplist+=" or test_deprecated_no_scheme"
 %license LICENSE.txt
 %doc CHANGES.rst README.md
 %{python_sitelib}/urllib3
-%{python_sitelib}/urllib3-%{version}*-info
+%{python_sitelib}/urllib3-%{version}.dist-info
 %endif
 
 %changelog