Accepting request 1092607 from devel:languages:python
- Delete requests-no-hardcoded-version.patch
- Security Update to 2.31.0 (bsc#1211674):

  Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

  When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

  In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

  Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

  Full details can be read in our Github Security Advisory and CVE-2023-32681.

OBS-URL: https://build.opensuse.org/request/show/1092607
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-requests?expand=0&rev=79
commit
44d2d1e0e5
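As an added example (not part of this commit or of Requests itself), the check below applies the exposure conditions stated in the changelog entry: a Requests version from 2.3.0 up to but excluding 2.31.0, combined with a proxy URL that carries user info. The function names and the sample proxy mapping are assumptions made for illustration.

```python
import re
from importlib import metadata
from urllib.parse import urlsplit
from urllib.request import getproxies

# Affected range as stated in the changelog entry of this commit.
FIRST_AFFECTED = (2, 3, 0)
FIRST_FIXED = (2, 31, 0)


def parse_version(text):
    """'2.30.0' -> (2, 30, 0); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def has_userinfo(proxy_url):
    """True when the proxy URL embeds credentials (user:pass@host)."""
    if "://" not in proxy_url:
        proxy_url = "http://" + proxy_url  # bare host:port form
    return urlsplit(proxy_url).username is not None


def exposed_proxies(requests_version, proxies):
    """Return the proxy-mapping keys whose credentials could be forwarded.

    Only keys are returned, never the URLs, so the result is safe to log.
    """
    if not FIRST_AFFECTED <= parse_version(requests_version) < FIRST_FIXED:
        return []
    return sorted(k for k, url in proxies.items() if url and has_userinfo(url))


def audit_environment():
    """Check the installed Requests against proxies taken from the environment."""
    try:
        installed = metadata.version("requests")
    except metadata.PackageNotFoundError:
        return None, []
    return installed, exposed_proxies(installed, getproxies())


if __name__ == "__main__":
    # Constructed sample mapping, in the shape Requests accepts for `proxies`.
    sample = {"https": "https://user:pass@proxy:8080", "http": "http://proxy:8080"}
    print(exposed_proxies("2.30.0", sample))  # version inside the affected range
    print(exposed_proxies("2.31.0", sample))  # fixed version
    print(audit_environment())
```

Any key this reports marks a proxy credential that the changelog entry says should be rotated once the upgrade is fully deployed.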
@ -1,3 +1,30 @@
-------------------------------------------------------------------
Mon Jun 12 12:02:29 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
- Delete requests-no-hardcoded-version.patch
- Security Update to 2.31.0 (bsc#1211674):
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Full details can be read in our Github Security Advisory
and CVE-2023-32681.
-------------------------------------------------------------------
Fri May 5 12:03:42 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
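Review bot: CVE-2023-32681 appears only in the last sentence of the new entry, while the entry's heading line carries just bsc#1211674; put both identifiers on that line, e.g. `- Security Update to 2.31.0 (bsc#1211674, CVE-2023-32681):`, so the fix can be found by either reference. The body is upstream's release text pasted as-is, so "our Github Security Advisory" reads as if the packager owned the advisory and gives no link; "the upstream GitHub Security Advisory" would be clearer. The entry also states no reason for deleting requests-no-hardcoded-version.patch; one clause saying why it is no longer needed would help later readers.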
@ -26,14 +26,12 @@
%endif
%{?sle15_python_module_pythons}
Name: python-requests%{psuffix}
Version: 2.30.0
Version: 2.31.0
Release: 0
Summary: Python HTTP Library
License: Apache-2.0
URL: https://docs.python-requests.org/
Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
# PATCH-FIX-UPSTREAM: Allow charset normalizer >=2 and <4, and don't strict require httpbin===1.0.0
Patch0: requests-no-hardcoded-version.patch
BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module setuptools}
BuildRequires: fdupes
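Review bot: the Patch0 line and its PATCH-FIX-UPSTREAM comment are dropped alongside the version bump to 2.31.0, but nothing visible here shows that 2.31.0 itself allows charset normalizer >=2 and <4 or loosens the httpbin pin that the comment describes. Confirm both against the 2.31.0 sources, and check that no %patch0 or equivalent apply step remains in %prep outside this hunk's context.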
@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4
size 108411
BIN
requests-2.31.0.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
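Review bot: the removed LFS pointer exposes its sha256 oid and size, but the added requests-2.31.0.tar.gz is rendered only as "Binary file not shown", so the new tarball's digest cannot be reviewed from this page. Compare the new pointer's oid with the sha256 that PyPI publishes for requests-2.31.0.tar.gz before accepting the request.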
@ -1,27 +0,0 @@
---
requirements-dev.txt | 2 +-
setup.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,7 +1,7 @@
-e .[socks]
pytest>=2.8.0,<=6.2.5
pytest-cov
-pytest-httpbin==1.0.0
+pytest-httpbin>=1.0.0
pytest-mock==2.0.0
httpbin==0.7.0
trustme
--- a/setup.py
+++ b/setup.py
@@ -65,7 +65,7 @@ requires = [
"certifi>=2017.4.17",
]
test_requirements = [
- "pytest-httpbin==0.0.7",
+ "pytest-httpbin>=0.0.7",
"pytest-cov",
"pytest-mock",
"pytest-xdist",
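Review bot: removing this patch restores upstream's exact pytest-httpbin pins unless 2.31.0 relaxed them itself, since the patch's only changes are `==1.0.0` to `>=1.0.0` in requirements-dev.txt and `==0.0.7` to `>=0.0.7` in setup.py (2 insertions, 2 deletions per the diffstat). Check that the 2.31.0 sources no longer pin pytest-httpbin with `==` in either file, otherwise the test requirements may not resolve against the packaged pytest-httpbin. The patch also never touched charset normalizer, although the spec comment on Patch0 said it did.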