factory
- Update to 6.5.7:
## Security fixes
* CurlAsyncHTTPClient now fully resets the curl object before reusing it.
This prevents incorrectly reusing options from a previous request,
specifically including client SSL and credentials used for accessing
proxies.
* SimpleAsyncHTTPClient now strips the Authorization and Cookie headers
from the request when following a redirect to a different origin. This
matches the default behavior of CurlAsyncHTTPClient. Applications that
need different behavior here can set follow_redirects=False and handle
redirects manually. CVE-2026-49853
* SimpleAsyncHTTPClient now enforces max_body_size on the decompressed size
of the response, rather than the compressed size. This prevents a
denial-of-service attack via a very large compressed response.
CVE-2026-49855
* Fixed a bug in the C extension that could have read up to three bytes
past the end of an input array. CVE-2026-49854
* OpenIDMixin has improved parsing for the check_authentication response.
## Bug fixes
* CurlAsyncHTTPClient has been updated to use non-deprecated APIs, avoiding
deprecation warnings with recent versions of pycurl.
- Refreshed patch ignore-resourcewarning-doctests.patch
- Drop patch fix-tests-with-curl-8-19.patch, merged upstream.
OBS-URL: https://build.opensuse.org/request/show/1358805
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-tornado6?expand=0&rev=24
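
The max_body_size item above (CVE-2026-49855) comes down to counting bytes after decompression instead of before. The following is an added example, not code from Tornado or from this package: `bounded_gunzip`, `BodyTooLarge`, `split` and the sample payloads are hypothetical names and constructed inputs, using only the standard-library `zlib` and `gzip` modules.

```python
import gzip
import zlib


class BodyTooLarge(Exception):
    """Decompressed body went past the configured cap."""


def bounded_gunzip(chunks, max_body_size, step=4096):
    """Inflate gzip chunks, enforcing max_body_size on the decompressed size.

    Hypothetical helper for illustration; not Tornado's API.
    """
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    body = bytearray()
    for chunk in chunks:
        pending = chunk
        while pending:
            # max_length=step bounds the output of each call, so a small
            # compressed chunk cannot expand without limit before the check.
            body += inflater.decompress(pending, step)
            if len(body) > max_body_size:
                raise BodyTooLarge(f"decompressed body exceeds {max_body_size} bytes")
            # Input that did not fit in this step is handed back for the next call.
            pending = inflater.unconsumed_tail
    body += inflater.flush()
    if len(body) > max_body_size:
        raise BodyTooLarge(f"decompressed body exceeds {max_body_size} bytes")
    return bytes(body)


def split(payload, size=1024):
    """Cut a payload into network-sized chunks (constructed test input)."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


# Constructed sample inputs: a normal response and a highly compressible one.
LIMIT = 1_000_000
SMALL = gzip.compress(b"hello world")
BOMB = gzip.compress(b"\0" * 5_000_000)

if __name__ == "__main__":
    print("small body:", bounded_gunzip(split(SMALL), LIMIT))
    # A check on the compressed size alone would accept this response.
    print("compressed size of large body:", len(BOMB), "limit:", LIMIT)
    try:
        bounded_gunzip(split(BOMB), LIMIT)
    except BodyTooLarge as exc:
        print("rejected:", exc)
```

Memory use stays within `max_body_size + step` bytes because the check runs after every bounded decompression step rather than once at the end.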