Accepting request 1287779 from devel:languages:python

- Update to 2.5.0:
  * Security issues
    Pool managers now properly control redirects when retries is passed
    (CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925)
    Redirects are now controlled by urllib3 in the Node.js runtime
    (CVE-2025-50182, GHSA-48p4-8xcf-vxj5, bsc#1244924)
  * Features
    Added support for the compression.zstd module that is new in Python 3.14.
    Added support for version 0.5 of hatch-vcs
  * Bugfixes
    Raised exception for HTTPResponse.shutdown on a connection already
    released to the pool.
    Fixed incorrect CONNECT statement when using an IPv6 proxy with
    connection_from_host. Previously would not be wrapped in [].

OBS-URL: https://build.opensuse.org/request/show/1287779
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-urllib3?expand=0&rev=72

python-urllib3.changes

@@ -1,59 +1,3 @@
--------------------------------------------------------------------
-Tue Jan 13 09:40:54 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
-
-- Update to 2.6.3
-  * Fixed a high-severity security issue where decompression-bomb safeguards of
-    the streaming API were bypassed when HTTP redirects were followed.
-    (GHSA-38jv-5279-wg99) (bsc#1256331, CVE-2026-21441)
-  * Started treating ``Retry-After`` times greater than 6 hours as 6 hours by
-    default. (#3743)
-  * Fixed ``urllib3.connection.VerifiedHTTPSConnection`` on Emscripten. (#3752)
-
--------------------------------------------------------------------
-Wed Jan  7 09:49:28 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
-
-- Update to 2.6.2
-  * Fixed HTTPResponse.read_chunked() to properly handle leftover data in the
-    decoder's buffer when reading compressed chunked responses.
-- Update to 2.6.1
-  * Restore previously removed HTTPResponse.getheaders() and
-    HTTPResponse.getheader() methods.
-- Update to 2.6.0
-  * Security:
-    - Fixed a security issue where streaming API could improperly handle highly
-      compressed HTTP content ("decompression bombs") leading to excessive
-      resource consumption even when a small amount of data was requested.
-      Reading small chunks of compressed data is safer and much more efficient
-      now. (CVE-2025-66471, GHSA-2xpw-w6gg-jr37, bsc#1254867)
-    - Fixed a security issue where an attacker could compose an HTTP response
-      with virtually unlimited links in the Content-Encoding header, potentially
-      leading to a denial of service (DoS) attack by exhausting system resources
-      during decoding. The number of allowed chained encodings is now limited to
-      5. (CVE-2025-66418, GHSA-gm62-xv2j-4w53, bsc#1254866)
-  * Features:
-    - Enabled retrieval, deletion, and membership testing in HTTPHeaderDict
-      using bytes keys.
-    - Added host and port information to string representations of
-      HTTPConnection.
-    - Added support for Python 3.14 free-threading builds explicitly.
-  * Removals:
-    - Removed the HTTPResponse.getheaders() method in favor of
-      HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default)
-      method in favor of HTTPResponse.headers.get(name, default).
-  * Bugfixes:
-    - Fixed redirect handling in urllib3.PoolManager when an integer is passed
-      for the retries parameter.
-    - Fixed HTTPConnectionPool when used in Emscripten with no explicit port.
-    - Fixed handling of SSLKEYLOGFILE with expandable variables.
-  * Misc:
-    - Changed the zstd extra to install backports.zstd instead of zstandard on
-      Python 3.13 and before.
-    - Improved the performance of content decoding by optimizing
-      BytesQueueBuffer class.
-    - Allowed building the urllib3 package with newer setuptools-scm v9.x.
-    - Ensured successful urllib3 builds by setting Hatchling requirement
-      to ≥ 1.27.0.
-
 -------------------------------------------------------------------
 Mon Jun 23 02:03:12 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
 

python-urllib3.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-urllib3
 #
-# Copyright (c) 2026 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,7 +26,7 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-urllib3%{psuffix}
-Version:        2.6.3
+Version:        2.5.0
 Release:        0
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 License:        MIT
@@ -43,13 +43,13 @@ BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 #!BuildIgnore:  python-requests
 Requires:       ca-certificates-mozilla
-Recommends:     python-Brotli >= 1.2.0
+Recommends:     python-Brotli >= 1.0.9
 Recommends:     python-PySocks >= 1.7.1
 Recommends:     python-h2 >= 4
 Recommends:     python-zstandard >= 0.18
 BuildArch:      noarch
 %if %{with test}
-BuildRequires:  %{python_module Brotli >= 1.2.0}
+BuildRequires:  %{python_module Brotli >= 1.0.9}
 BuildRequires:  %{python_module PySocks >= 1.7.1}
 BuildRequires:  %{python_module Quart >= 0.19}
 BuildRequires:  %{python_module cryptography >= 43}

urllib3-2.6.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed
-size 435556