From ab88c497a466672cdd81c1aadd55c0ca19c4ccfe547d40195b409b63d9444ed6 Mon Sep 17 00:00:00 2001 
From: Steve Kowalik
Date: Mon, 10 Feb 2025 04:57:19 +0000
Subject: [PATCH] - Update to 11.1.2:
  * CVE-2025-23217: mitmweb's API now requires an authentication token by default. The mitmweb API is bound to localhost only, but @gronke found that an attacker can circumvent that restriction by tunneling requests through the proxy server itself in an SSRF-style attack. (fa89055, @mhils) (bsc#1236890)
  * Add (optional) password protection for mitmweb. The web_password option replaces the randomly-generated token authentication with a fixed secret that survives mitmproxy restarts. (0bd573a, @mhils)
  * mitmweb can now be hosted under arbitrary domains, the previously-used DNS rebind protection is not required anymore. (62693af, @mhils)
  * Security Hardening: mitmweb's xsrf_token cookie is now HttpOnly; SameSite=Strict. (#7491, @mhils)
  * Fix console freezing due to DNS queries with an empty question section. (#7497, @sujaldev)
  * Fixed a bug that caused mitmproxy to crash when loading prior knowledge h2 flows. (#7514, @sujaldev)
  * Fix a bug where mitmproxy would get stuck in secure web proxy mode when using ignore_hosts or allow_hosts. (#7519, @mhils)
  * Copy request/response data to the clipboard in mitmweb (#7352, @lups2000)
  * Fix a bug where exporting a curl or httpie command with escaped characters would lead to different data being sent. (#7520, @proteusvacuum)
  * Local Capture Mode is now available on Linux as well. (#7440, @mhils)
  * mitmproxy now requires Python 3.12 or above. (#7440, @mhils)
  * Add cache-busting for mitmweb's front end code. (#7386, @mhils)
  * Clicking the URL in mitmweb now places the cursor at the current position instead of selecting the entire URL. (#7385, @lups2000)
  * Add missing status codes (#7455, @jwadolowski)
  * All filter expressions are now case-insensitive by default.
Users can OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-mitmproxy?expand=0&rev=24 --- mitmproxy-11.0.0.tar.gz | 3 -- mitmproxy-11.1.2.tar.gz | 3 ++ python-mitmproxy.changes | 70 ++++++++++++++++++++++++++++++++++++++++ python-mitmproxy.spec | 57 ++++++++++++++------------------ 4 files changed, 98 insertions(+), 35 deletions(-) delete mode 100644 mitmproxy-11.0.0.tar.gz create mode 100644 mitmproxy-11.1.2.tar.gz diff --git a/mitmproxy-11.0.0.tar.gz b/mitmproxy-11.0.0.tar.gz deleted file mode 100644 index f0b123e..0000000 --- a/mitmproxy-11.0.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4852952008229292b649c80dcc708f24de0eebb6a8d1aabe8b0c79a735d58f13 -size 31024600 diff --git a/mitmproxy-11.1.2.tar.gz b/mitmproxy-11.1.2.tar.gz new file mode 100644 index 0000000..b74729d --- /dev/null +++ b/mitmproxy-11.1.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c3e47913f4b1ad4784bffbd2d2952ba456fe32e3dfd2da43a78f240b04653792 +size 31039774 diff --git a/python-mitmproxy.changes b/python-mitmproxy.changes index 7cc9557..435f4a8 100644 --- a/python-mitmproxy.changes +++ b/python-mitmproxy.changes 
@@ -1,3 +1,73 @@ +------------------------------------------------------------------- +Mon Feb 10 04:57:07 UTC 2025 - Steve Kowalik + +- Update to 11.1.2: + * CVE-2025-23217: mitmweb's API now requires an authentication token by + default. The mitmweb API is bound to localhost only, but @gronke found + that an attacker can circumvent that restriction by tunneling requests + through the proxy server itself in an SSRF-style attack. + (fa89055, @mhils) (bsc#1236890) + * Add (optional) password protection for mitmweb. The web_password option + replaces the randomly-generated token authentication with a fixed secret + that survives mitmproxy restarts. (0bd573a, @mhils) + * mitmweb can now be hosted under arbitrary domains, the previously-used + DNS rebind protection is not required anymore. (62693af, @mhils) + * Security Hardening: mitmweb's xsrf_token cookie is now HttpOnly; + SameSite=Strict. (#7491, @mhils) + * Fix console freezing due to DNS queries with an empty question + section. (#7497, @sujaldev) + * Fixed a bug that caused mitmproxy to crash when loading prior knowledge + h2 flows. (#7514, @sujaldev) + * Fix a bug where mitmproxy would get stuck in secure web proxy mode when + using ignore_hosts or allow_hosts. (#7519, @mhils) + * Copy request/response data to the clipboard in mitmweb (#7352, @lups2000) + * Fix a bug where exporting a curl or httpie command with escaped + characters would lead to different data being sent. + (#7520, @proteusvacuum) + * Local Capture Mode is now available on Linux as well. (#7440, @mhils) + * mitmproxy now requires Python 3.12 or above. (#7440, @mhils) + * Add cache-busting for mitmweb's front end code. (#7386, @mhils) + * Clicking the URL in mitmweb now places the cursor at the current + position instead of selecting the entire URL. (#7385, @lups2000) + * Add missing status codes (#7455, @jwadolowski) + * All filter expressions are now case-insensitive by default. 
Users can + opt into case-sensitive filters by setting + MITMPROXY_CASE_SENSITIVE_FILTERS=1 as an environment variable. + (#7458, @mhils, @AdityaPatadiya) + * Remove filter expression lowercasing in block_list addon + (#7456, @jwadolowski) + * Remove check for status codes in the blocklist add-on. + (#7453, @lups2000, @AdityaPatadiya) + * Prompt user before clearing screen (#7445, @errorxyz) + * Stop sorting keys in JSON contentview (#7346, @injust) + * Fix a bug where a custom CA would raise an error. (#7355, @nneonneo) + * Fix a bug where the mitmproxy UI would crash on negative durations. + (#7358, @mhils) + * Allow technically invalid HTTP transfer encodings in requests if + validate_inbound_headers is disabled. (#7361, #7373, @mhils) + * Fix a bug in windows management in mitmproxy TUI whereby the help window + does not appear if "?" is pressed within the overlay + (#6500, @emanuele-em) + * Tighten HTTP detection heuristic to better support custom TCP-based + protocols. (#7228, @fatanugraha) + * Implement stricter validation of HTTP headers to harden against request + smuggling attacks. (#7345, @mhils) + * Increase HTTP/2 default flow control window size, fixing performance + issues. (#7317, @sujaldev) + * Fix a bug where mitmproxy would incorrectly report that TLS 1.0 and 1.1 + are not supported with the current OpenSSL build. (#7241, @mhils) + * Add a tun proxy mode that creates a virtual network device on Linux for + transparent proxying. (#7278, @mhils) + * browser.start command now supports Firefox. (#7239, @sujaldev) + * Fix interaction of the modify_headers and stream_large_bodies options. + This may break users of modify_headers that rely on filters referencing + the message body. We expect this to be uncommon, but please make + yourself heard if that's not the case. (#7286, @lukant) + * Fix a crash when handling corrupted compressed body in savehar addon and + its tests. 
(#7320, @8192bytes) + * Remove dependency on protobuf library as it was no longer being + used. (#7327, @matthew16550) + ------------------------------------------------------------------- Fri Oct 18 00:32:15 UTC 2024 - Joshua Smith diff --git a/python-mitmproxy.spec b/python-mitmproxy.spec index 0d9550e..cf5b7df 100644 --- a/python-mitmproxy.spec +++ b/python-mitmproxy.spec @@ -1,7 +1,7 @@ # # spec file for package python-mitmproxy # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,85 +17,77 @@ %{?sle15_python_module_pythons} -%define skip_python39 1 +# Upstream only supports Python 3.12+! +%define skip_python311 1 Name: python-mitmproxy -Version: 11.0.0 +Version: 11.1.2 Release: 0 Summary: An interactive, SSL/TLS-capable intercepting proxy License: MIT -Group: Development/Languages/Python URL: https://mitmproxy.org Source: https://github.com/mitmproxy/mitmproxy/archive/refs/tags/v%{version}.tar.gz#/mitmproxy-%{version}.tar.gz BuildRequires: %{python_module Brotli >= 1.0} -BuildRequires: %{python_module Flask >= 1.1.1} -BuildRequires: %{python_module aioquic >= 0.9.4} +BuildRequires: %{python_module Flask >= 3.0} +BuildRequires: %{python_module aioquic >= 1.1.0} +BuildRequires: %{python_module argon2-cffi >= 23.1.0} BuildRequires: %{python_module asgiref >= 3.2.10} BuildRequires: %{python_module certifi >= 2019.9.11} -BuildRequires: %{python_module click >= 7.0} -BuildRequires: %{python_module cryptography >= 38.0} +BuildRequires: %{python_module cryptography >= 42.0} BuildRequires: %{python_module h11 >= 0.11} BuildRequires: %{python_module h2 >= 4.1} BuildRequires: %{python_module hyperframe >= 6.0} BuildRequires: %{python_module hypothesis >= 5.8} BuildRequires: %{python_module kaitaistruct >= 0.10} BuildRequires: %{python_module ldap3 >= 2.8} -BuildRequires: %{python_module mitmproxy-rs >= 0.5.1} -BuildRequires: %{python_module mitmproxy-wireguard >= 0.1.6} +BuildRequires: %{python_module mitmproxy-rs >= 0.11} BuildRequires: %{python_module msgpack >= 1.0.0} BuildRequires: %{python_module parver >= 0.1} BuildRequires: %{python_module passlib >= 1.6.5} BuildRequires: %{python_module pip} -BuildRequires: %{python_module protobuf >= 3.14} BuildRequires: %{python_module publicsuffix2 >= 2.20190812} BuildRequires: %{python_module pyOpenSSL >= 22.1} BuildRequires: %{python_module pyparsing >= 2.4.2} -BuildRequires: %{python_module pyperclip >= 1.6.0} +BuildRequires: %{python_module pyperclip >= 1.9.0} BuildRequires: %{python_module 
pytest >= 6.1.0} BuildRequires: %{python_module pytest-asyncio >= 0.17.0} BuildRequires: %{python_module requests >= 2.9.1} BuildRequires: %{python_module ruamel.yaml >= 0.16} BuildRequires: %{python_module setuptools} BuildRequires: %{python_module sortedcontainers >= 2.3} -BuildRequires: %{python_module tornado >= 6.1} -BuildRequires: %{python_module typing_extensions >= 4.3 if %python-base < 3.11} -BuildRequires: %{python_module urwid >= 2.1.1} +BuildRequires: %{python_module tornado >= 6.4} +BuildRequires: %{python_module urwid >= 2.6.14} BuildRequires: %{python_module wheel} BuildRequires: %{python_module wsproto >= 1.0} -BuildRequires: %{python_module zstandard >= 0.11} +BuildRequires: %{python_module zstandard >= 0.15} BuildRequires: fdupes BuildRequires: python-rpm-macros Requires: python-Brotli >= 1.0 -Requires: python-Flask >= 1.1.1 -Requires: python-aioquic >= 0.9.4 +Requires: python-Flask >= 3.0 +Requires: python-aioquic >= 1.1.0 +Requires: python-argon2-cffi >= 23.1.0 Requires: python-asgiref >= 3.2.10 Requires: python-certifi >= 2019.9.11 -Requires: python-click >= 7.0 -Requires: python-cryptography >= 38.0 +Requires: python-cryptography >= 42.0 Requires: python-h11 >= 0.11 Requires: python-h2 >= 4.1 Requires: python-hyperframe >= 6.0 Requires: python-kaitaistruct >= 0.10 Requires: python-ldap3 >= 2.8 -Requires: python-mitmproxy-rs >= 0.5.1 -Requires: python-mitmproxy-wireguard >= 0.1.6 +Requires: python-mitmproxy-rs >= 0.11 Requires: python-msgpack >= 1.0.0 Requires: python-passlib >= 1.6.5 -Requires: python-protobuf >= 3.14 Requires: python-publicsuffix2 >= 2.20190812 Requires: python-pyOpenSSL >= 22.1 Requires: python-pyparsing >= 2.4.2 -Requires: python-pyperclip >= 1.6.0 +Requires: python-pyperclip >= 1.9.0 Requires: python-ruamel.yaml >= 0.16 Requires: python-sortedcontainers >= 2.3 -Requires: python-tornado >= 6.1 -Requires: python-urwid >= 2.1.1 +Requires: python-tornado >= 6.4 +Requires: python-urwid >= 2.6.14 Requires: python-wsproto >= 1.0 
-Requires: python-zstandard >= 0.11 +Requires: python-zstandard >= 0.15 Requires(post): update-alternatives Requires(postun): update-alternatives -%if 0%{?python_version_nodots} < 311 -Requires: python-typing_extensions >= 4.3 -%endif BuildArch: noarch %python_subpackages @@ -135,7 +127,8 @@ hypothesis.settings.register_profile( # test_refresh fails on i586... wrong timestamp type, maybe? # test_rollback and test_output[None-expected_out0-expected_err0] just randomly fail on i586 # test_dns and test_name_servers require networking -%pytest -k "not (test_refresh or test_rollback or test_output or test_name_servers or test_dns)" --hypothesis-profile="obs" +# test_tun_mode requires root to create a TUN device +%pytest -k "not (test_refresh or test_rollback or test_output or test_name_servers or test_dns or test_tun_mode)" --hypothesis-profile="obs" %post %python_install_alternative mitmdump @@ -151,7 +144,7 @@ hypothesis.settings.register_profile( %doc README.md CHANGELOG.md %license LICENSE %{python_sitelib}/mitmproxy -%{python_sitelib}/mitmproxy-%{version}*-info +%{python_sitelib}/mitmproxy-%{version}.dist-info %python_alternative %{_bindir}/mitmdump %python_alternative %{_bindir}/mitmproxy %python_alternative %{_bindir}/mitmweb
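Review bot: the new LFS pointer for mitmproxy-11.1.2.tar.gz (`oid sha256:c3e47913f4b1ad4784bffbd2d2952ba456fe32e3dfd2da43a78f240b04653792`, `size 31039774`) is not tied to anything in this commit that verifies it against upstream, and the spec's `Source:` is a GitHub auto-generated archive (`https://github.com/mitmproxy/mitmproxy/archive/refs/tags/v%{version}.tar.gz`), which GitHub does not guarantee to be byte-stable across re-generation. Consider noting in the changes entry how the tarball was obtained and checked, or pointing `Source:` at an upstream release artifact that ships a checksum or signature so the recorded sha256 can be reproduced by a reviewer.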
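Review bot: the new python-mitmproxy.changes entry only reproduces upstream's release notes; the packaging changes made in python-mitmproxy.spec by this same commit are not mentioned anywhere (replacing `%define skip_python39 1` with `%define skip_python311 1`, dropping the `Group:` tag, removing the click, protobuf, mitmproxy-wireguard and typing_extensions dependencies, adding argon2-cffi, and excluding test_tun_mode from `%pytest`). Add a short packaging sub-list to the entry so that someone reading the changelog can see why the python311 flavor disappears and why the dependency set changed.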
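Review bot: in the `@@ -17,85 +17,77 @@` hunk, `%define skip_python311 1` sits directly under `%{?sle15_python_module_pythons}`; if that macro selects the python311 flavor on SLE 15 / Leap targets, the package will have no flavor left to build there, so confirm a binary is still produced or disable those targets explicitly. Also, the old `%define skip_python39 1` was replaced rather than extended, so any python39 or python310 flavor still present in a build set will now be attempted even though the comment states "Upstream only supports Python 3.12+!"; keeping `skip_python39`/`skip_python310` alongside `skip_python311` would make the constraint explicit instead of relying on the flavor set.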
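Review bot: in the `@@ -135,7 +127,8 @@` hunk, the added comment (`# test_tun_mode requires root to create a TUN device`) is the right way to document the exclusion, but note that `-k` matches substrings, so `test_tun_mode`, like the existing `test_dns`, will also deselect any other test whose name contains that string; if the exclusion list keeps growing, consider narrowing the expression with the test module path (`--deselect path::test`) so unrelated tests are not silently skipped.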