Accepting request 1297619 from devel:languages:python

- Do not ignore deprecation warnings, the testsuite explicitly
  clears all warnings multiple times.
- Add patch filter-pyopenssl-deprecationwarning.patch:
  * Explicitly filter out new DeprecationWarnings raised by PyOpenSSL 25.1+
old: openSUSE:Factory/python-urllib3_1
new: devel:languages:python/python-urllib3_1 rev None
Index: python-urllib3_1.changes
===================================================================
--- python-urllib3_1.changes (revision 11)
+++ python-urllib3_1.changes (revision 30)
@@ -1,4 +1,17 @@
 -------------------------------------------------------------------
+Tue Aug  5 05:58:09 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Do not ignore deprecation warnings, the testsuite explicitly
+  clears all warnings multiple times.
+- Add patch filter-pyopenssl-deprecationwarning.patch:
+  * Explicitly filter out new DeprecationWarnings raised by PyOpenSSL 25.1+
+
+-------------------------------------------------------------------
+Thu Jul 17 20:28:07 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- ignore deprecation warnings
+
+-------------------------------------------------------------------
 Wed Jun 25 05:18:37 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
 
 - Add patch CVE-2025-50181-poolmanager-redirects.patch:
@@ -71,7 +84,7 @@
 -------------------------------------------------------------------
 Mon May 15 13:52:10 UTC 2023 - Dirk Müller <dmueller@suse.com>
 
-- rename to python-urllib3_1 
+- rename to python-urllib3_1
 
 -------------------------------------------------------------------
 Fri Apr 21 12:38:19 UTC 2023 - Dirk Müller <dmueller@suse.com>
@@ -198,7 +211,7 @@
 
 - update to 1.26.6
   * Deprecated the urllib3.contrib.ntlmpool module.
-  * Changed HTTPConnection.request_chunked() to not erroneously emit multiple 
+  * Changed HTTPConnection.request_chunked() to not erroneously emit multiple
     Transfer-Encoding headers in the case that one is already specified.
   * Fixed typo in deprecation message to recommend Retry.DEFAULT_ALLOWED_METHODS.
 
@@ -280,7 +293,7 @@
     ``Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT``, and ``Retry(allowed_methods=...)``
     (Pull #2000) **Starting in urllib3 v2.0: Deprecated options will be removed**
   * Added default ``User-Agent`` header to every request (Pull #1750)
-  * Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``, 
+  * Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``,
     and ``Host`` headers from being automatically emitted with requests (Pull #2018)
   * Collapse ``transfer-encoding: chunked`` request data and framing into
     the same ``socket.send()`` call (Pull #1906)
@@ -573,7 +586,7 @@
 - add 1414.patch - fix tests with new tornado
 - refresh python-urllib3-recent-date.patch
 - drop urllib3-test-no-coverage.patch
- * Allow providing a list of headers to strip from requests when redirecting 
+ * Allow providing a list of headers to strip from requests when redirecting
    to a different host. Defaults to the Authorization header. Different
    headers can be set via Retry.remove_headers_on_redirect.
  * Fix util.selectors._fileobj_to_fd to accept long
@@ -921,9 +934,9 @@
   * pyopenssl: Support for TLSv1.1 and TLSv1.2. (Issue #696)
   * Close connections more defensively on exception. (Issue #734)
   * Adjusted read_chunked to handle gzipped, chunk-encoded bodies
-    without repeatedly flushing the decoder, to function better on 
+    without repeatedly flushing the decoder, to function better on
     Jython. (Issue #743)
-  * Accept ca_cert_dir for SSL-related PoolManager configuration. 
+  * Accept ca_cert_dir for SSL-related PoolManager configuration.
     (Issue #758)
 
 - removed ready-event.patch: applied upstream
@@ -963,12 +976,12 @@
 -------------------------------------------------------------------
 Tue Oct  6 15:03:05 UTC 2015 - hpj@urpla.net
 
-- add python-pyOpenSSL, python-certifi and python-pyasn1 requirements 
+- add python-pyOpenSSL, python-certifi and python-pyasn1 requirements
 
 -------------------------------------------------------------------
 Tue Oct  6 12:46:25 UTC 2015 - hpj@urpla.net
 
-- Comment out test requirements, as tests are disabled anyway, and 
+- Comment out test requirements, as tests are disabled anyway, and
   one of these packages depend on python-requests, which depends on
   this package resulting in a circular dependency for openSUSE <= 13.1
 
@@ -978,9 +991,9 @@
 - Update to version 1.12
   * Rely on six for importing httplib to work around conflicts with
     other Python 3 shims. (Issue #688)
-  * Add support for directories of certificate authorities, as 
+  * Add support for directories of certificate authorities, as
     supported by OpenSSL. (Issue #701)
-  * New exception: NewConnectionError, raised when we fail to 
+  * New exception: NewConnectionError, raised when we fail to
     establish a new connection, usually ECONNREFUSED socket error.
 - Fix version dependencies
 - Add new build requirements following upstream changes
@@ -988,7 +1001,7 @@
   * python-tox
   * python-twine
   * python-wheel
-- Update 0001-Don-t-pin-dependency-to-exact-version.patch 
+- Update 0001-Don-t-pin-dependency-to-exact-version.patch
 - Disable tests for now, as there require network
 
 -------------------------------------------------------------------
@@ -998,42 +1011,42 @@
 - Rebase 0001-Don-t-pin-dependency-to-exact-version.patch and
   urllib3-test-no-coverage.patch
 - Update to version 1.9 (2014-07-04)
-  * Shuffled around development-related files. 
-    If you're maintaining a distro package of urllib3, you may need 
+  * Shuffled around development-related files.
+    If you're maintaining a distro package of urllib3, you may need
     to tweak things. (Issue #415)
-  * Unverified HTTPS requests will trigger a warning on the first 
+  * Unverified HTTPS requests will trigger a warning on the first
     request. See our new security documentation for details.
     (Issue #426)
-  * New retry logic and urllib3.util.retry.Retry configuration 
+  * New retry logic and urllib3.util.retry.Retry configuration
     object. (Issue #326)
-  * All raised exceptions should now wrapped in a 
-    urllib3.exceptions.HTTPException-extending exception. 
+  * All raised exceptions should now wrapped in a
+    urllib3.exceptions.HTTPException-extending exception.
     (Issue #326)
   * All errors during a retry-enabled request should be wrapped in
-    urllib3.exceptions.MaxRetryError, including timeout-related 
-    exceptions which were previously exempt. Underlying error is 
+    urllib3.exceptions.MaxRetryError, including timeout-related
+    exceptions which were previously exempt. Underlying error is
     accessible from the .reason propery. (Issue #326)
-  * urllib3.exceptions.ConnectionError renamed to 
+  * urllib3.exceptions.ConnectionError renamed to
     urllib3.exceptions.ProtocolError. (Issue #326)
   * Errors during response read (such as IncompleteRead) are now
     wrapped in urllib3.exceptions.ProtocolError. (Issue #418)
-  * Requesting an empty host will raise 
+  * Requesting an empty host will raise
     urllib3.exceptions.LocationValueError. (Issue #417)
-  * Catch read timeouts over SSL connections as 
+  * Catch read timeouts over SSL connections as
     urllib3.exceptions.ReadTimeoutError. (Issue #419)
   * Apply socket arguments before connecting. (Issue #427)
 - Update to version 1.8.3 (2014-06-23)
-  * Fix TLS verification when using a proxy in Python 3.4.1. 
+  * Fix TLS verification when using a proxy in Python 3.4.1.
     (Issue #385)
-  * Add disable_cache option to urllib3.util.make_headers. 
+  * Add disable_cache option to urllib3.util.make_headers.
     (Issue #393)
-  * Wrap socket.timeout exception with 
+  * Wrap socket.timeout exception with
     urllib3.exceptions.ReadTimeoutError. (Issue #399)
-  * Fixed proxy-related bug where connections were being reused 
+  * Fixed proxy-related bug where connections were being reused
     incorrectly. (Issues #366, #369)
-  * Added socket_options keyword parameter which allows to define 
+  * Added socket_options keyword parameter which allows to define
     setsockopt configuration of new sockets. (Issue #397)
-  * Removed HTTPConnection.tcp_nodelay in favor of 
+  * Removed HTTPConnection.tcp_nodelay in favor of
     HTTPConnection.default_socket_options. (Issue #397)
   * Fixed TypeError bug in Python 2.6.4. (Issue #411)
 - Update to version 1.8.2 (2014-04-17)
@@ -1041,7 +1054,7 @@
 - Update to version 1.8.1 (2014-04-17)
   * Fix AppEngine bug of HTTPS requests going out as HTTP.
     (Issue #356)
-  * Don't install dummyserver into site-packages as it's only 
+  * Don't install dummyserver into site-packages as it's only
     needed for the test suite. (Issue #362)
   * Added support for specifying source_address. (Issue #352)
 
Index: python-urllib3_1.spec
===================================================================
--- python-urllib3_1.spec (revision 11)
+++ python-urllib3_1.spec (revision 30)
@@ -1,7 +1,7 @@
 #
 # spec file for package python-urllib3_1
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,6 +37,8 @@
 Patch0:         remove_mock.patch
 # PATCH-FIX-UPSTREAM CVE-2025-50181 gh#urllib3/urllib3@f05b1329126d, bsc#1244925
 Patch1:         CVE-2025-50181-poolmanager-redirects.patch
+# PATCH-FIX-OPENSUSE Explicitly ignore new DeprecationWarning from PyOpenSSL 25.1+
+Patch2:         filter-pyopenssl-deprecationwarning.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
Index: filter-pyopenssl-deprecationwarning.patch
===================================================================
--- filter-pyopenssl-deprecationwarning.patch (added)
+++ filter-pyopenssl-deprecationwarning.patch (revision 30)
@@ -0,0 +1,133 @@
+Index: urllib3-1.26.20/test/with_dummyserver/test_https.py
+===================================================================
+--- urllib3-1.26.20.orig/test/with_dummyserver/test_https.py
++++ urllib3-1.26.20/test/with_dummyserver/test_https.py
+@@ -215,6 +215,10 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             assert conn.__class__ == VerifiedHTTPSConnection
+ 
+             with warnings.catch_warnings(record=True) as w:
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                warnings.filterwarnings(
++                    "ignore", message="Attempting to mutate a Context after", category=DeprecationWarning
++                )
+                 r = https_pool.request("GET", "/")
+                 assert r.status == 200
+ 
+@@ -245,6 +249,13 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                 r = https_pool.request("GET", "/")
+                 assert r.status == 200
+ 
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                calls = warn.call_args_list
++                calls = [
++                    call for call in calls if call[0][1] != DeprecationWarning and
++                    not call[0][0].startswith("Attempting to mutate a Context")
++                ]
++
+                 # Modern versions of Python, or systems using PyOpenSSL, don't
+                 # emit warnings.
+                 if (
+@@ -252,7 +263,7 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                     or util.IS_PYOPENSSL
+                     or util.IS_SECURETRANSPORT
+                 ):
+-                    assert not warn.called, warn.call_args_list
++                    assert not calls
+                 else:
+                     assert warn.called
+                     if util.HAS_SNI:
+@@ -274,6 +285,13 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                 r = https_pool.request("GET", "/")
+                 assert r.status == 200
+ 
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                calls = warn.call_args_list
++                calls = [
++                    call for call in calls if call[0][1] != DeprecationWarning and
++                    not call[0][0].startswith("Attempting to mutate a Context")
++                ]
++
+                 # Modern versions of Python, or systems using PyOpenSSL, don't
+                 # emit warnings.
+                 if (
+@@ -281,7 +299,7 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                     or util.IS_PYOPENSSL
+                     or util.IS_SECURETRANSPORT
+                 ):
+-                    assert not warn.called, warn.call_args_list
++                    assert not calls
+                 else:
+                     assert warn.called
+                     if util.HAS_SNI:
+@@ -306,6 +324,10 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             assert conn.__class__ == VerifiedHTTPSConnection
+ 
+             with warnings.catch_warnings(record=True) as w:
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                warnings.filterwarnings(
++                    "ignore", message="Attempting to mutate a Context after", category=DeprecationWarning
++                )
+                 r = https_pool.request("GET", "/")
+                 assert r.status == 200
+ 
+@@ -412,6 +434,12 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                 # warnings, which we want to ignore here.
+                 calls = warn.call_args_list
+ 
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                calls = [
++                    call for call in calls if call[0][1] != DeprecationWarning and
++                    not call[0][0].startswith("Attempting to mutate a Context")
++                ]
++
+                 # If we're using a deprecated TLS version we can remove 'DeprecationWarning'
+                 if self.tls_protocol_deprecated():
+                     calls = [call for call in calls if call[0][1] != DeprecationWarning]
+@@ -687,6 +715,11 @@ class TestHTTPS(HTTPSDummyServerTestCase
+     def _request_without_resource_warnings(self, method, url):
+         with warnings.catch_warnings(record=True) as w:
+             warnings.simplefilter("always")
++            # Filter PyOpenSSL 25.1+ DeprecationWarning
++            warnings.filterwarnings(
++                "ignore", message="Attempting to mutate a Context after",
++                category=DeprecationWarning
++            )
+             with HTTPSConnectionPool(
+                 self.host, self.port, ca_certs=DEFAULT_CA
+             ) as https_pool:
+@@ -742,6 +775,11 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             conn = https_pool._get_conn()
+             try:
+                 with warnings.catch_warnings(record=True) as w:
++                    # Filter PyOpenSSL 25.1+ DeprecationWarning
++                    warnings.filterwarnings(
++                        "ignore", message="Attempting to mutate a Context after",
++                        category=DeprecationWarning
++                    )
+                     conn.connect()
+                     if not hasattr(conn.sock, "version"):
+                         pytest.skip("SSLSocket.version() not available")
+@@ -769,6 +807,11 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             conn = https_pool._get_conn()
+             try:
+                 with warnings.catch_warnings(record=True) as w:
++                    # Filter PyOpenSSL 25.1+ DeprecationWarning
++                    warnings.filterwarnings(
++                        "ignore", message="Attempting to mutate a Context after",
++                        category=DeprecationWarning
++                    )
+                     conn.connect()
+             finally:
+                 conn.close()
+@@ -788,6 +831,11 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             conn = https_pool._get_conn()
+             try:
+                 with warnings.catch_warnings(record=True) as w:
++                    # Filter PyOpenSSL 25.1+ DeprecationWarning
++                    warnings.filterwarnings(
++                        "ignore", message="Attempting to mutate a Context after",
++                        category=DeprecationWarning
++                    )
+                     conn.connect()
+             finally:
+                 conn.close()

OBS-URL: https://build.opensuse.org/request/show/1297619
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-urllib3_1?expand=0&rev=12

CVE-2025-50181-poolmanager-redirects.patch

@@ -0,0 +1,230 @@
+From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 18 Jun 2025 16:25:01 +0300
+Subject: [PATCH] Merge commit from fork
+
+* Apply Quentin's suggestion
+
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+
+* Add tests for disabled redirects in the pool manager
+
+* Add a possible fix for the issue with not raised `MaxRetryError`
+
+* Make urllib3 handle redirects instead of JS when JSPI is used
+
+* Fix info in the new comment
+
+* State that redirects with XHR are not controlled by urllib3
+
+* Remove excessive params from new test requests
+
+* Add tests reaching max non-0 redirects
+
+* Test redirects with Emscripten
+
+* Fix `test_merge_pool_kwargs`
+
+* Add a changelog entry
+
+* Parametrize tests
+
+* Drop a fix for Emscripten
+
+* Apply Seth's suggestion to docs
+
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+* Use a minor release instead of the patch one
+
+---------
+
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+---
+ CHANGES.rst                                |   9 ++
+ docs/reference/contrib/emscripten.rst      |   2 +-
+ dummyserver/app.py                         |   1 +
+ src/urllib3/poolmanager.py                 |  18 +++-
+ test/contrib/emscripten/test_emscripten.py |  16 ++++
+ test/test_poolmanager.py                   |   5 +-
+ test/with_dummyserver/test_poolmanager.py  | 101 +++++++++++++++++++++
+ 7 files changed, 148 insertions(+), 4 deletions(-)
+
+Index: urllib3-1.26.20/src/urllib3/poolmanager.py
+===================================================================
+--- urllib3-1.26.20.orig/src/urllib3/poolmanager.py
++++ urllib3-1.26.20/src/urllib3/poolmanager.py
+@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
+ 
+     def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+         RequestMethods.__init__(self, headers)
++        if "retries" in connection_pool_kw:
++            retries = connection_pool_kw["retries"]
++            if not isinstance(retries, Retry):
++                # When Retry is initialized, raise_on_redirect is based
++                # on a redirect boolean value.
++                # But requests made via a pool manager always set
++                # redirect to False, and raise_on_redirect always ends
++                # up being False consequently.
++                # Here we fix the issue by setting raise_on_redirect to
++                # a value needed by the pool manager without considering
++                # the redirect boolean.
++                raise_on_redirect = retries is not False
++                retries = Retry.from_int(retries, redirect=False)
++                retries.raise_on_redirect = raise_on_redirect
++                connection_pool_kw = connection_pool_kw.copy()
++                connection_pool_kw["retries"] = retries
+         self.connection_pool_kw = connection_pool_kw
+         self.pools = RecentlyUsedContainer(num_pools)
+ 
+@@ -389,7 +405,7 @@ class PoolManager(RequestMethods):
+             kw["body"] = None
+             kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+ 
+-        retries = kw.get("retries")
++        retries = kw.get("retries", response.retries)
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
+Index: urllib3-1.26.20/test/test_poolmanager.py
+===================================================================
+--- urllib3-1.26.20.orig/test/test_poolmanager.py
++++ urllib3-1.26.20/test/test_poolmanager.py
+@@ -326,9 +326,10 @@ class TestPoolManager(object):
+ 
+     def test_merge_pool_kwargs(self):
+         """Assert _merge_pool_kwargs works in the happy case"""
+-        p = PoolManager(strict=True)
++        retries = retry.Retry(total=100)
++        p = PoolManager(strict=True, retries=retries)
+         merged = p._merge_pool_kwargs({"new_key": "value"})
+-        assert {"strict": True, "new_key": "value"} == merged
++        assert {"retries": retries, "strict": True, "new_key": "value"} == merged
+ 
+     def test_merge_pool_kwargs_none(self):
+         """Assert false-y values to _merge_pool_kwargs result in defaults"""
+Index: urllib3-1.26.20/test/with_dummyserver/test_poolmanager.py
+===================================================================
+--- urllib3-1.26.20.orig/test/with_dummyserver/test_poolmanager.py
++++ urllib3-1.26.20/test/with_dummyserver/test_poolmanager.py
+@@ -82,6 +82,94 @@ class TestPoolManager(HTTPDummyServerTes
+             assert r.status == 200
+             assert r.data == b"Dummy server!"
+ 
++    @pytest.mark.parametrize(
++        "retries",
++        (0, Retry(total=0), Retry(redirect=0), Retry(total=0, redirect=0)),
++    )
++    def test_redirects_disabled_for_pool_manager_with_0(
++        self, retries: typing.Literal[0] | Retry
++    ) -> None:
++        """
++        Check handling redirects when retries is set to 0 on the pool
++        manager.
++        """
++        with PoolManager(retries=retries) as http:
++            with pytest.raises(MaxRetryError):
++                http.request("GET", f"{self.base_url}/redirect")
++
++            # Setting redirect=True should not change the behavior.
++            with pytest.raises(MaxRetryError):
++                http.request("GET", f"{self.base_url}/redirect", redirect=True)
++
++            # Setting redirect=False should not make it follow the redirect,
++            # but MaxRetryError should not be raised.
++            response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
++            assert response.status == 303
++
++    @pytest.mark.parametrize(
++        "retries",
++        (
++            False,
++            Retry(total=False),
++            Retry(redirect=False),
++            Retry(total=False, redirect=False),
++        ),
++    )
++    def test_redirects_disabled_for_pool_manager_with_false(
++        self, retries: typing.Literal[False] | Retry
++    ) -> None:
++        """
++        Check that setting retries set to False on the pool manager disables
++        raising MaxRetryError and redirect=True does not change the
++        behavior.
++        """
++        with PoolManager(retries=retries) as http:
++            response = http.request("GET", f"{self.base_url}/redirect")
++            assert response.status == 303
++
++            response = http.request("GET", f"{self.base_url}/redirect", redirect=True)
++            assert response.status == 303
++
++            response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
++            assert response.status == 303
++
++    def test_redirects_disabled_for_individual_request(self) -> None:
++        """
++        Check handling redirects when they are meant to be disabled
++        on the request level.
++        """
++        with PoolManager() as http:
++            # Check when redirect is not passed.
++            with pytest.raises(MaxRetryError):
++                http.request("GET", f"{self.base_url}/redirect", retries=0)
++            response = http.request("GET", f"{self.base_url}/redirect", retries=False)
++            assert response.status == 303
++
++            # Check when redirect=True.
++            with pytest.raises(MaxRetryError):
++                http.request(
++                    "GET", f"{self.base_url}/redirect", retries=0, redirect=True
++                )
++            response = http.request(
++                "GET", f"{self.base_url}/redirect", retries=False, redirect=True
++            )
++            assert response.status == 303
++
++            # Check when redirect=False.
++            response = http.request(
++                "GET", f"{self.base_url}/redirect", retries=0, redirect=False
++            )
++            assert response.status == 303
++            response = http.request(
++                "GET", f"{self.base_url}/redirect", retries=False, redirect=False
++            )
++            assert response.status == 303
++
++
++     def test_redirect_cross_host_remove_headers(self) -> None:
++         with PoolManager() as http:
++             r = http.request(
++
+     def test_cross_host_redirect(self):
+         with PoolManager() as http:
+             cross_host_location = "%s/echo?a=b" % self.base_url_alt
+@@ -136,6 +224,24 @@ class TestPoolManager(HTTPDummyServerTes
+             pool = http.connection_from_host(self.host, self.port)
+             assert pool.num_connections == 1
+ 
++        # Check when retries are configured for the pool manager.
++        with PoolManager(retries=1) as http:
++            with pytest.raises(MaxRetryError):
++                http.request(
++                    "GET",
++                    f"{self.base_url}/redirect",
++                    fields={"target": f"/redirect?target={self.base_url}/"},
++                )
++
++            # Here we allow more retries for the request.
++            response = http.request(
++                "GET",
++                f"{self.base_url}/redirect",
++                fields={"target": f"/redirect?target={self.base_url}/"},
++                retries=2,
++            )
++            assert response.status == 200
++
+     def test_redirect_cross_host_remove_headers(self):
+         with PoolManager() as http:
+             r = http.request(

filter-pyopenssl-deprecationwarning.patch

@@ -0,0 +1,133 @@
+Index: urllib3-1.26.20/test/with_dummyserver/test_https.py
+===================================================================
+--- urllib3-1.26.20.orig/test/with_dummyserver/test_https.py
++++ urllib3-1.26.20/test/with_dummyserver/test_https.py
+@@ -215,6 +215,10 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             assert conn.__class__ == VerifiedHTTPSConnection
+ 
+             with warnings.catch_warnings(record=True) as w:
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                warnings.filterwarnings(
++                    "ignore", message="Attempting to mutate a Context after", category=DeprecationWarning
++                )
+                 r = https_pool.request("GET", "/")
+                 assert r.status == 200
+ 
+@@ -245,6 +249,13 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                 r = https_pool.request("GET", "/")
+                 assert r.status == 200
+ 
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                calls = warn.call_args_list
++                calls = [
++                    call for call in calls if call[0][1] != DeprecationWarning and
++                    not call[0][0].startswith("Attempting to mutate a Context")
++                ]
++
+                 # Modern versions of Python, or systems using PyOpenSSL, don't
+                 # emit warnings.
+                 if (
+@@ -252,7 +263,7 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                     or util.IS_PYOPENSSL
+                     or util.IS_SECURETRANSPORT
+                 ):
+-                    assert not warn.called, warn.call_args_list
++                    assert not calls
+                 else:
+                     assert warn.called
+                     if util.HAS_SNI:
+@@ -274,6 +285,13 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                 r = https_pool.request("GET", "/")
+                 assert r.status == 200
+ 
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                calls = warn.call_args_list
++                calls = [
++                    call for call in calls if call[0][1] != DeprecationWarning and
++                    not call[0][0].startswith("Attempting to mutate a Context")
++                ]
++
+                 # Modern versions of Python, or systems using PyOpenSSL, don't
+                 # emit warnings.
+                 if (
+@@ -281,7 +299,7 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                     or util.IS_PYOPENSSL
+                     or util.IS_SECURETRANSPORT
+                 ):
+-                    assert not warn.called, warn.call_args_list
++                    assert not calls
+                 else:
+                     assert warn.called
+                     if util.HAS_SNI:
+@@ -306,6 +324,10 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             assert conn.__class__ == VerifiedHTTPSConnection
+ 
+             with warnings.catch_warnings(record=True) as w:
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                warnings.filterwarnings(
++                    "ignore", message="Attempting to mutate a Context after", category=DeprecationWarning
++                )
+                 r = https_pool.request("GET", "/")
+                 assert r.status == 200
+ 
+@@ -412,6 +434,12 @@ class TestHTTPS(HTTPSDummyServerTestCase
+                 # warnings, which we want to ignore here.
+                 calls = warn.call_args_list
+ 
++                # Filter PyOpenSSL 25.1+ DeprecationWarning
++                calls = [
++                    call for call in calls if call[0][1] != DeprecationWarning and
++                    not call[0][0].startswith("Attempting to mutate a Context")
++                ]
++
+                 # If we're using a deprecated TLS version we can remove 'DeprecationWarning'
+                 if self.tls_protocol_deprecated():
+                     calls = [call for call in calls if call[0][1] != DeprecationWarning]
+@@ -687,6 +715,11 @@ class TestHTTPS(HTTPSDummyServerTestCase
+     def _request_without_resource_warnings(self, method, url):
+         with warnings.catch_warnings(record=True) as w:
+             warnings.simplefilter("always")
++            # Filter PyOpenSSL 25.1+ DeprecationWarning
++            warnings.filterwarnings(
++                "ignore", message="Attempting to mutate a Context after",
++                category=DeprecationWarning
++            )
+             with HTTPSConnectionPool(
+                 self.host, self.port, ca_certs=DEFAULT_CA
+             ) as https_pool:
+@@ -742,6 +775,11 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             conn = https_pool._get_conn()
+             try:
+                 with warnings.catch_warnings(record=True) as w:
++                    # Filter PyOpenSSL 25.1+ DeprecationWarning
++                    warnings.filterwarnings(
++                        "ignore", message="Attempting to mutate a Context after",
++                        category=DeprecationWarning
++                    )
+                     conn.connect()
+                     if not hasattr(conn.sock, "version"):
+                         pytest.skip("SSLSocket.version() not available")
+@@ -769,6 +807,11 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             conn = https_pool._get_conn()
+             try:
+                 with warnings.catch_warnings(record=True) as w:
++                    # Filter PyOpenSSL 25.1+ DeprecationWarning
++                    warnings.filterwarnings(
++                        "ignore", message="Attempting to mutate a Context after",
++                        category=DeprecationWarning
++                    )
+                     conn.connect()
+             finally:
+                 conn.close()
+@@ -788,6 +831,11 @@ class TestHTTPS(HTTPSDummyServerTestCase
+             conn = https_pool._get_conn()
+             try:
+                 with warnings.catch_warnings(record=True) as w:
++                    # Filter PyOpenSSL 25.1+ DeprecationWarning
++                    warnings.filterwarnings(
++                        "ignore", message="Attempting to mutate a Context after",
++                        category=DeprecationWarning
++                    )
+                     conn.connect()
+             finally:
+                 conn.close()

openssl-3.2.patch

@@ -1,34 +0,0 @@
-Index: urllib3-1.26.18/changelog/3268.bugfix.rst
-===================================================================
---- /dev/null
-+++ urllib3-1.26.18/changelog/3268.bugfix.rst
-@@ -0,0 +1 @@
-+Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS.
-Index: urllib3-1.26.18/test/with_dummyserver/test_socketlevel.py
-===================================================================
---- urllib3-1.26.18.orig/test/with_dummyserver/test_socketlevel.py
-+++ urllib3-1.26.18/test/with_dummyserver/test_socketlevel.py
-@@ -1226,7 +1226,8 @@ class TestSSL(SocketDummyServerTestCase)
-         self._start_server(socket_handler)
-         with HTTPSConnectionPool(self.host, self.port, ca_certs=DEFAULT_CA) as pool:
-             with pytest.raises(
--                SSLError, match=r"(wrong version number|record overflow)"
-+                SSLError,
-+                match=r"(wrong version number|record overflow|record layer failure)",
-             ):
-                 pool.request("GET", "/", retries=False)
- 
-Index: urllib3-1.26.18/src/urllib3/connectionpool.py
-===================================================================
---- urllib3-1.26.18.orig/src/urllib3/connectionpool.py
-+++ urllib3-1.26.18/src/urllib3/connectionpool.py
-@@ -768,7 +768,8 @@ class HTTPConnectionPool(ConnectionPool,
-                 # so we try to cover our bases here!
-                 message = " ".join(re.split("[^a-z]", str(ssl_error).lower()))
-                 return (
--                    "wrong version number" in message or "unknown protocol" in message
-+                    "wrong version number" in message or "unknown protocol" in message or "record layer failure" in message
-+
-                 )
- 
-             # Try to detect a common user error with proxies which is to

python-urllib3_1.changes

@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Tue Aug  5 05:58:09 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Do not ignore deprecation warnings, the testsuite explicitly
+  clears all warnings multiple times.
+- Add patch filter-pyopenssl-deprecationwarning.patch:
+  * Explicitly filter out new DeprecationWarnings raised by PyOpenSSL 25.1+
+
+-------------------------------------------------------------------
+Thu Jul 17 20:28:07 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- ignore deprecation warnings
+
+-------------------------------------------------------------------
+Wed Jun 25 05:18:37 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Add patch CVE-2025-50181-poolmanager-redirects.patch:
+  * Pool managers now properly control redirects when retries is passed
+    (CVE-2025-50181, GHSA-pq67-6m6q-mj2v, bsc#1244925)
+
+-------------------------------------------------------------------
+Mon May 19 07:29:03 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Skip some test that fails with latest python-tornado
+
+-------------------------------------------------------------------
+Tue Sep 10 06:30:59 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Update to 1.26.20:
+  * Fixed a crash where certain standard library hash functions were absent
+    in FIPS-compliant environments.
+  * Replaced deprecated dash-separated setuptools entries in setup.cfg.
+  * Backported changes to our tests and CI configuration from v2.x to
+    support testing with CPython 3.12 and 3.13.
+  * Added the Proxy-Authorization header to the list of headers to strip
+    from requests when redirecting to a different host. As before, different
+    headers can be set via Retry.remove_headers_on_redirect.
+- Drop patch openssl-3.2.patch:
+  * No longer required.
+
 -------------------------------------------------------------------
 Thu Jan 11 12:03:28 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
 
@@ -44,7 +84,7 @@ Mon May 22 11:23:33 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>
 -------------------------------------------------------------------
 Mon May 15 13:52:10 UTC 2023 - Dirk Müller <dmueller@suse.com>
 
-- rename to python-urllib3_1 
+- rename to python-urllib3_1
 
 -------------------------------------------------------------------
 Fri Apr 21 12:38:19 UTC 2023 - Dirk Müller <dmueller@suse.com>
@@ -171,7 +211,7 @@ Tue Jul 13 10:53:07 UTC 2021 - Markéta Machová <mmachova@suse.com>
 
 - update to 1.26.6
   * Deprecated the urllib3.contrib.ntlmpool module.
-  * Changed HTTPConnection.request_chunked() to not erroneously emit multiple 
+  * Changed HTTPConnection.request_chunked() to not erroneously emit multiple
     Transfer-Encoding headers in the case that one is already specified.
   * Fixed typo in deprecation message to recommend Retry.DEFAULT_ALLOWED_METHODS.
 
@@ -253,7 +293,7 @@ Thu Nov 26 09:02:30 UTC 2020 - Dirk Mueller <dmueller@suse.com>
     ``Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT``, and ``Retry(allowed_methods=...)``
     (Pull #2000) **Starting in urllib3 v2.0: Deprecated options will be removed**
   * Added default ``User-Agent`` header to every request (Pull #1750)
-  * Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``, 
+  * Added ``urllib3.util.SKIP_HEADER`` for skipping ``User-Agent``, ``Accept-Encoding``,
     and ``Host`` headers from being automatically emitted with requests (Pull #2018)
   * Collapse ``transfer-encoding: chunked`` request data and framing into
     the same ``socket.send()`` call (Pull #1906)
@@ -546,7 +586,7 @@ Sun Jul 15 22:30:26 UTC 2018 - mimi.vx@gmail.com
 - add 1414.patch - fix tests with new tornado
 - refresh python-urllib3-recent-date.patch
 - drop urllib3-test-no-coverage.patch
- * Allow providing a list of headers to strip from requests when redirecting 
+ * Allow providing a list of headers to strip from requests when redirecting
    to a different host. Defaults to the Authorization header. Different
    headers can be set via Retry.remove_headers_on_redirect.
  * Fix util.selectors._fileobj_to_fd to accept long
@@ -894,9 +934,9 @@ Tue Jan  5 14:40:22 UTC 2016 - hpj@urpla.net
   * pyopenssl: Support for TLSv1.1 and TLSv1.2. (Issue #696)
   * Close connections more defensively on exception. (Issue #734)
   * Adjusted read_chunked to handle gzipped, chunk-encoded bodies
-    without repeatedly flushing the decoder, to function better on 
+    without repeatedly flushing the decoder, to function better on
     Jython. (Issue #743)
-  * Accept ca_cert_dir for SSL-related PoolManager configuration. 
+  * Accept ca_cert_dir for SSL-related PoolManager configuration.
     (Issue #758)
 
 - removed ready-event.patch: applied upstream
@@ -936,12 +976,12 @@ Wed Oct 14 09:35:30 UTC 2015 - toddrme2178@gmail.com
 -------------------------------------------------------------------
 Tue Oct  6 15:03:05 UTC 2015 - hpj@urpla.net
 
-- add python-pyOpenSSL, python-certifi and python-pyasn1 requirements 
+- add python-pyOpenSSL, python-certifi and python-pyasn1 requirements
 
 -------------------------------------------------------------------
 Tue Oct  6 12:46:25 UTC 2015 - hpj@urpla.net
 
-- Comment out test requirements, as tests are disabled anyway, and 
+- Comment out test requirements, as tests are disabled anyway, and
   one of these packages depend on python-requests, which depends on
   this package resulting in a circular dependency for openSUSE <= 13.1
 
@@ -951,9 +991,9 @@ Fri Sep 25 11:24:49 UTC 2015 - p.drouand@gmail.com
 - Update to version 1.12
   * Rely on six for importing httplib to work around conflicts with
     other Python 3 shims. (Issue #688)
-  * Add support for directories of certificate authorities, as 
+  * Add support for directories of certificate authorities, as
     supported by OpenSSL. (Issue #701)
-  * New exception: NewConnectionError, raised when we fail to 
+  * New exception: NewConnectionError, raised when we fail to
     establish a new connection, usually ECONNREFUSED socket error.
 - Fix version dependencies
 - Add new build requirements following upstream changes
@@ -961,7 +1001,7 @@ Fri Sep 25 11:24:49 UTC 2015 - p.drouand@gmail.com
   * python-tox
   * python-twine
   * python-wheel
-- Update 0001-Don-t-pin-dependency-to-exact-version.patch 
+- Update 0001-Don-t-pin-dependency-to-exact-version.patch
 - Disable tests for now, as there require network
 
 -------------------------------------------------------------------
@@ -971,42 +1011,42 @@ Thu Sep 11 12:38:13 UTC 2014 - toddrme2178@gmail.com
 - Rebase 0001-Don-t-pin-dependency-to-exact-version.patch and
   urllib3-test-no-coverage.patch
 - Update to version 1.9 (2014-07-04)
-  * Shuffled around development-related files. 
+  * Shuffled around development-related files.
-    If you're maintaining a distro package of urllib3, you may need 
+    If you're maintaining a distro package of urllib3, you may need
     to tweak things. (Issue #415)
-  * Unverified HTTPS requests will trigger a warning on the first 
+  * Unverified HTTPS requests will trigger a warning on the first
     request. See our new security documentation for details.
     (Issue #426)
-  * New retry logic and urllib3.util.retry.Retry configuration 
+  * New retry logic and urllib3.util.retry.Retry configuration
     object. (Issue #326)
-  * All raised exceptions should now wrapped in a 
+  * All raised exceptions should now wrapped in a
-    urllib3.exceptions.HTTPException-extending exception. 
+    urllib3.exceptions.HTTPException-extending exception.
     (Issue #326)
   * All errors during a retry-enabled request should be wrapped in
-    urllib3.exceptions.MaxRetryError, including timeout-related 
+    urllib3.exceptions.MaxRetryError, including timeout-related
-    exceptions which were previously exempt. Underlying error is 
+    exceptions which were previously exempt. Underlying error is
     accessible from the .reason propery. (Issue #326)
-  * urllib3.exceptions.ConnectionError renamed to 
+  * urllib3.exceptions.ConnectionError renamed to
     urllib3.exceptions.ProtocolError. (Issue #326)
   * Errors during response read (such as IncompleteRead) are now
     wrapped in urllib3.exceptions.ProtocolError. (Issue #418)
-  * Requesting an empty host will raise 
+  * Requesting an empty host will raise
     urllib3.exceptions.LocationValueError. (Issue #417)
-  * Catch read timeouts over SSL connections as 
+  * Catch read timeouts over SSL connections as
     urllib3.exceptions.ReadTimeoutError. (Issue #419)
   * Apply socket arguments before connecting. (Issue #427)
 - Update to version 1.8.3 (2014-06-23)
-  * Fix TLS verification when using a proxy in Python 3.4.1. 
+  * Fix TLS verification when using a proxy in Python 3.4.1.
     (Issue #385)
-  * Add disable_cache option to urllib3.util.make_headers. 
+  * Add disable_cache option to urllib3.util.make_headers.
     (Issue #393)
-  * Wrap socket.timeout exception with 
+  * Wrap socket.timeout exception with
     urllib3.exceptions.ReadTimeoutError. (Issue #399)
-  * Fixed proxy-related bug where connections were being reused 
+  * Fixed proxy-related bug where connections were being reused
     incorrectly. (Issues #366, #369)
-  * Added socket_options keyword parameter which allows to define 
+  * Added socket_options keyword parameter which allows to define
     setsockopt configuration of new sockets. (Issue #397)
-  * Removed HTTPConnection.tcp_nodelay in favor of 
+  * Removed HTTPConnection.tcp_nodelay in favor of
     HTTPConnection.default_socket_options. (Issue #397)
   * Fixed TypeError bug in Python 2.6.4. (Issue #411)
 - Update to version 1.8.2 (2014-04-17)
@@ -1014,7 +1054,7 @@ Thu Sep 11 12:38:13 UTC 2014 - toddrme2178@gmail.com
 - Update to version 1.8.1 (2014-04-17)
   * Fix AppEngine bug of HTTPS requests going out as HTTP.
     (Issue #356)
-  * Don't install dummyserver into site-packages as it's only 
+  * Don't install dummyserver into site-packages as it's only
     needed for the test suite. (Issue #362)
   * Added support for specifying source_address. (Issue #352)
 

python-urllib3_1.spec

@@ -1,7 +1,7 @@
 #
-# spec file
+# spec file for package python-urllib3_1
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,18 +26,19 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-urllib3_1%{psuffix}
-Version:        1.26.18
+Version:        1.26.20
 Release:        0
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 License:        MIT
-Group:          Development/Languages/Python
 URL:            https://urllib3.readthedocs.org/
 Source:         https://files.pythonhosted.org/packages/source/u/urllib3/urllib3-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM remove_mock.patch gh#urllib3/urllib3#2108 mcepl@suse.com
 # remove dependency on the external module mock
 Patch0:         remove_mock.patch
-# PATCH-FIX-UPSTREAM openssl-3.2.patch gh#urllib3/urllib3#3271
+# PATCH-FIX-UPSTREAM CVE-2025-50181 gh#urllib3/urllib3@f05b1329126d, bsc#1244925
-Patch1:         openssl-3.2.patch
+Patch1:         CVE-2025-50181-poolmanager-redirects.patch
+# PATCH-FIX-OPENSUSE Explicitly ignore new DeprecationWarning from PyOpenSSL 25.1+
+Patch2:         filter-pyopenssl-deprecationwarning.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
@@ -134,6 +135,8 @@ skiplist="test_ssl_read_timeout or test_ssl_failed_fingerprint_verification or t
 skiplist+=" or test_recent_date"
 # too slow to run in obs (checks 2GiB of data)
 skiplist+=" or test_requesting_large_resources_via_ssl"
+# Latest tornado raises an exception on bad header so this test fails
+skiplist+=" or test_skip_header"
 # Python 3.12: SSL requests to localhost hang during handshake
 python312_skip=" or TestClientCerts or TestSSL or test_cannot_import_ssl or (TestProxyManager and test_connect)"
 %pytest -k "not (${skiplist} ${$python_skip})"  --no-success-flaky-report