* [Buildroot] [git commit branch/2021.02.x] package/python-urllib3: security bump to version 1.26.6
@ 2021-08-03 14:23 Peter Korsgaard
From: Peter Korsgaard @ 2021-08-03 14:23 UTC
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=f87a20a9a40e3a00b126781c586e36ffcf47bd75
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.02.x
Fix CVE-2021-33503: An issue was discovered in urllib3 before 1.26.5.
When provided with a URL containing many @ characters in the authority
component, the authority regular expression exhibits catastrophic
backtracking, causing a denial of service if a URL were passed as a
parameter or redirected to via an HTTP redirect.
https://github.com/urllib3/urllib3/blob/1.26.6/CHANGES.rst
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56a105f9fb80fa2f6bd01280d64744cd3e7d73c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-urllib3/python-urllib3.hash | 4 ++--
package/python-urllib3/python-urllib3.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-urllib3/python-urllib3.hash b/package/python-urllib3/python-urllib3.hash
index 820156b4ca..288d986e7c 100644
--- a/package/python-urllib3/python-urllib3.hash
+++ b/package/python-urllib3/python-urllib3.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/urllib3/json
-md5 e2a2039e22fc29b751e26b7042e8db2f urllib3-1.26.4.tar.gz
-sha256 e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937 urllib3-1.26.4.tar.gz
+md5 3a88ec3bcb761ca23df2c3583949be37 urllib3-1.26.6.tar.gz
+sha256 f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f urllib3-1.26.6.tar.gz
# Locally computed sha256 checksums
sha256 c37bf186e27cf9dbe9619e55edfe3cea7b30091ceb3da63c7dacbe0e6d77907b LICENSE.txt
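Review bot: The two added lines keep an md5 entry next to the sha256 for urllib3-1.26.6.tar.gz, and per the header comment both values are taken from https://pypi.org/pypi/urllib3/json, so neither was computed independently of the download source. md5 adds no integrity assurance beside sha256; consider dropping it, or at least confirming the sha256 against a locally downloaded tarball before merging. The LICENSE.txt sha256 stays as unchanged context, which is only correct if that file is byte-identical between 1.26.4 and 1.26.6.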
diff --git a/package/python-urllib3/python-urllib3.mk b/package/python-urllib3/python-urllib3.mk
index d5a04163f9..775986d516 100644
--- a/package/python-urllib3/python-urllib3.mk
+++ b/package/python-urllib3/python-urllib3.mk
@@ -4,9 +4,9 @@
#
################################################################################
-PYTHON_URLLIB3_VERSION = 1.26.4
+PYTHON_URLLIB3_VERSION = 1.26.6
PYTHON_URLLIB3_SOURCE = urllib3-$(PYTHON_URLLIB3_VERSION).tar.gz
-PYTHON_URLLIB3_SITE = https://files.pythonhosted.org/packages/cb/cf/871177f1fc795c6c10787bc0e1f27bb6cf7b81dbde399fd35860472cecbc
+PYTHON_URLLIB3_SITE = https://files.pythonhosted.org/packages/4f/5a/597ef5911cb8919efe4d86206aa8b2658616d676a7088f0825ca08bd7cb8
PYTHON_URLLIB3_LICENSE = MIT
PYTHON_URLLIB3_LICENSE_FILES = LICENSE.txt
PYTHON_URLLIB3_CPE_ID_VENDOR = python
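Review bot: PYTHON_URLLIB3_VERSION goes from 1.26.4 straight to 1.26.6, while the commit message says CVE-2021-33503 affects urllib3 before 1.26.5, so the log should state in one sentence why 1.26.6 is taken rather than 1.26.5 (the CHANGES.rst link is given but not summarised). The new PYTHON_URLLIB3_SITE value is an opaque files.pythonhosted.org directory that cannot be matched to the version by eye, so the sha256 in python-urllib3.hash is the only thing tying it to urllib3-1.26.6.tar.gz.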