* [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2
@ 2019-04-25 7:07 Peter Korsgaard
2019-04-26 7:14 ` Thomas Petazzoni
2019-04-26 13:06 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-04-25 7:07 UTC (permalink / raw)
To: buildroot
Fixes the following security issue:
- CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles
certain cases where the desired set of CA certificates is different from
the OS store of CA certificates, which results in SSL connections
succeeding in situations where a verification failure is the correct
outcome. This is related to use of the ssl_context, ca_certs, or
ca_certs_dir argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/python-urllib3/python-urllib3.hash | 4 ++--
package/python-urllib3/python-urllib3.mk | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/python-urllib3/python-urllib3.hash b/package/python-urllib3/python-urllib3.hash
index 098c7940a0..ec075cb4f6 100644
--- a/package/python-urllib3/python-urllib3.hash
+++ b/package/python-urllib3/python-urllib3.hash
@@ -1,5 +1,5 @@
# md5, sha256 from https://pypi.org/pypi/urllib3/json
-md5 f3d8b1841539200c949a33e87e551d8e urllib3-1.24.1.tar.gz
-sha256 de9529817c93f27c8ccbfead6985011db27bd0ddfcdb2d86f3f663385c6a9c22 urllib3-1.24.1.tar.gz
+md5 20bb5a170a534bd0acd98bfc007fcc22 urllib3-1.24.2.tar.gz
+sha256 9a247273df709c4fedb38c711e44292304f73f39ab01beda9f6b9fc375669ac3 urllib3-1.24.2.tar.gz
# Locally computed sha256 checksums
sha256 11db569430ca5ad793f1399297b8df5041a22137abaf90642ea71da21d59121c LICENSE.txt
diff --git a/package/python-urllib3/python-urllib3.mk b/package/python-urllib3/python-urllib3.mk
index a2c3096a9c..893d32d976 100644
--- a/package/python-urllib3/python-urllib3.mk
+++ b/package/python-urllib3/python-urllib3.mk
@@ -4,9 +4,9 @@
#
################################################################################
-PYTHON_URLLIB3_VERSION = 1.24.1
+PYTHON_URLLIB3_VERSION = 1.24.2
PYTHON_URLLIB3_SOURCE = urllib3-$(PYTHON_URLLIB3_VERSION).tar.gz
-PYTHON_URLLIB3_SITE = https://files.pythonhosted.org/packages/b1/53/37d82ab391393565f2f831b8eedbffd57db5a718216f82f1a8b4d381a1c1
+PYTHON_URLLIB3_SITE = https://files.pythonhosted.org/packages/fd/fa/b21f4f03176463a6cccdb612a5ff71b927e5224e83483012747c12fc5d62
PYTHON_URLLIB3_LICENSE = MIT
PYTHON_URLLIB3_LICENSE_FILES = LICENSE.txt
PYTHON_URLLIB3_SETUP_TYPE = setuptools
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2
2019-04-25 7:07 [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2 Peter Korsgaard
@ 2019-04-26 7:14 ` Thomas Petazzoni
2019-04-26 13:06 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2019-04-26 7:14 UTC (permalink / raw)
To: buildroot
On Thu, 25 Apr 2019 09:07:22 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issue:
>
> - CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles
> certain cases where the desired set of CA certificates is different from
> the OS store of CA certificates, which results in SSL connections
> succeeding in situations where a verification failure is the correct
> outcome. This is related to use of the ssl_context, ca_certs, or
> ca_certs_dir argument.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/python-urllib3/python-urllib3.hash | 4 ++--
> package/python-urllib3/python-urllib3.mk | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2
2019-04-25 7:07 [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2 Peter Korsgaard
2019-04-26 7:14 ` Thomas Petazzoni
@ 2019-04-26 13:06 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-04-26 13:06 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issue:
> - CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles
> certain cases where the desired set of CA certificates is different from
> the OS store of CA certificates, which results in SSL connections
> succeeding in situations where a verification failure is the correct
> outcome. This is related to use of the ssl_context, ca_certs, or
> ca_certs_dir argument.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2019.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-04-26 13:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-25 7:07 [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2 Peter Korsgaard
2019-04-26 7:14 ` Thomas Petazzoni
2019-04-26 13:06 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.