* [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2
@ 2019-04-25  7:07 Peter Korsgaard
  2019-04-26  7:14 ` Thomas Petazzoni
  2019-04-26 13:06 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-04-25  7:07 UTC (permalink / raw)
  To: buildroot

Fixes the following security issue:

- CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles
  certain cases where the desired set of CA certificates is different from
  the OS store of CA certificates, which results in SSL connections
  succeeding in situations where a verification failure is the correct
  outcome.  This is related to use of the ssl_context, ca_certs, or
  ca_certs_dir argument.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/python-urllib3/python-urllib3.hash | 4 ++--
 package/python-urllib3/python-urllib3.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/python-urllib3/python-urllib3.hash b/package/python-urllib3/python-urllib3.hash
index 098c7940a0..ec075cb4f6 100644
--- a/package/python-urllib3/python-urllib3.hash
+++ b/package/python-urllib3/python-urllib3.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/urllib3/json
-md5	f3d8b1841539200c949a33e87e551d8e  urllib3-1.24.1.tar.gz
-sha256	de9529817c93f27c8ccbfead6985011db27bd0ddfcdb2d86f3f663385c6a9c22  urllib3-1.24.1.tar.gz
+md5	20bb5a170a534bd0acd98bfc007fcc22  urllib3-1.24.2.tar.gz
+sha256	9a247273df709c4fedb38c711e44292304f73f39ab01beda9f6b9fc375669ac3  urllib3-1.24.2.tar.gz
 # Locally computed sha256 checksums
 sha256	11db569430ca5ad793f1399297b8df5041a22137abaf90642ea71da21d59121c  LICENSE.txt
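Review bot: The md5 and sha256 lines for urllib3-1.24.2.tar.gz are both taken from the PyPI JSON metadata named in the first comment line, so they detect a corrupted download but give no check that is independent of PyPI, which also serves the tarball. The md5 entry adds nothing over the sha256 entry and could be dropped. A locally computed sha256 for the tarball, placed under the existing "# Locally computed sha256 checksums" comment as is already done for LICENSE.txt, would record that the submitter actually fetched and hashed the file.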
diff --git a/package/python-urllib3/python-urllib3.mk b/package/python-urllib3/python-urllib3.mk
index a2c3096a9c..893d32d976 100644
--- a/package/python-urllib3/python-urllib3.mk
+++ b/package/python-urllib3/python-urllib3.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_URLLIB3_VERSION = 1.24.1
+PYTHON_URLLIB3_VERSION = 1.24.2
 PYTHON_URLLIB3_SOURCE = urllib3-$(PYTHON_URLLIB3_VERSION).tar.gz
-PYTHON_URLLIB3_SITE = https://files.pythonhosted.org/packages/b1/53/37d82ab391393565f2f831b8eedbffd57db5a718216f82f1a8b4d381a1c1
+PYTHON_URLLIB3_SITE = https://files.pythonhosted.org/packages/fd/fa/b21f4f03176463a6cccdb612a5ff71b927e5224e83483012747c12fc5d62
 PYTHON_URLLIB3_LICENSE = MIT
 PYTHON_URLLIB3_LICENSE_FILES = LICENSE.txt
 PYTHON_URLLIB3_SETUP_TYPE = setuptools
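Review bot: The new PYTHON_URLLIB3_SITE value is an opaque per-release directory on files.pythonhosted.org that must change in lockstep with PYTHON_URLLIB3_VERSION, and nothing in this hunk lets a reader confirm that the new path belongs to the 1.24.2 release. The sha256 entry in python-urllib3.hash is the only thing that pins the tarball, so it would help to state in the commit message that the download from this URL was verified against that hash.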
-- 
2.11.0


* [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2
  2019-04-25  7:07 [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2 Peter Korsgaard
@ 2019-04-26  7:14 ` Thomas Petazzoni
  2019-04-26 13:06 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2019-04-26  7:14 UTC (permalink / raw)
  To: buildroot

On Thu, 25 Apr 2019 09:07:22 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:

> Fixes the following security issue:
> 
> - CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles
>   certain cases where the desired set of CA certificates is different from
>   the OS store of CA certificates, which results in SSL connections
>   succeeding in situations where a verification failure is the correct
>   outcome.  This is related to use of the ssl_context, ca_certs, or
>   ca_certs_dir argument.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/python-urllib3/python-urllib3.hash | 4 ++--
>  package/python-urllib3/python-urllib3.mk   | 4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2
  2019-04-25  7:07 [Buildroot] [PATCH] package/python-urllib3: security bump to version 1.24.2 Peter Korsgaard
  2019-04-26  7:14 ` Thomas Petazzoni
@ 2019-04-26 13:06 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-04-26 13:06 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > - CVE-2019-11324: The urllib3 library before 1.24.2 for Python mishandles
 >   certain cases where the desired set of CA certificates is different from
 >   the OS store of CA certificates, which results in SSL connections
 >   succeeding in situations where a verification failure is the correct
 >   outcome.  This is related to use of the ssl_context, ca_certs, or
 >   ca_certs_dir argument.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2019.02.x, thanks.

-- 
Bye, Peter Korsgaard
