""" A vulnerability has been discovered in the urllib3 Python library. When verifying HTTPS connections when an SSLContext is passed to urllib3, system CA certificates will be loaded into the SSLContext by default in addition to any manually-specified CA certificates. This causes TLS handshakes that should fail given only the manually specified certs to succeed based on system CA certs. This affects urllib3 1.24.1 and below. The fix has been released in version 1.24.2. The vulnerability was reported by Christian Heimes. A CVE ID has been requested, will follow up with it when we have it. Best Havoc / on behalf of Tidelift security team & urllib3 team """
I just added 1.24.2 to the tree and I'm testing to see if it's ready for stabilization.
This is good for rapid stabilization:
KEYWORDS="alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86"
I'll take care of amd64.
stable on ~amd64
sparc stable
arm stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62abf42734d0afff1cc59c54035763f202644367

commit 62abf42734d0afff1cc59c54035763f202644367
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-07 18:03:15 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-07 18:03:23 +0000

    dev-python/urllib3-1.24.2-r0: alpha stable

    Bug: http://bugs.gentoo.org/683890
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-python/urllib3/urllib3-1.24.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
ppc64 stable
s390 stable
ppc stable
ia64 stable
hppa done, all arches done
@python, please drop vulnerable.
Cleanup is blocked by elasticsearch-py.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfd9b99758aa243e6d0f3e950f6ee8cf6fb1f76e

commit dfd9b99758aa243e6d0f3e950f6ee8cf6fb1f76e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-08-15 19:50:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-16 13:40:33 +0000

    dev-python/urllib3: Clean old up

    Bug: https://bugs.gentoo.org/683890
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/12719
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/urllib3/Manifest                        |  3 -
 .../urllib3/files/urllib3-1.23-tornado5.patch      | 72 ----------------------
 dev-python/urllib3/urllib3-1.22.ebuild             | 63 -------------------
 dev-python/urllib3/urllib3-1.23.ebuild             | 72 ----------------------
 dev-python/urllib3/urllib3-1.24.1.ebuild           | 67 --------------------
 5 files changed, 277 deletions(-)
Repository is clean, all done!