python-urllib3 (1.24.1-1+deb10u2) buster-security; urgency=high

  [ Sean Whitton ]
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2023-43803: Request body isn't stripped during cross-origin
    redirects (Closes: #1054226).

  [ Guilhem Moulin ]
  * Use system 'six' in test/with_dummyserver/test_https.py too.
  * Retroactively fix CVE-2018-25091.

 -- Sean Whitton  Wed, 08 Nov 2023 11:02:05 +0000

python-urllib3 (1.24.1-1+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2018-25091: urllib3 does not remove the ‘authorization’ HTTP header
    when following a cross-origin redirect. (This is similar to
    CVE-2018-20060, but applies to non-titlecase header fields.)
  * Fix CVE-2019-11236: An attacker controlling the request parameter can
    inject headers by injecting CR/LF characters. (Closes: #927172)
  * Fix CVE-2019-11324: When verifying HTTPS connections when an SSLContext
    is passed to urllib3, system CA certificates will be loaded into the
    SSLContext by default in addition to any manually-specified CA
    certificates. This causes TLS handshakes that should fail given only
    the manually specified certs to succeed based on system CA certs.
    (Closes: #927412)
  * Fix CVE-2020-26137: CRLF injection vulnerability when the attacker
    controls the HTTP request method, as demonstrated by inserting CR and LF
    control characters in the first argument of putrequest().
  * Fix CVE-2023-43804: Cookie request header isn't stripped during
    cross-origin redirects. (Closes: #1053626)

 -- Guilhem Moulin  Sat, 07 Oct 2023 18:59:08 +0200

python-urllib3 (1.24.1-1) unstable; urgency=medium

  * Upload to unstable.

 -- Daniele Tricoli  Mon, 11 Feb 2019 02:14:53 +0100

python-urllib3 (1.24.1-1~exp1) experimental; urgency=medium

  * New upstream release.
  * Refresh 01_do-not-use-embedded-python-six.patch.
  * debian/control
    - Update to use my debian.org mail address.
    - Bump Standards-Version to 4.3.0 (no changes needed).
  * debian/copyright
    - Update to use my debian.org mail address.
    - Update copyright years.

 -- Daniele Tricoli  Thu, 10 Jan 2019 01:16:27 +0100

python-urllib3 (1.24-1) unstable; urgency=medium

  * Upload to unstable. (Closes: #911716)

 -- Daniele Tricoli  Thu, 25 Oct 2018 05:01:14 +0200

python-urllib3 (1.24-1~exp1) experimental; urgency=medium

  [ Ondřej Nový ]
  * d/control: Set Vcs-* to salsa.debian.org
  * d/copyright: Use https protocol in Format field
  * d/control: Remove ancient X-Python-Version field
  * d/control: Remove ancient X-Python3-Version field
  * Convert git repository from git-dpm to gbp layout

  [ Daniele Tricoli ]
  * New upstream release.
  * Refresh patches after git-dpm to gbp pq conversion.
  * Add debian/gbp.conf.
  * Refresh patches.
  * debian/clean
    - Update path of urllib3.egg-info.
  * debian/control
    - Require newer dh-python which cleans .pytest_cache directory.
  * debian/copyright
    - Update copyright years.
    - Update Source field to point to new pypi HTTPS URL.
    - Add section for urllib3/contrib/_securetransport.
    - Update paths and remove section about ordered_dict.py.
    - Add section about backported socket.makefile().
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh and also patch urllib3.contrib.pyopenssl to use the packaged
      version of six. (Closes: #905479)
  * debian/patches/04_relax_nosetests_options.patch
    - Drop since no more used (tests use pytest).
  * debian/rules
    - Ignore tests that require dummyserver or network access.
    - Clean .pytest_cache/ to build twice in a row.
  * debian/upstream/signing-key.asc
    - Remove since upstream will not sign tarballs anymore.
  * debian/watch
    - Remove pgpsigurlmangle since upstream will not sign tarballs anymore.

 -- Daniele Tricoli  Fri, 19 Oct 2018 08:42:27 +0200

python-urllib3 (1.22-1) unstable; urgency=medium

  * Team upload.
  * New upstream release (Closes: #876334)
  * d/watch
    - Check upstream signature
    - Use https
  * Bump debhelper compat level to 11
  * Standards-Version is 4.1.3 now (no changes needed)
  * Add python{3,}-pytest to B-D
  * Use pytest for unit tests (same as upstream) and skip timing tests
  * Skip test_recent_date test
  * Use autopkgtest-pkg-python testsuite instead of hardcoded one

 -- Ondřej Nový  Thu, 04 Jan 2018 15:09:14 +0100

python-urllib3 (1.21.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #861642)
  * debian/control
    - Add python-psutil{,3} to Build-Depends.
    - Add version constraint for six. (Closes: #857006)
    - Bump Standards-Version to 4.0.0 (no changes needed).
  * debian/copyright
    - Update copyright years.
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.
  * debian/tests/control
    - Add autodep8 tests. (Closes: #796717)

 -- Daniele Tricoli  Fri, 14 Jul 2017 01:21:44 +0200

python-urllib3 (1.19.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Remove python{,3}-ndg-httpsclient and python{,3}-pyasn1.
    - Add python{,3}-cryptography, python{,3}-idna and python-ipaddress.
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.

 -- Daniele Tricoli  Thu, 08 Dec 2016 15:08:04 +0100

python-urllib3 (1.16-1) unstable; urgency=medium

  * New upstream release.

 -- Daniele Tricoli  Sun, 04 Sep 2016 01:21:05 +0200

python-urllib3 (1.15.1-2) unstable; urgency=medium

  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Patch urllib3.contrib.appengine and dummyserver tests.
      (Closes: #825310)

 -- Daniele Tricoli  Thu, 26 May 2016 05:11:02 +0200

python-urllib3 (1.15.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Bump Standards-Version to 3.9.8 (no changes needed).
    - Add python{,3}-socks to Suggests.
  * debian/copyright
    - Update copyright years.
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.
  * debian/rules
    - Don't run contrib socks tests at build time.
    - Exclude GAE tests. (Closes: #825168)

 -- Daniele Tricoli  Tue, 24 May 2016 16:18:22 +0200

python-urllib3 (1.13.1-2) unstable; urgency=medium

  * debian/control
    - Remove python-urllib3-whl and python3-wheel B-D. (Closes: #814467)
    - Use secure URI for Vcs-Git.
    - Bump Standards-Version to 3.9.7 (no changes needed).
    - Bump X-Python3-Version to >= 3.2.
  * debian/copyright
    - Update copyright years.
  * debian/python-urllib3-whl.install
    - Remove.
  * debian/rules
    - Remove override_dh_auto_install since it's no longer needed to build
      the wheel package.

 -- Daniele Tricoli  Fri, 12 Feb 2016 01:35:42 +0100

python-urllib3 (1.13.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.
  * debian/patches/05_avoid-embedded-ssl-match-hostname.patch
    - Refresh.

 -- Daniele Tricoli  Wed, 23 Dec 2015 23:02:05 +0100

python-urllib3 (1.12-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Update Vcs fields for git migration.
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.
  * debian/patches/06_rely-on-six-to-import-httplib-or-http.client.patch
    - Remove since included in this release.

 -- Daniele Tricoli  Sun, 11 Oct 2015 03:31:25 +0200

python-urllib3 (1.11-2) unstable; urgency=medium

  * debian/patches/06_rely-on-six-to-import-httplib-or-http.client.patch
    - Rely on six to import httplib or http.client. Thanks to Edward Betts
      for the report. (Closes: #796356)

 -- Daniele Tricoli  Sun, 23 Aug 2015 21:19:59 +0200

python-urllib3 (1.11-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Add python{,3}-tornado to Build-Depends.
    - Add python-ntlm to python-urllib3's Suggests.
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.

 -- Daniele Tricoli  Mon, 17 Aug 2015 18:51:43 +0200

python-urllib3 (1.10.4-1) unstable; urgency=medium

  * New upstream release.
  * debian/watch
    - Use pypi.debian.net redirector.
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.

 -- Daniele Tricoli  Sun, 03 May 2015 17:18:55 +0200

python-urllib3 (1.10-1) experimental; urgency=medium

  * New upstream release.
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.
  * debian/patches/06_do-not-make-SSLv3-mandatory.patch
    - Remove since it was merged upstream.

 -- Daniele Tricoli  Thu, 15 Jan 2015 22:58:53 +0100

python-urllib3 (1.9.1-3) unstable; urgency=medium

  [ Stefano Rivera ]
  * Replace 05_do-not-use-embedded-ssl-match-hostname.patch with
    05_avoid-embedded-ssl-match-hostname.patch. Users may use virtualenv
    with cPython << 2.7.9 (or Debian python2.7 2.7.8-7).
    (Closes: #755106, #763389)

  [ Daniele Tricoli ]
  * debian/patches/06_do-not-make-SSLv3-mandatory.patch
    - Since SSL version 3 is insecure it is supported only if Python
      supports it. (Closes: #770246)

 -- Daniele Tricoli  Thu, 20 Nov 2014 13:17:59 +0100

python-urllib3 (1.9.1-2) unstable; urgency=medium

  * debian/control
    - Bump python{,3}-nose to >=1.3.3 to build urllib3 on Wheezy. Thanks to
      Nick Phillips for the report. (Closes: #765035)

 -- Daniele Tricoli  Tue, 21 Oct 2014 02:59:57 +0200

python-urllib3 (1.9.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Bump Standards-Version to 3.9.6 (no changes needed).
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh.
  * debian/patches/05_do-not-use-embedded-ssl-match-hostname.patch
    - Refresh.
  * debian/patches/06_add-test-init-py.patch
    - Remove since fixed upstream.
  * debian/rules
    - Exclude with_dummyserver tests since they are also failing upstream.

 -- Daniele Tricoli  Tue, 23 Sep 2014 04:28:42 +0200

python-urllib3 (1.9-1) unstable; urgency=medium

  * New upstream release
  * debian/control
    - Add python-ndg-httpsclient, python-openssl and python-pyasn1 into
      python-urllib3's Recommends to ensure that SNI works as expected and
      to prevent CRIME attack
    - Add python3-ndg-httpsclient, python3-openssl and python3-pyasn1 into
      python3-urllib3's Suggests since Python 3 already supports SNI and
      SSL compression can be disabled using OP_NO_COMPRESSION
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh
  * debian/patches/02_require-cert-verification.patch
    - Refresh
  * debian/patches/05_do-not-use-embedded-ssl-match-hostname.patch
    - Refresh
  * debian/patches/06_relax-test-requirements.patch
    - Remove since upstream now does not specify version of packages needed
      for testing inside setup.py
  * debian/patches/06_add-test-init-py.patch
    - Add needed test/__init__.py file not shipped in sdist

 -- Daniele Tricoli  Mon, 01 Sep 2014 02:56:44 +0200

python-urllib3 (1.8.3-1) unstable; urgency=medium

  * New upstream release (Closes: #754090)
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refresh
  * debian/patches/04_relax_nosetests_options.patch
    - Refresh

 -- Daniele Tricoli  Mon, 07 Jul 2014 16:09:06 +0200

python-urllib3 (1.8.2-1) unstable; urgency=medium

  * New upstream release
  * debian/clean
    - Removed .coverage entry
  * debian/control
    - Added python3-coverage, python3-mock, python3-nose to Build-Depends
    - Bumped python(3)-coverage to (>=3.6)
    - Removed python-tornado from Build-Depends since it was used only for
      dummyserver
  * debian/copyright
    - Updated copyright years
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refreshed
  * debian/patches/02_require-cert-verification.patch
    - Refreshed
  * debian/patches/03_no-setuptools.patch
    - Superseded by debian/patches/setuptools.patch
  * debian/patches/03_force-setuptools.patch
    - Renamed from setuptools.patch
    - Added description
  * debian/patches/05_do-not-use-embedded-ssl-match-hostname.patch
    - Do not use embedded copy of ssl.match_hostname
  * debian/patches/06_relax-test-requirements.patch
    - Relax version of packages needed for testing
  * debian/rules
    - Enabled tests at build time also for Python 3 using the custom build
      plugin of pybuild
    - Cleaned .coverage file generated by nose using coverage plugin
    - No need to remove dummyserver since it is not installed anymore

 -- Daniele Tricoli  Wed, 28 May 2014 19:41:18 +0200

python-urllib3 (1.8-2) unstable; urgency=medium

  * Team upload.
  * d/control:
    - Fix python-urllib3-whl Depends.
    - Fix typo in python-urllib3-whl description.

 -- Barry Warsaw  Thu, 22 May 2014 18:19:16 -0400

python-urllib3 (1.8-1) unstable; urgency=medium

  * Team upload.

  [ Daniele Tricoli ]
  * New upstream release
  * debian/control
    - Bumped Standards-Version to 3.9.5 (no changes needed)
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refreshed
  * debian/patches/02_require-cert-verification.patch
    - Refreshed

  [ Barry Warsaw ]
  * d/control:
    - Added python-setuptools, python3-setuptools, and python3-wheel to
      Build-Depends.
    - Added python-urllib3-whl binary package.
  * d/rules:
    - Build the universal wheels.
    - Simplify through use of PYBUILD_NAME.
  * d/python-urllib3-whl.install: Added.
  * d/patches/setuptools.patch: Use setuptools.setup() so that the
    bdist_wheel command will work.

 -- Barry Warsaw  Thu, 15 May 2014 17:21:50 -0400

python-urllib3 (1.7.1-1) unstable; urgency=low

  * New upstream release
  * Switched to pybuild
  * debian/clean
    - Switched to debian/clean for cleaning instead of using debian/rules
  * debian/compat
    - Bumped debhelper compatibility level to 9
  * debian/control
    - Added python-mock to Build-Depends
    - Bumped debhelper B-D to (>= 9)
  * debian/copyright
    - Removed stanza about mimetools_choose_boundary since not shipped
      anymore
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refreshed
  * debian/patches/02_require-cert-verification.patch
    - Refreshed
  * debian/patches/04_relax_nosetests_options.patch
    - Refreshed
  * debian/patches/05_fix_python3_syntax_error_in_ntlmpool.patch
    - Removed since fixed upstream
  * debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
    - Removed since fixed upstream
  * debian/watch
    - Switched download URL to https

 -- Daniele Tricoli  Thu, 17 Oct 2013 13:28:10 +0200

python-urllib3 (1.6-2) unstable; urgency=high

  * debian/patches/06_fix_abuse_of_match_hostname_for_DoS.patch
    - Added upstream patch to fix possible abuse of ssl.match_hostname()
      for denial of service using certificates with many wildcards
      (CVE-2013-2099) (Closes: #709070)
      Thanks Henri Salo and Jakub Wilk for the report

 -- Daniele Tricoli  Mon, 20 May 2013 19:34:17 +0200

python-urllib3 (1.6-1) unstable; urgency=low

  [ Jakub Wilk ]
  * Use canonical URIs for Vcs-* fields.

  [ Daniele Tricoli ]
  * New upstream release
  * Upload to unstable (Closes: #707780)
  * debian/control
    - Added python3-six to Build-Depends field
    - Bumped debhelper dependency to 8.1 for build-{arch,indep} support
    - Removed python-setuptools from Build-Depends field
  * debian/copyright
    - Updated copyright years
    - Added stanza for urllib3/packages/ordered_dict.py
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refreshed
  * debian/patches/02_require-cert-verification.patch
    - Refreshed
  * debian/patches/03_no-setuptools.patch
    - Do not use setuptools
  * debian/patches/04_relax_nosetests_options.patch
    - Do not use logging-clear-handlers to see all logging output and
      disabled cover-min-percentage since it requires python-nose (>= 1.3):
      this way it will be easier to backport python-urllib3 to Wheezy.
  * debian/patches/05_fix_python3_syntax_error_in_ntlmpool.patch
    - Fix syntax error 'unicodeescape' codec can't decode bytes in
      position 130-132 for Python3

 -- Daniele Tricoli  Sat, 11 May 2013 15:15:38 +0200

python-urllib3 (1.5-1) experimental; urgency=low

  * New upstream release
  * debian/control
    - Bumped Standards-Version to 3.9.4 (no changes needed)
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refreshed
  * debian/rules
    - Run tests only for python2.7 since upstream is using assertRaises()
      as a context manager

 -- Daniele Tricoli  Fri, 09 Nov 2012 04:23:18 +0100

python-urllib3 (1.3-3) unstable; urgency=low

  * debian/control
    - Added ca-certificates to Recommends field
  * debian/patches/02_require-cert-verification.patch
    - require SSL certificate validation by default by using
      CERT_REQUIRED and using the system
      /etc/ssl/certs/ca-certificates.crt.
      Thanks to Jamie Strandboge for report and patch (Closes: #686872)

 -- Daniele Tricoli  Mon, 10 Sep 2012 14:33:35 +0200

python-urllib3 (1.3-2) unstable; urgency=low

  * debian/control
    - Tightened B-D of python-coverage to >= 3.4 (Closes: #668427)
    - Fixed typo in python3-urllib3's ${python3:Depends}
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refreshed
  * debian/rules
    - Actually remove the embedded python-six from binary packages
    - Cleaned .egg-info to build packages twice in a row

 -- Daniele Tricoli  Tue, 17 Apr 2012 21:34:49 +0200

python-urllib3 (1.3-1) unstable; urgency=low

  * New upstream release
  * debian/control
    - Bumped Standards-Version to 3.9.3 (no changes needed)
  * debian/patches/01_do-not-use-embedded-python-six.patch
    - Refreshed

 -- Daniele Tricoli  Thu, 29 Mar 2012 02:09:04 +0200

python-urllib3 (1.2.2-1) unstable; urgency=low

  * Initial release (Closes: #648783)

 -- Daniele Tricoli  Fri, 10 Feb 2012 04:41:11 +0100