#51 Fedora 31: Upgrade urllib3 to 1.25.3, requests to 2.22.0
Merged 4 years ago by churchyard. Opened 4 years ago by churchyard.
rpms/ churchyard/python-pip f31-urllib3-1.25.3  into  f31

file modified
+25 -3
@@ -23,7 +23,7 @@ 

  # When updating, update the bundled libraries versions bellow!

  # You can use vendor_meta.sh in the dist git repo

  Version:        19.1.1

- Release:        6%{?dist}

+ Release:        7%{?dist}

  Summary:        A tool for installing and managing Python packages

  

  # We bundle a lot of libraries with pip, which itself is under MIT license.
@@ -50,6 +50,7 @@ 

  # idna: BSD

  # urllib3: MIT

  # certifi: MPLv2.0

+ # rfc3986: ASL 2.0

  # setuptools: MIT

  # webencodings: BSD

  
@@ -109,6 +110,19 @@ 

  # https://github.com/pypa/pip/pull/6728

  Patch6:         python39.patch

  

+ # Upgrade urllib3 to 1.25.3

+ # This bundles rfc3986

+ # https://github.com/pypa/pip/commit/0d620c4a03a8b3765ec45785299244e1a494d750

+ # CVE-2019-11324: Certification mishandle when error should be thrown

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1774595

+ # CVE-2019-11236: CRLF injection due to not encoding the '\r\n' sequence

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1775363

+ Patch7:         urllib3-1.25.3.patch

+ 

+ # Upgrade requests to 2.22.0 (needed for urllib3 1.25.3)

+ # https://github.com/pypa/pip/commit/8e8d28dd8ecc9226ea4e0f75d54151df90f4d78e

+ Patch8:         requests-2.22.0.patch

+ 

  # Downstream only patch

  # Users might have local installations of pip from using

  # `pip install --user --upgrade pip` on older/newer versions.
@@ -156,11 +170,12 @@ 

  Provides: bundled(python%{1}dist(progress)) = 1.5

  Provides: bundled(python%{1}dist(pyparsing)) = 2.4.0

  Provides: bundled(python%{1}dist(pytoml)) = 0.1.20

- Provides: bundled(python%{1}dist(requests)) = 2.21.0

+ Provides: bundled(python%{1}dist(requests)) = 2.22.0

  Provides: bundled(python%{1}dist(retrying)) = 1.3.3

  Provides: bundled(python%{1}dist(setuptools)) = 41.0.1

  Provides: bundled(python%{1}dist(six)) = 1.12.0

- Provides: bundled(python%{1}dist(urllib3)) = 1.24.1

+ Provides: bundled(python%{1}dist(urllib3)) = 1.25.3

+ Provides: bundled(python%{1}dist(rfc3986)) = 1.3.2

  Provides: bundled(python%{1}dist(webencodings)) = 0.5.1

  }

  
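Review bot: The new `Provides: bundled(python%{1}dist(rfc3986)) = 1.3.2` line is appended after urllib3, which breaks the alphabetical order the rest of this Provides list keeps (progress, pyparsing, pytoml, requests, retrying, setuptools, six, urllib3, webencodings); placing it between the `retrying` and `setuptools` lines keeps the list easy to compare against the vendor_meta.sh output the spec header points to. Since rfc3986 only enters the bundle through the urllib3 1.25.3 upgrade (the Patch7 comment says "This bundles rfc3986"), a short comment next to the line such as `# rfc3986 is vendored by urllib3 1.25.x, added with Patch7` would tell the next maintainer why it appears here and which patch it has to stay in sync with. The macro body this hunk edits (closed by the `}` at its end) starts outside the hunk.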
@@ -307,6 +322,8 @@ 

  %patch4 -p1

  %patch5 -p1

  %patch6 -p1

+ %patch7 -p1

+ %patch8 -p1

  

  # this goes together with patch4

  rm src/pip/_vendor/certifi/*.pem
@@ -529,6 +546,11 @@ 

  %endif

  

  %changelog

+ * Thu Jan 02 2020 Miro Hrončok <mhroncok@redhat.com> - 19.1.1-7

+ - Upgrade urllib3 to 1.25.3, requests to 2.22.0

+ - Fix urllib3 CVE-2019-11324 (#1774595)

+ - Fix urllib3 CVE-2019-11236 (#1775363)

+ 

  * Mon Nov 25 2019 Miro Hrončok <mhroncok@redhat.com> - 19.1.1-6

  - Make python-pip-wheel work with Python 3.9

  

@@ -0,0 +1,91 @@ 

+ From 8e8d28dd8ecc9226ea4e0f75d54151df90f4d78e Mon Sep 17 00:00:00 2001

+ From: Pradyun Gedam <pradyunsg@gmail.com>

+ Date: Sat, 20 Jul 2019 09:31:48 +0530

+ Subject: [PATCH] Upgrade requests to 2.22.0

+ 

+ ---

+  news/requests.vendor                    | 1 +

+  src/pip/_vendor/requests/__init__.py    | 4 ++--

+  src/pip/_vendor/requests/__version__.py | 6 +++---

+  src/pip/_vendor/requests/api.py         | 4 ++--

+  src/pip/_vendor/vendor.txt              | 1 +

+  5 files changed, 9 insertions(+), 7 deletions(-)

+  create mode 100644 news/requests.vendor

+ 

+ diff --git a/news/requests.vendor b/news/requests.vendor

+ new file mode 100644

+ index 0000000000..aac729b0e1

+ --- /dev/null

+ +++ b/news/requests.vendor

+ @@ -0,0 +1 @@

+ +Upgrade requests to 2.22.0

+ diff --git a/src/pip/_vendor/requests/__init__.py b/src/pip/_vendor/requests/__init__.py

+ index 80c4ce1d21..1d30e3e063 100644

+ --- a/src/pip/_vendor/requests/__init__.py

+ +++ b/src/pip/_vendor/requests/__init__.py

+ @@ -57,10 +57,10 @@ def check_compatibility(urllib3_version, chardet_version):

+      # Check urllib3 for compatibility.

+      major, minor, patch = urllib3_version  # noqa: F811

+      major, minor, patch = int(major), int(minor), int(patch)

+ -    # urllib3 >= 1.21.1, <= 1.24

+ +    # urllib3 >= 1.21.1, <= 1.25

+      assert major == 1

+      assert minor >= 21

+ -    assert minor <= 24

+ +    assert minor <= 25

+  

+      # Check chardet for compatibility.

+      major, minor, patch = chardet_version.split('.')[:3]

+ diff --git a/src/pip/_vendor/requests/__version__.py b/src/pip/_vendor/requests/__version__.py

+ index f5b5d03671..9844f740ab 100644

+ --- a/src/pip/_vendor/requests/__version__.py

+ +++ b/src/pip/_vendor/requests/__version__.py

+ @@ -5,10 +5,10 @@

+  __title__ = 'requests'

+  __description__ = 'Python HTTP for Humans.'

+  __url__ = 'http://python-requests.org'

+ -__version__ = '2.21.0'

+ -__build__ = 0x022100

+ +__version__ = '2.22.0'

+ +__build__ = 0x022200

+  __author__ = 'Kenneth Reitz'

+  __author_email__ = 'me@kennethreitz.org'

+  __license__ = 'Apache 2.0'

+ -__copyright__ = 'Copyright 2018 Kenneth Reitz'

+ +__copyright__ = 'Copyright 2019 Kenneth Reitz'

+  __cake__ = u'\u2728 \U0001f370 \u2728'

+ diff --git a/src/pip/_vendor/requests/api.py b/src/pip/_vendor/requests/api.py

+ index abada96d46..ef71d0759e 100644

+ --- a/src/pip/_vendor/requests/api.py

+ +++ b/src/pip/_vendor/requests/api.py

+ @@ -19,7 +19,7 @@ def request(method, url, **kwargs):

+      :param method: method for the new :class:`Request` object.

+      :param url: URL for the new :class:`Request` object.

+      :param params: (optional) Dictionary, list of tuples or bytes to send

+ -        in the body of the :class:`Request`.

+ +        in the query string for the :class:`Request`.

+      :param data: (optional) Dictionary, list of tuples, bytes, or file-like

+          object to send in the body of the :class:`Request`.

+      :param json: (optional) A JSON serializable Python object to send in the body of the :class:`Request`.

+ @@ -65,7 +65,7 @@ def get(url, params=None, **kwargs):

+  

+      :param url: URL for the new :class:`Request` object.

+      :param params: (optional) Dictionary, list of tuples or bytes to send

+ -        in the body of the :class:`Request`.

+ +        in the query string for the :class:`Request`.

+      :param \*\*kwargs: Optional arguments that ``request`` takes.

+      :return: :class:`Response <Response>` object

+      :rtype: requests.Response

+ diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt

+ index bcf579515e..e5542fbc5e 100644

+ --- a/src/pip/_vendor/vendor.txt

+ +++ b/src/pip/_vendor/vendor.txt

+ @@ -12,7 +12,7 @@ pep517==0.5.0

+  progress==1.5

+  pyparsing==2.4.0

+  pytoml==0.1.20

+ -requests==2.21.0

+ +requests==2.22.0

+      certifi==2019.3.9

+      chardet==3.0.4

+      idna==2.8

file added
+4621
The added file is too large to be shown here, see it at: urllib3-1.25.3.patch
  • Fix urllib3 CVE-2019-11324 (#1774595)
  • Fix urllib3 CVE-2019-11236 (#1775363)

rebased onto f3ccc88f24ae262e076d6969d38065ee8c3c666b

4 years ago

rebased onto cfdddae

4 years ago

The %check passes locally with python2-virtualenv.

The CI job had succeeded before the latest rebase. The rebase was "comment only" - but to be doubly sure, the CI job is running again.

I have reported the missing CI job links.

Pull-Request has been merged by churchyard

4 years ago