Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-urllib3_1 for
openSUSE:Factory checked in at 2026-01-26 10:42:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urllib3_1 (Old)
and /work/SRC/openSUSE:Factory/.python-urllib3_1.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3_1"
Mon Jan 26 10:42:59 2026 rev:13 rq:1328693 version:1.26.20
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-urllib3_1/python-urllib3_1.changes
2025-08-08 15:10:45.245352759 +0200
+++
/work/SRC/openSUSE:Factory/.python-urllib3_1.new.1928/python-urllib3_1.changes
2026-01-26 10:44:47.625927800 +0100
@@ -1,0 +2,8 @@
+Wed Jan 21 16:44:35 UTC 2026 - Nico Krapp <[email protected]>
+
+- Add security patches:
+ * CVE-2025-66471.patch (bsc#1254867)
+ * CVE-2025-66418.patch (bsc#1254866)
+ * CVE-2026-21441.patch (bsc#1256331)
+
+-------------------------------------------------------------------
New:
----
CVE-2025-66418.patch
CVE-2025-66471.patch
CVE-2026-21441.patch
----------(New B)----------
New: * CVE-2025-66471.patch (bsc#1254867)
* CVE-2025-66418.patch (bsc#1254866)
* CVE-2026-21441.patch (bsc#1256331)
New:- Add security patches:
* CVE-2025-66471.patch (bsc#1254867)
* CVE-2025-66418.patch (bsc#1254866)
New: * CVE-2025-66418.patch (bsc#1254866)
* CVE-2026-21441.patch (bsc#1256331)
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-urllib3_1.spec ++++++
--- /var/tmp/diff_new_pack.Eos1fp/_old 2026-01-26 10:44:48.289955672 +0100
+++ /var/tmp/diff_new_pack.Eos1fp/_new 2026-01-26 10:44:48.289955672 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-urllib3_1
#
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -39,6 +39,13 @@
Patch1: CVE-2025-50181-poolmanager-redirects.patch
# PATCH-FIX-OPENSUSE Explicitly ignore new DeprecationWarning from PyOpenSSL
25.1+
Patch2: filter-pyopenssl-deprecationwarning.patch
+# PATCH-FIX-UPSTREAM CVE-2025-66471.patch bsc#1254867
gh#urllib3/urllib3@c19571d
+# and parts from gh#urllib3/urllib3@c35033f as prerequisite
+Patch3: CVE-2025-66471.patch
+# PATCH-FIX-UPSTREAM CVE-2025-66418.patch bsc#1254866
gh#urllib3/urllib3@24d7b67
+Patch4: CVE-2025-66418.patch
+# PATCH-FIX-UPSTREAM CVE-2026-21441.patch bsc#1256331
gh#urllib3/urllib3@8864ac4
+Patch5: CVE-2026-21441.patch
BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module setuptools}
@@ -53,11 +60,11 @@
Requires: python-idna >= 2.0.0
Requires: python-pyOpenSSL >= 0.14
Requires: python-six >= 1.12.0
-Recommends: python-Brotli >= 1.0.9
+Recommends: python-Brotli >= 1.2.0
Recommends: python-PySocks >= 1.5.6
BuildArch: noarch
%if %{with test}
-BuildRequires: %{python_module Brotli >= 1.0.9}
+BuildRequires: %{python_module Brotli >= 1.2.0}
BuildRequires: %{python_module PySocks >= 1.5.6}
BuildRequires: %{python_module dateutil}
BuildRequires: %{python_module flaky}
++++++ CVE-2025-66418.patch ++++++
>From 24d7b67eac89f94e11003424bcf0d8f7b72222a8 Mon Sep 17 00:00:00 2001
From: Illia Volochii <[email protected]>
Date: Fri, 5 Dec 2025 16:41:33 +0200
Subject: [PATCH] Merge commit from fork
* Add a hard-coded limit for the decompression chain
* Reuse new list
---
changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++
src/urllib3/response.py | 12 +++++++++++-
test/test_response.py | 10 ++++++++++
3 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
Index: urllib3-1.26.20/changelog/GHSA-gm62-xv2j-4w53.security.rst
===================================================================
--- /dev/null
+++ urllib3-1.26.20/changelog/GHSA-gm62-xv2j-4w53.security.rst
@@ -0,0 +1,4 @@
+Fixed a security issue where an attacker could compose an HTTP response with
+virtually unlimited links in the ``Content-Encoding`` header, potentially
+leading to a denial of service (DoS) attack by exhausting system resources
+during decoding. The number of allowed chained encodings is now limited to 5.
Index: urllib3-1.26.20/src/urllib3/response.py
===================================================================
--- urllib3-1.26.20.orig/src/urllib3/response.py
+++ urllib3-1.26.20/src/urllib3/response.py
@@ -225,8 +225,18 @@ class MultiDecoder(object):
they were applied.
"""
- def __init__(self, modes):
- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
+ # Maximum allowed number of chained HTTP encodings in the
+ # Content-Encoding header.
+ max_decode_links = 5
+
+ def __init__(self, modes: str) -> None:
+ encodings = [m.strip() for m in modes.split(",")]
+ if len(encodings) > self.max_decode_links:
+ raise DecodeError(
+ "Too many content encodings in the chain: "
+ f"{len(encodings)} > {self.max_decode_links}"
+ )
+ self._decoders = [_get_decoder(e) for e in encodings]
def flush(self):
return self._decoders[0].flush()
Index: urllib3-1.26.20/test/test_response.py
===================================================================
--- urllib3-1.26.20.orig/test/test_response.py
+++ urllib3-1.26.20/test/test_response.py
@@ -477,6 +477,16 @@ class TestResponse(object):
assert r.data == b"foo"
+ def test_read_multi_decoding_too_many_links(self):
+ fp = BytesIO(b"foo")
+ with pytest.raises(
+ DecodeError, match="Too many content encodings in the chain: 6 > 5"
+ ):
+ HTTPResponse(
+ fp,
+ headers={"content-encoding": "gzip, deflate, br, zstd, gzip,
deflate"},
+ )
+
def test_body_blob(self):
resp = HTTPResponse(b"foo")
assert resp.data == b"foo"
++++++ CVE-2025-66471.patch ++++++
++++ 993 lines (skipped)
++++++ CVE-2026-21441.patch ++++++
>From 8864ac407bba8607950025e0979c4c69bc7abc7b Mon Sep 17 00:00:00 2001
From: Illia Volochii <[email protected]>
Date: Wed, 7 Jan 2026 18:07:30 +0200
Subject: [PATCH] Merge commit from fork
* Stop decoding response content during redirects needlessly
* Rename the new query parameter
* Add a changelog entry
---
CHANGES.rst | 13 +++++++++++++
dummyserver/app.py | 8 +++++++-
src/urllib3/response.py | 6 +++++-
test/with_dummyserver/test_connectionpool.py | 19 +++++++++++++++++++
4 files changed, 44 insertions(+), 2 deletions(-)
Index: urllib3-1.26.20/src/urllib3/response.py
===================================================================
--- urllib3-1.26.20.orig/src/urllib3/response.py
+++ urllib3-1.26.20/src/urllib3/response.py
@@ -476,7 +476,11 @@ class HTTPResponse(io.IOBase):
Unread data in the HTTPResponse connection blocks the connection from
being released back to the pool.
"""
try:
- self.read()
+ self.read(
+ # Do not spend resources decoding the content unless
+ # decoding has already been initialized.
+ decode_content=self._has_decoded_content,
+ )
except (HTTPError, SocketError, BaseSSLError, HTTPException):
pass
Index: urllib3-1.26.20/test/with_dummyserver/test_connectionpool.py
===================================================================
--- urllib3-1.26.20.orig/test/with_dummyserver/test_connectionpool.py
+++ urllib3-1.26.20/test/with_dummyserver/test_connectionpool.py
@@ -467,6 +467,25 @@ class TestConnectionPool(HTTPDummyServer
assert r.status == 200
assert r.data == b"Dummy server!"
+ @mock.patch("urllib3.response.GzipDecoder.decompress")
+ def test_no_decoding_with_redirect_when_preload_disabled(
+ self, gzip_decompress
+ ):
+ """
+ Test that urllib3 does not attempt to decode a gzipped redirect
+ response when `preload_content` is set to `False`.
+ """
+ with HTTPConnectionPool(self.host, self.port) as pool:
+ # Three requests are expected: two redirects and one final / 200
OK.
+ response = pool.request(
+ "GET",
+ "/redirect",
+ fields={"target": "/redirect?compressed=true", "compressed":
"true"},
+ preload_content=False,
+ )
+ assert response.status == 200
+ gzip_decompress.assert_not_called()
+
def test_303_redirect_makes_request_lose_body(self):
with HTTPConnectionPool(self.host, self.port) as pool:
response = pool.request(
