Your message dated Sat, 21 Oct 2023 15:37:01 +0000
with message-id <[email protected]>
and subject line Bug#1054212: fixed in python-urllib3 1.26.18-1
has caused the Debian Bug report #1054212,
regarding python-urllib3: Drop 02_require-cert-verification.patch (no longer needed)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1054212: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-urllib3
Version: 1.26.17-1
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]

Hi,

In the process of packaging a library, I ran into a test failure caused
by urllib3's 02_require-cert-verification.patch

It looks like this patch is no longer required, but given the security
implications, I'm not just going to commit to git, but rather ask for
input.

Several relevant changes were made in urllib3 since the authoring of
this patch:
1. urllib3.contrib.pyopenssl now uses the operating system's default CA
   certificates on inject.
   https://github.com/urllib3/urllib3/pull/332
2. When ca_certs is given, cert_reqs defaults to 'CERT_REQUIRED'.
   https://github.com/urllib3/urllib3/pull/650

With unpatched upstream urllib3 1.26.18 (not even 2.x):

>>> import urllib3
>>> http = urllib3.PoolManager()
>>> http.request("GET", "https://expired.badssl.com/")
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1006)
>>> http.request("GET", "https://wrong.host.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='wrong.host.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname 'wrong.host.badssl.com' doesn't match either of '*.badssl.com', 'badssl.com'")))
>>> http.request("GET", "https://untrusted-root.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='untrusted-root.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))
>>> http.request("GET", "https://self-signed.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='self-signed.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')))
>>> http.request("GET", "https://revoked.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='revoked.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1006)')))

How do you feel about dropping it?

Stefano

--- End Message ---
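The report above checks urllib3's default verification by hand in a REPL. The following is an added example, written for this page and not code from the bug report, from Debian or from the urllib3 project, that turns that check into a reusable probe: it confirms that both the stdlib default context and urllib3's unspecified cert_reqs resolve to CERT_REQUIRED, requests each badssl.com host with a default PoolManager, and classifies the verification failure from the error text. The host list and the error strings it matches are the ones pasted in the report; the label names, the function names and the pattern table are assumptions of this example. The classifier runs offline; the live probe needs network access to badssl.com and an installed urllib3 (1.26.18 or later, or 2.x).

```python
import re
import ssl

# Hosts from the report plus one control that should verify. The expected
# labels are what the report shows for unpatched urllib3 1.26.18.
EXPECTED = {
    "badssl.com": "ok",
    "expired.badssl.com": "expired",
    "wrong.host.badssl.com": "hostname-mismatch",
    "untrusted-root.badssl.com": "untrusted-root",
    "self-signed.badssl.com": "self-signed",
}

# Substrings of the OpenSSL / urllib3 error text, checked in order: the
# "in certificate chain" variant must win over the bare "self-signed" one.
# Labels and patterns are this example's own convention (assumption).
_PATTERNS = [
    ("untrusted-root", re.compile(r"self[ -]signed certificate in certificate chain"
                                  r"|unable to get local issuer certificate", re.I)),
    ("self-signed", re.compile(r"self[ -]signed certificate", re.I)),
    ("expired", re.compile(r"certificate has expired", re.I)),
    ("hostname-mismatch", re.compile(r"doesn't match|hostname mismatch", re.I)),
]


def classify_failure(message: str) -> str:
    """Map a verification error message to a short label ('unknown' if none)."""
    for label, pattern in _PATTERNS:
        if pattern.search(message):
            return label
    return "unknown"


def stdlib_defaults_verify() -> bool:
    """True if the stdlib default context verifies the chain and the hostname.

    This is the context urllib3 builds on; it has held since Python 3.4."""
    ctx = ssl.create_default_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def urllib3_defaults_verify() -> bool:
    """True if urllib3 resolves an unspecified cert_reqs to CERT_REQUIRED,
    i.e. PoolManager() verifies without any downstream patch."""
    from urllib3.util.ssl_ import resolve_cert_reqs  # present in 1.26 and 2.x
    return resolve_cert_reqs(None) == ssl.CERT_REQUIRED


def probe(host: str, verify: bool = True, timeout: float = 10.0) -> str:
    """GET https://<host>/ and return 'ok' or a failure label.

    verify=False sets cert_reqs="CERT_NONE", the unsafe per-pool setting that
    turns verification off; it is here only to make the contrast visible.
    """
    import urllib3  # imported lazily so classify_failure() works without it

    http = urllib3.PoolManager(
        cert_reqs="CERT_REQUIRED" if verify else "CERT_NONE",
        timeout=timeout,
        retries=False,  # re-raise the underlying SSLError instead of MaxRetryError
    )
    try:
        http.request("GET", f"https://{host}/")
    except (urllib3.exceptions.MaxRetryError, urllib3.exceptions.SSLError) as exc:
        reason = getattr(exc, "reason", exc)  # MaxRetryError keeps the cause in .reason
        return classify_failure(str(reason))
    except urllib3.exceptions.HTTPError as exc:
        return f"other-error: {exc.__class__.__name__}"
    return "ok"


if __name__ == "__main__":
    print("stdlib default context verifies:", stdlib_defaults_verify())
    print("urllib3 default cert_reqs is CERT_REQUIRED:", urllib3_defaults_verify())
    for host, expected in EXPECTED.items():
        got = probe(host)
        flag = "" if got == expected else "  <-- unexpected"
        print(f"{host:28s} got: {got:18s} expected: {expected}{flag}")
    # With verification off the same host answers, which is exactly the
    # behaviour a caller must never get from the defaults.
    print("self-signed.badssl.com with CERT_NONE:",
          probe("self-signed.badssl.com", verify=False))
```

Running the script against a urllib3 with the Debian patch dropped should print every expected label unchanged; any "unexpected" line means either the environment's trust store or the badssl.com certificate set has changed, and the raw reason string (add a print in probe()) tells which. Note that revoked.badssl.com is deliberately left out of EXPECTED: the report shows it failing as "expired" rather than as revoked, so it says nothing about revocation checking, which urllib3 does not perform by default.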
--- Begin Message ---
Source: python-urllib3
Source-Version: 1.26.18-1
Done: Stefano Rivera <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-urllib3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated python-urllib3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 21 Oct 2023 17:05:33 +0200
Source: python-urllib3
Architecture: source
Version: 1.26.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1054212 1054226
Changes:
 python-urllib3 (1.26.18-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fix CVE-2023-45803 (Closes: #1054226)
   * Drop patch 02_require-cert-verification.patch, no longer needed.
     (Closes: #1054212)
   * Refresh patches.
Checksums-Sha1:
 cc39c351dbaf32c4cb56a11ae5e57f20c59ff495 1735 python-urllib3_1.26.18-1.dsc
 84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 305687 python-urllib3_1.26.18.orig.tar.gz
 26a0d1a7f0bc9c54aa936fa1a7b43bc4cf3c4940 12516 python-urllib3_1.26.18-1.debian.tar.xz
 0e97fd0538596e84a50c906f7818ad0c9fad267e 6611 python-urllib3_1.26.18-1_source.buildinfo
Checksums-Sha256:
 5ad0a9868daf0452ca2dd0dbb045bace157a33eb3620f21d453a7e437d951a40 1735 python-urllib3_1.26.18-1.dsc
 f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0 305687 python-urllib3_1.26.18.orig.tar.gz
 0810726b20e65b5c6f836f2f669892f63dd6b00f1a17042581b9a5e3991572f9 12516 python-urllib3_1.26.18-1.debian.tar.xz
 ba4ffcb7f32bf78df7e7fdfa17df1461790e30704c3ab6155001563c9ab48be0 6611 python-urllib3_1.26.18-1_source.buildinfo
Files:
 4c71f67774926d23b988ce61c47c8458 1735 python optional python-urllib3_1.26.18-1.dsc
 f986d8e9616d2a43389f678d5dad9893 305687 python optional python-urllib3_1.26.18.orig.tar.gz
 5de6b8aad0d3cd3bbffb468c9847c35d 12516 python optional python-urllib3_1.26.18-1.debian.tar.xz
 e1261cc3e7c7cbc1f7c7276f42da933e 6611 python optional python-urllib3_1.26.18-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCZTPpVxQcc3RlZmFub3JA
ZGViaWFuLm9yZwAKCRBHew2wJjpU2PHLAQDsIAw9mSjVCgxMX11AV7EgoCJG5Mz5
cwEWQMl5hySc2AD+PhfG6G34mZK2zPKSiCC1PSxHl3fTQr+QLDhpsO3MBQM=
=HKyL
-----END PGP SIGNATURE-----

--- End Message ---
