[Bug 229322] net/py-urllib3: Update to 1.24
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Tue Jan 22 11:14:20 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229322
Kubilay Kocak <koobs at FreeBSD.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |security
Summary|net/py-urllib3: update to |net/py-urllib3: Update to
|1.23 |1.24
CC| |elastic at FreeBSD.org
--- Comment #9 from Kubilay Kocak <koobs at FreeBSD.org> ---
urllib3 < 1.23 has a similar (same?) vulnerability as requests < 2.20.0, who's
update to 2.21.0 just landed in ports r490937 ...
- https://github.com/urllib3/urllib3/issues/1316
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
On a somewhat more positive note, after looking through all ports that depend
on net/py-urllib3 (their upstream source code), the only ones that pin a max
version of urllib3 are:
./www/py-requests: setup.py: 'urllib3>=1.21.1,<1.23'
./textproc/py-elasticsearch5: setup.py: 'urllib3<1.23,>=1.21.1',
./devel/py-botocore: setup.py: requires.append('urllib3>=1.20,<1.25')
Of those, py-requests has bumped that to <1.24 as of 2.21.0 (already
committed), and py-botocore version is above (1.25) what we'll be updating
urllib3 to (1.24).
That leaves textproc/py-elasticsearch5 (maintainer CC'd) ...
I have a WIP patch to add QA TEST_DEPENDS/test target to py-elasticsearch5,
which required switching the sources to GitHub. After patching out the the max
version pin, the tests pass [1] after updating urllib3 to 1.24.
Finally, with the last py-requests update and a WIP urllib3 1.24 update in
place, cmake also does not regress (bug 228770) as expected.
[1] ~103 tests pass. Tests that require an local/live elasticsearch server,
which I don't have running, aren't run, but don't explicitly fail.
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-elastic
mailing list