[Bug 229322] net/py-urllib3: Update to 1.24

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jan 22 11:14:20 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229322

Kubilay Kocak <koobs at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |security
            Summary|net/py-urllib3: update to   |net/py-urllib3: Update to
                   |1.23                        |1.24
                 CC|                            |elastic at FreeBSD.org

--- Comment #9 from Kubilay Kocak <koobs at FreeBSD.org> ---
urllib3 < 1.23 has a similar (same?) vulnerability as requests < 2.20.0, who's
update to 2.21.0 just landed in ports r490937 ...

 - https://github.com/urllib3/urllib3/issues/1316
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060

On a somewhat more positive note, after looking through all ports that depend
on net/py-urllib3 (their upstream source code), the only ones that pin a max
version of urllib3 are: 

./www/py-requests: setup.py: 'urllib3>=1.21.1,<1.23'
./textproc/py-elasticsearch5: setup.py: 'urllib3<1.23,>=1.21.1',
./devel/py-botocore: setup.py: requires.append('urllib3>=1.20,<1.25')

Of those, py-requests has bumped that to <1.24 as of 2.21.0 (already
committed), and py-botocore version is above (1.25) what we'll be updating
urllib3 to (1.24).

That leaves textproc/py-elasticsearch5 (maintainer CC'd) ...

I have a WIP patch to add QA TEST_DEPENDS/test target to py-elasticsearch5,
which required switching the sources to GitHub. After patching out the the max
version pin, the tests pass [1] after updating urllib3 to 1.24.

Finally, with the last py-requests update and a WIP urllib3 1.24 update in
place, cmake also does not regress (bug 228770) as expected.

[1] ~103 tests pass. Tests that require an local/live elasticsearch server,
which I don't have running, aren't run, but don't explicitly fail.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the freebsd-elastic mailing list