Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 22 Jan 2019 11:14:18 +0000
From:      bugzilla-noreply@freebsd.org
To:        elastic@FreeBSD.org
Subject:   [Bug 229322] net/py-urllib3: Update to 1.24
Message-ID:  <bug-229322-37421-27MsKldeAd@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-229322-37421@https.bugs.freebsd.org/bugzilla/>
References:  <bug-229322-37421@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D229322

Kubilay Kocak <koobs@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |security
            Summary|net/py-urllib3: update to   |net/py-urllib3: Update to
                   |1.23                        |1.24
                 CC|                            |elastic@FreeBSD.org

--- Comment #9 from Kubilay Kocak <koobs@FreeBSD.org> ---
urllib3 < 1.23 has a similar (same?) vulnerability as requests < 2.20.0, wh=
o's
update to 2.21.0 just landed in ports r490937 ...

 - https://github.com/urllib3/urllib3/issues/1316
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-20060

On a somewhat more positive note, after looking through all ports that depe=
nd
on net/py-urllib3 (their upstream source code), the only ones that pin a max
version of urllib3 are:=20

./www/py-requests: setup.py: 'urllib3>=3D1.21.1,<1.23'
./textproc/py-elasticsearch5: setup.py: 'urllib3<1.23,>=3D1.21.1',
./devel/py-botocore: setup.py: requires.append('urllib3>=3D1.20,<1.25')

Of those, py-requests has bumped that to <1.24 as of 2.21.0 (already
committed), and py-botocore version is above (1.25) what we'll be updating
urllib3 to (1.24).

That leaves textproc/py-elasticsearch5 (maintainer CC'd) ...

I have a WIP patch to add QA TEST_DEPENDS/test target to py-elasticsearch5,
which required switching the sources to GitHub. After patching out the the =
max
version pin, the tests pass [1] after updating urllib3 to 1.24.

Finally, with the last py-requests update and a WIP urllib3 1.24 update in
place, cmake also does not regress (bug 228770) as expected.

[1] ~103 tests pass. Tests that require an local/live elasticsearch server,
which I don't have running, aren't run, but don't explicitly fail.

--=20
You are receiving this mail because:
You are on the CC list for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-229322-37421-27MsKldeAd>