diff options
author | Kai Knoblich <kai@FreeBSD.org> | 2019-11-26 18:37:58 +0000 |
---|---|---|
committer | Kai Knoblich <kai@FreeBSD.org> | 2019-11-26 18:37:58 +0000 |
commit | cd672417a043a2500385dd4ba8557aba03c8eb0b (patch) | |
tree | 205174eafc30fa895eae6bfc8fc23f42d99911c4 | |
parent | Update to 2.13.0 (diff) |
net/py-urllib3: Update to 1.25.6
* Convert the RUN_DEPENDS into separate OPTIONS as they are listed as extra
dependencies in setup.py. Also set those as default that contain the
previous RUN_DEPENDS to allow a clean transition.
* Remove the Python-specific version limitation for security/py-certifi
because it's required for all Python versions.
* Also remove the info about the broken IPv6 support of net/py-socks (was
broken in 1.5.7) and the relevant patch as both are obsolete.
* Update the TEST_DEPENDS and add a "do-test" target to make future QA easier.
Please note that a MFH won't be done as it didn't get an approval because
there are too much changes to make it work in the 2019Q4 branch. [1]
Notable changes since 1.22:
* Require and validate certificates by default when using HTTPS.
* Add mitigation for BPO-37428 affecting Python < 3.7.4 and OpenSSL 1.1.1+
which caused certificate verification to be enabled when using
"cert_reqs=CERT_NONE".
* Add TLSv1.3 support to CPython, pyOpenSSL and SecureTransport "SSLContext"
implementations.
https://github.com/urllib3/urllib3/blob/1.25.6/CHANGES.rst
Exp-run by: antoine
PR: 229322 [1]
Reported by: Patrice Clement <monsieurp@gentoo.org>
Security: 87270ba5-03d3-11ea-b81f-3085a9a95629
Notes
Notes:
svn path=/head/; revision=518476
-rw-r--r-- | UPDATING | 22 | ||||
-rw-r--r-- | net/py-urllib3/Makefile | 33 | ||||
-rw-r--r-- | net/py-urllib3/distinfo | 6 | ||||
-rw-r--r-- | net/py-urllib3/files/patch-setup.py | 11 | ||||
-rw-r--r-- | net/py-urllib3/files/pkg-message.in | 18 |
5 files changed, 60 insertions, 30 deletions
@@ -5,6 +5,28 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20191126: + AFFECTS: consumers of net/py-urllib3 + AUTHOR: kai@FreeBSD.org + + Since version 1.25 HTTPS connections are now verified by default which is + done via "cert_reqs = 'CERT_REQUIRED'". While certificate verification + can be disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to + leave it on. + + Various consumers of net/py-urllib3 already have implemented routines that + either explicitly enable or disable HTTPS certificate verification (e.g. + via configuration settings, CLI arguments, etc.). + + Yet it may happen that there are still some consumers which don't + explicitly enable/disable certificate verification for HTTPS connections + which could then lead to errors (as is often the case with self-signed + certificates). + + In case of an error one should try first to temporarily disable + certificate verification of the problematic urllib3 consumer to see if + this approach will remedy the issue. + 20191125: AFFECTS: users of emulators/qemu AUTHOR: bofh@FreeBSD.org diff --git a/net/py-urllib3/Makefile b/net/py-urllib3/Makefile index efc9a7282dbb..89f0ddbcebd3 100644 --- a/net/py-urllib3/Makefile +++ b/net/py-urllib3/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= urllib3 -PORTVERSION= 1.22 +PORTVERSION= 1.25.6 PORTEPOCH= 1 CATEGORIES= net python MASTER_SITES= CHEESESHOP @@ -14,25 +14,30 @@ COMMENT= HTTP library with thread-safe connection pooling, file post, and more LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE.txt -RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography>=1.3.4:security/py-cryptography@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}idna>=2.0:dns/py-idna@${PY_FLAVOR} \ - ${PY_IPADDRESS} \ - ${PYTHON_PKGNAMEPREFIX}openssl>=16.0:security/py-openssl@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}pysocks>=1.5.7:net/py-pysocks@${PY_FLAVOR} TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}mock>=0:devel/py-mock@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}nose>=0:devel/py-nose@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}pytest>=0:devel/py-pytest@${PY_FLAVOR} -#TEST_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}tornado>=0:www/py-tornado@${PY_FLAVOR} + ${PYTHON_PKGNAMEPREFIX}pytest>=0:devel/py-pytest@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}tornado>=0:www/py-tornado@${PY_FLAVOR} USES= python USE_PYTHON= autoplist concurrent distutils + NO_ARCH= yes SUB_FILES= pkg-message -.include <bsd.port.pre.mk> +OPTIONS_DEFINE= BROTLI SOCKS SSL +OPTIONS_DEFAULT=SOCKS SSL + +BROTLI_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}brotlipy>=0.6.0:archivers/py-brotlipy@${PY_FLAVOR} +SOCKS_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pysocks>=1.5.6:net/py-pysocks@${PY_FLAVOR} +SSL_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}idna>=2.0:dns/py-idna@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}certifi>=0:security/py-certifi@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}cryptography>=1.3.4:security/py-cryptography@${PY_FLAVOR} \ + ${PYTHON_PKGNAMEPREFIX}openssl>=0.14:security/py-openssl@${PY_FLAVOR} \ + ${PY_IPADDRESS} -.if ${PYTHON_REL} < 3400 -RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}certifi>=0:security/py-certifi@${PY_FLAVOR} -.endif +# Test 'test_ssl_read_timeout' fails with FreeBSD >= 12.0. That was already the +# case with earlier versions of net/py-urllib3. +do-test: + @cd ${WRKSRC} && ${SETENV} LC_ALL=en_US.UTF-8 ${PYTHON_CMD} -m pytest -v -rs -k 'not test_ssl_read_timeout' -.include <bsd.port.post.mk> +.include <bsd.port.mk> diff --git a/net/py-urllib3/distinfo b/net/py-urllib3/distinfo index 7846d2109f69..ac8c85648d74 100644 --- a/net/py-urllib3/distinfo +++ b/net/py-urllib3/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1500642203 -SHA256 (urllib3-1.22.tar.gz) = cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f -SIZE (urllib3-1.22.tar.gz) = 226083 +TIMESTAMP = 1574013088 +SHA256 (urllib3-1.25.6.tar.gz) = 9a107b99a5393caf59c7aa3c1249c16e6879447533d0887f4336dde834c7be86 +SIZE (urllib3-1.25.6.tar.gz) = 248292 diff --git a/net/py-urllib3/files/patch-setup.py b/net/py-urllib3/files/patch-setup.py deleted file mode 100644 index eff6df0398d2..000000000000 --- a/net/py-urllib3/files/patch-setup.py +++ /dev/null @@ -1,11 +0,0 @@ ---- setup.py.orig 2016-09-06 14:39:59 UTC -+++ setup.py -@@ -61,7 +61,7 @@ setup(name='urllib3', - 'certifi', - ], - 'socks': [ -- 'PySocks>=1.5.6,<2.0,!=1.5.7', -+ 'PySocks>=1.5.6', - ] - }, - ) diff --git a/net/py-urllib3/files/pkg-message.in b/net/py-urllib3/files/pkg-message.in index 4a619c6a094d..4aa5b9e1f1d9 100644 --- a/net/py-urllib3/files/pkg-message.in +++ b/net/py-urllib3/files/pkg-message.in @@ -1,7 +1,21 @@ [ -{ type: install +{ message: <<EOM -Be careful, support of IPv6 is broken with PySocks 1.5.7. +Since version 1.25 HTTPS connections are now verified by default which is done +via "cert_reqs = 'CERT_REQUIRED'". While certificate verification can be +disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on. + +Various consumers of net/py-urllib3 already have implemented routines that +either explicitly enable or disable HTTPS certificate verification (e.g. via +configuration settings, CLI arguments, etc.). + +Yet it may happen that there are still some consumers which don't explicitly +enable/disable certificate verification for HTTPS connections which could then +lead to errors (as is often the case with self-signed certificates). + +In case of an error one should try first to temporarily disable certificate +verification of the problematic urllib3 consumer to see if that approach will +remedy the issue. EOM } ] |