74f45d4d98
Version 2.6.0 fixes the following security issues:
* CVE-2025-66471 / GHSA-2xpw-w6gg-jr37 [1]:
Fixed a security issue where streaming API could improperly handle
highly compressed HTTP content ("decompression bombs") leading to
excessive resource consumption even when a small amount of data was
requested. Reading small chunks of compressed data is safer and much
more efficient now.
* CVE-2025-66418 / GHSA-gm62-xv2j-4w53 [2]:
Fixed a security issue where an attacker could compose an HTTP
response with virtually unlimited links in the Content-Encoding header,
potentially leading to a denial of service (DoS) attack by exhausting
system resources during decoding. The number of allowed chained
encodings is now limited to 5.
2.6.0 also contains the removal of a deprecated but apparently still
widely used API. 2.6.1 reintroduces this API. [3]
Full 2.6.0 Changelog: https://github.com/urllib3/urllib3/blob/main/CHANGES.rst#260-2025-12-05
[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37
[2] https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
[3] https://github.com/urllib3/urllib3/blob/main/CHANGES.rst#261-2025-12-08
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e73101a0c3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
6 lines
331 B
Plaintext
6 lines
331 B
Plaintext
# md5, sha256 from https://pypi.org/pypi/urllib3/json
|
|
md5 52150787074f43057a0e691c7ebe00d8 urllib3-2.6.1.tar.gz
|
|
sha256 5379eb6e1aba4088bae84f8242960017ec8d8e3decf30480b3a1abdaa9671a3f urllib3-2.6.1.tar.gz
|
|
# Locally computed sha256 checksums
|
|
sha256 130e3a64d5fdd5d096a752694634a7d9df284469de86e5732100268041e3d686 LICENSE.txt
|