Marcus Hoffmann 74f45d4d98 package/python-urllib3: security bump to 2.6.1
Version 2.6.0 fixes the following security issues:

* CVE-2025-66471 / GHSA-2xpw-w6gg-jr37 [1]:
  Fixed a security issue where the streaming API could improperly handle
  highly compressed HTTP content ("decompression bombs") leading to
  excessive resource consumption even when a small amount of data was
  requested. Reading small chunks of compressed data is safer and much
  more efficient now.

* CVE-2025-66418 / GHSA-gm62-xv2j-4w53 [2]:
  Fixed a security issue where an attacker could compose an HTTP
  response with virtually unlimited links in the Content-Encoding header,
  potentially leading to a denial of service (DoS) attack by exhausting
  system resources during decoding. The number of allowed chained
  encodings is now limited to 5.

2.6.0 also contains the removal of a deprecated but apparently still
widely used API. 2.6.1 reintroduces this API. [3]

Full 2.6.0 Changelog: https://github.com/urllib3/urllib3/blob/main/CHANGES.rst#260-2025-12-05

[1] https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37
[2] https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53
[3] https://github.com/urllib3/urllib3/blob/main/CHANGES.rst#261-2025-12-08

Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e73101a0c3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-12-18 16:54:38 +01:00