ports/net/py-urllib3/files/pkg-message.in
Kai Knoblich cd672417a0 net/py-urllib3: Update to 1.25.6
* Convert the RUN_DEPENDS into separate OPTIONS as they are listed as extra
  dependencies in setup.py.  Also set those as default that contain the
  previous RUN_DEPENDS to allow a clean transition.

* Remove the Python-specific version limitation for security/py-certifi
  because it's required for all Python versions.

* Also remove the info about the broken IPv6 support of net/py-socks (was
  broken in 1.5.7) and the relevant patch as both are obsolete.

* Update the TEST_DEPENDS and add a "do-test" target to make future QA easier.

Please note that an MFH won't be done as it didn't get an approval because
there are too many changes to make it work in the 2019Q4 branch. [1]

Notable changes since 1.22:

* Require and validate certificates by default when using HTTPS.

* Add mitigation for BPO-37428 affecting Python < 3.7.4 and OpenSSL 1.1.1+
  which caused certificate verification to be enabled when using
  "cert_reqs=CERT_NONE".

* Add TLSv1.3 support to CPython, pyOpenSSL and SecureTransport "SSLContext"
  implementations.

https://github.com/urllib3/urllib3/blob/1.25.6/CHANGES.rst

Exp-run by:	antoine
PR:		229322 [1]
Reported by:	Patrice Clement <monsieurp@gentoo.org>
Security:	87270ba5-03d3-11ea-b81f-3085a9a95629
2019-11-26 18:37:58 +00:00


[
{
message: <<EOM
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'". While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.
Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).
Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).
In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
EOM
}
]
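
An added example, not part of the port or of urllib3: a static check built on Python's ast module that sorts a consumer's urllib3 pool constructor calls by whether they set cert_reqs explicitly, which is the distinction the message above draws. The sample source, the function names and the matching by constructor name alone are assumptions of this example.

```python
import ast

# Constructed consumer code for the demonstration; not from any real project.
SAMPLE = '''\
import ssl, urllib3
a = urllib3.PoolManager()
b = urllib3.PoolManager(cert_reqs="CERT_NONE")
c = urllib3.PoolManager(cert_reqs="CERT_REQUIRED", ca_certs="/path/to/ca.pem")
d = urllib3.HTTPSConnectionPool("host.example", cert_reqs=ssl.CERT_NONE)
e = urllib3.PoolManager(**opts)
'''

# urllib3 constructors that take cert_reqs (matched by name only: an assumption).
TARGETS = {"PoolManager", "ProxyManager", "HTTPSConnectionPool"}

def classify(call):
    """Return how one constructor call sets certificate verification."""
    for kw in call.keywords:
        if kw.arg == "cert_reqs":
            value = kw.value
            if isinstance(value, ast.Constant):
                text = str(value.value)      # e.g. "CERT_NONE"
            elif isinstance(value, ast.Attribute):
                text = value.attr            # e.g. ssl.CERT_NONE
            else:
                return "unknown"             # computed value: review by hand
            if text.endswith("NONE"):
                return "disabled"
            if text.endswith("REQUIRED"):
                return "required"
            return "unknown"
    # **kwargs may carry cert_reqs at runtime, so the call cannot be judged here.
    if any(kw.arg is None for kw in call.keywords):
        return "unknown"
    return "implicit"  # relies on the library default (verified since 1.25)

def audit(source):
    """Return (line, constructor, status) for each matching constructor call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
            if name in TARGETS:
                findings.append((node.lineno, name, classify(node)))
    return sorted(findings)

if __name__ == "__main__":
    for line, name, status in audit(SAMPLE):
        print(f"line {line}: {name}: {status}")
```

Calls reported as "implicit" are the ones whose behaviour changes with the 1.25 default; "disabled" calls are where verification has been turned off and a CA bundle or pinned certificate could be supplied instead.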