This is a security fix release for the 2.2.x release branch. Note that 2.3.x is the currently supported release branch; please upgrade to the latest version if possible.
This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.
Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown"
could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.
Issues Resolved
...............
See the PyMongo 4.6.2 release notes in JIRA_ for the list of resolved issues
in this release.
To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
v2.32.1
2.32.1 (2024-05-20)
Bugfixes
Add missing test certs to the sdist distributed on PyPI.
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
Bugfixes
Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
To provide a more stable migration for custom HTTPAdapters impacted
by the CVE changes in 2.32.0, we've renamed _get_connection to
a new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of Requests>=2.32.0.
A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
2.32.1 (2024-05-20)
Bugfixes
Add missing test certs to the sdist distributed on PyPI.
verify=True now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a Python
version built with OpenSSL 3.x. (#6667)
Requests now supports optional use of character detection
(chardet or charset_normalizer) when repackaged or vendored.
This enables pip and other projects to minimize their vendoring
surface area. The Response.text() and apparent_encoding APIs
will default to utf-8 if neither library is present. (#6702)
Bugfixes
Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length. (#6589)
Fixed deserialization bug in JSONDecodeError. (#6629)
Fixed bug where an extra leading / (path separator) could lead
urllib3 to unnecessarily reparse the request URI. (#6644)
This is the Werkzeug 3.0.3 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.
Only allow localhost, .localhost, 127.0.0.1, or the specified hostname when running the dev server, to make debugger requests. Additional hosts can be added by using the debugger middleware directly. The debugger UI makes requests using the full URL rather than only the path. GHSA-2g68-c3qc-8985
Make reloader more robust when "" is in sys.path. #2823
Better TLS cert format with adhoc dev certs. #2891
Inform Python < 3.12 how to handle itms-services URIs correctly, rather than using an overly-broad workaround in Werkzeug that caused some redirect URIs to be passed on without encoding. #2828
Type annotation for Rule.endpoint and other uses of endpoint is Any. #2836
3.0.2
This is a fix release for the 3.0.x feature branch.
This is a feature release, which includes new features, removes previously deprecated code, and adds new deprecations. The 3.0.x branch is now the supported fix branch, the 2.3.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.
Only allow localhost, .localhost, 127.0.0.1, or the specified
hostname when running the dev server, to make debugger requests. Additional
hosts can be added by using the debugger middleware directly. The debugger
UI makes requests using the full URL rather than only the path.
:ghsa:2g68-c3qc-8985
Make reloader more robust when "" is in sys.path. :pr:2823
Better TLS cert format with adhoc dev certs. :pr:2891
Inform Python < 3.12 how to handle itms-services URIs correctly, rather
than using an overly-broad workaround in Werkzeug that caused some redirect
URIs to be passed on without encoding. :issue:2828
Type annotation for Rule.endpoint and other uses of endpoint is
Any. :issue:2836
Make reloader more robust when "" is in sys.path. :pr:2823
Version 3.0.2
Released 2024-04-01
Ensure setting merge_slashes to False results in NotFound for
repeated-slash requests against single slash routes. :issue:2834
Fix handling of TypeError in TypeConversionDict.get() to match
ValueError. :issue:2843
Fix response_wrapper type check in test client. :issue:2831
Make the return type of MultiPartParser.parse more precise.
:issue:2840
Raise an error if converter arguments cannot be parsed. :issue:2822
Version 3.0.1
Released 2023-10-24
Fix slow multipart parsing for large parts potentially enabling DoS attacks.
urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support for 2023. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.
Thank you for your support.
Changes
Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
Added the Proxy-Authorization header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect.
Fixed handling of OpenSSL 3.2.0 new error message for misconfiguring an HTTP proxy as HTTPS. ([#3405](https://github.com/urllib3/urllib3/issues/3405) <https://github.com/urllib3/urllib3/issues/3405>__)
This is a bug fix release for 2.6.0 where the "TuDoor" fix erroneously
suppressed legitimate Truncated exceptions. This caused the stub
resolver to timeout instead of failing over to TCP when a legitimate
truncated response was received over UDP.
This release addresses the potential DoS issue discussed in the
"TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is
vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a
legitimate one on the UDP port dnspython is using for that query. In
this situation, dnspython might switch to querying another resolver or
give up entirely, possibly denying service for that resolution. This
release addresses the issue by adopting the recommended mitigation,
which is ignoring the bad packets and continuing to listen for a
legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual,
thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian
Wellington.
This release addresses the potential DoS issue discussed in the "TuDoor" paper (CVE-2023-29483). The dnspython stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the right address and port forged by an attacker arrives before a legitimate one on the UDP port dnspython is using for that query. In this situation, dnspython might switch to querying another resolver or give up entirely, possibly denying service for that resolution. This release addresses the issue by adopting the recommended mitigation, which is ignoring the bad packets and continuing to listen for a legitimate response until the timeout for the query has expired.
Thank you to all the contributors to this release, and, as usual, thanks to my co-maintainers: Tomáš Křížek, Petr Špaček, and Brian Wellington.
The Tudoor fix ate legitimate Truncated exceptions, preventing the resolver from
failing over to TCP and causing the query to timeout #1053.
2.6.0
As mentioned in the "TuDoor" paper and the associated CVE-2023-29483, the dnspython
stub resolver is vulnerable to a potential DoS if a bad-in-some-way response from the
right address and port forged by an attacker arrives before a legitimate one on the
UDP port dnspython is using for that query.
This release addresses the issue by adopting the recommended mitigation, which is
ignoring the bad packets and continuing to listen for a legitimate response until
the timeout for the query has expired.
Added support for the NSID EDNS option.
Dnspython now looks for version metadata for optional packages and will not
use them if they are too old. This prevents possible exceptions when a
feature like DoH is not desired in dnspython, but an old httpx is installed
along with dnspython for some other purpose.
The DoHNameserver class now allows GET to be used instead of the default POST,
and also passes source and source_port correctly to the underlying query
methods.
Bumps the pip group with 13 updates in the / directory:
2.0.32.2.54.0.04.0.10.35.10.35.20.37.00.38.14.3.34.6.32.31.02.32.24.66.24.66.32.3.73.0.31.26.181.26.192.5.02.6.12024.2.22024.7.43.63.73.17.03.19.1Bumps the pip group with 4 updates in the /buildscripts/cost_model directory: pymongo, dnspython, pillow and scikit-learn.
Updates
flaskfrom 2.0.3 to 2.2.5Release notes
Sourced from flask's releases.
... (truncated)
Changelog
Sourced from flask's changelog.
... (truncated)
Commits
47af817release version 2.2.5afd63b1Merge pull request #5109 from pallets/backport-vary-cookie8646edcsetVary: Cookieheader consistently for sessiona6367daMerge pull request #5108 from pallets/werkzeug-compat3fbfbadwerkzeug 2.3.3 compatibility726d3f4start version 2.2.5ddc7accMerge pull request #5081 from pallets/release-2.2.474e0329release version 2.2.42d46068update dev env64bc458update dev dependenciesUpdates
flask-corsfrom 4.0.0 to 4.0.1Release notes
Sourced from flask-cors's releases.
Changelog
Sourced from flask-cors's changelog.
Commits
1df178cRelease 0.4.1 (#353)5090b4aUpdate CI to include Python 3.12 and flask 3.0.3 (#354)6172c20Update extension.py to clean request.path before logging it (#351)cadade9Fix Read the Docs builds (#345)Updates
eventletfrom 0.35.1 to 0.35.2Changelog
Sourced from eventlet's changelog.
Commits
edd9e7eUpdate changelog for version 0.35.2 (#920)a23fd0eFix tool.setuptools/packages list (#921)51e3c49Dnspython 2.6.1 - Address DoS via the Tudoor mechanism (CVE-2023-29483)b6f6e7cadd asyncio into the doc hub page (#918)96a3940clean obsolete python 2 code from the ssl module (#915)06ec630Add get_server_info to db_pool.py (#324)dfcc939wsgi: Handle Timeouts from applications (#911)799dabc[Fix] shrinks window before connecting (#905)Updates
wheelfrom 0.37.0 to 0.38.1Changelog
Sourced from wheel's changelog.
... (truncated)
Commits
6f1608dCreated a new releasecf8f5efMoved news item from PR #484 to its proper place9ec2016Removed install dependency on setuptools (#483)747e1f6Fixed PyPy SOABI parsing (#484)7627548[pre-commit.ci] pre-commit autoupdate (#480)7b9e8e1Test on Python 3.11 finala04dfefUpdated the pypi-publish action94bb62cFixed docs not building due to code style changesd635664Updated the codecov action to the latest versionfcb94cdUpdated version to match the releaseUpdates
pymongofrom 4.3.3 to 4.6.3Release notes
Sourced from pymongo's releases.
Changelog
Sourced from pymongo's changelog.
... (truncated)
Commits
8da192fBUMP 4.6.356b6b6dPYTHON-4305 Fix bson size check (#1564)449d0f3BUMP to 4.6.3.dev0e04576dDEVPROD-3871 Use teardown_task when there is one function/command (#1533)cf1c6a1PYTHON-4219 Prep for 4.6.2 Release (#1530)d29b2b7PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...0477b9bPYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)ecad17dBUMP 4.6.2.dev0485e0a5BUMP 4.6.1995365cPYTHON-4038 [v4.6]: Ensure retryable readOperationFailures re-raise except...Updates
requestsfrom 2.31.0 to 2.32.2Release notes
Sourced from requests's releases.
... (truncated)
Changelog
Sourced from requests's changelog.
... (truncated)
Commits
88dce9dv2.32.2c98e4d1Merge pull request #6710 from nateprewitt/api_rename92075b3Add deprecation warningaa1461bMove _get_connection to get_connection_with_tls_context970e8cev2.32.1d6ebc4av2.32.09a40d12Avoid reloading root certificates to improve concurrent performance (#6667)0c030f7Merge pull request #6702 from nateprewitt/no_char_detection555b870Allow character detection dependencies to be optional in post-packaging stepsd6dded3Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-testUpdates
tqdmfrom 4.66.2 to 4.66.3Release notes
Sourced from tqdm's releases.
Commits
4e613f8Merge pull request from GHSA-g7vv-2v7x-gj9pb53348ccli: eval safetyUpdates
werkzeugfrom 2.3.7 to 3.0.3Release notes
Sourced from werkzeug's releases.
Changelog
Sourced from werkzeug's changelog.
... (truncated)
Commits
f9995e9release version 3.0.33386395Merge pull request from GHSA-2g68-c3qc-8985890b6b6only require trusted host for evalex71b69dfrestrict debugger trusted hostsd2d3869endpoint type is Any (#2895)7080b55endpoint type is Any7555effremove iri_to_uri redirect workaround (#2894)97fb2f7remove _invalid_iri_to_uri workaround249527fmake cn field a valid single hostname, and use wildcard in SANs field. (#2892)793be47update adhoc tls dev cert formatUpdates
urllib3from 1.26.18 to 1.26.19Release notes
Sourced from urllib3's releases.
Changelog
Sourced from urllib3's changelog.
Commits
d9d85c8Release 1.26.198528b63[1.26] Fix downstream tests (#3409)40b6d16Merge pull request from GHSA-34jh-p97f-mpxf29cfd02Fix handling of OpenSSL 3.2.0 new error message "record layer failure" (#3405)b600643[1.26] Bump RECENT_DATE (#3404)7e2d389[1.26] Fix running CPython 2.7 tests in CI (#3137)Updates
dnspythonfrom 2.5.0 to 2.6.1Release notes
Sourced from dnspython's releases.
Changelog
Sourced from dnspython's changelog.
Commits
0a742b9update CI0ea5ad0The Tudoor fix should not eat valid Truncated exceptions #1053 (#1054)f12d3982.6.1 version prepcecb853Further improve CVE fix coverage to 100% for sync and async.7952e31test IgnoreErrorse093299For the Tudoor fix, we also need the UDP nameserver to ignore_unexpected.3af9f782.6.0 versioningca63d95Require cryptography >=41 instead of 42.902cbf3Create CODE_OF_CONDUCT.mded9795fgithub contributing and pull request templateUpdates
certififrom 2024.2.2 to 2024.7.4Commits
bd815382024.07.04 (#295)06a2cbfBump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#294)13bba02Bump actions/checkout from 4.1.6 to 4.1.7 (#293)e8abcd0Bump pypa/gh-action-pypi-publish from 1.8.14 to 1.9.0 (#292)124f4ad2024.06.02 (#291)c2196ce--- (#290)fefdeecBump actions/checkout from 4.1.4 to 4.1.5 (#289)3c5fb15Bump actions/download-artifact from 4.1.6 to 4.1.7 (#286)4a9569aBump actions/checkout from 4.1.2 to 4.1.4 (#287)1fc8086Bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#288)Updates
idnafrom 3.6 to 3.7Release notes
Sourced from idna's releases.
Changelog
Sourced from idna's changelog.
Commits
1d365e1Release v3.7c1b3154Merge pull request #172 from kjd/optimize-contextj0394ec7Merge branch 'master' into optimize-contextjcd58a23Merge pull request #152 from elliotwutingfeng/dev5beb28bMore efficient resolution of joiner contexts1b12148Update ossf/scorecard-action to v2.3.1d516b87Update Github actions/checkout to v4c095c75Merge branch 'master' into dev60a0a4cFix typo in GitHub Actions workflow key5918a0eMerge branch 'master' into devUpdates
zippfrom 3.17.0 to 3.19.1Changelog
Sourced from zipp's changelog.
Commits
6d1cb72Finalizefd604bdMerge pull request #120 from jaraco/bugfix/119-malformed-pathsc18417eAdd news fragment.58115d2Employ SanitizedNames in CompleteDirs. Fixes broken test.564fcc1Add SanitizedNames mixin.79a309fAdd some assertions about malformed paths.2d015c2Merge https://github.com/jaraco/skeletona595a0fRename extras to align with core metadata spec.608f90aFinalize3a22d72Merge pull request #118 from jaraco/feature/is-symlinkUpdates
pymongofrom 4.5.0 to 4.6.3Release notes
Sourced from pymongo's releases.
Changelog
Sourced from pymongo's changelog.