This PR contains the following updates:

| Package | Change |
|---|---|
| urllib3 | `==1.26.2` -> `==1.26.5` |
### GitHub Vulnerability Alerts

#### CVE-2021-33503

##### Impact

When provided with a URL containing many `@` characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

##### Patches

The issue has been fixed in urllib3 v1.26.5.
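The advisory describes a regex that backtracks while splitting the authority. As an added example (not urllib3's own code), here is a regex-free, linear-time authority split plus a guard that rejects authorities carrying more than one `@` before a URL reaches any regex-based parser; the function names and the `MAX_AT_IN_AUTHORITY` limit are assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Added defensive example, not urllib3's code; every name here is hypothetical.
# RFC 3986: authority = [userinfo "@"] host [":" port]; userinfo ends at the LAST
# "@" (a literal "@" in userinfo must be percent-encoded), so one rpartition
# splits the authority in linear time with no regex that could backtrack.
MAX_AT_IN_AUTHORITY = 1  # assumption: a well-formed authority carries at most one "@"


class UnsafeAuthority(ValueError):
    """Authority is malformed or looks like a backtracking trigger."""


def split_authority(authority: str) -> Tuple[Optional[str], str, Optional[int]]:
    """Return (userinfo, host, port) without using regular expressions."""
    at_count = authority.count("@")
    if at_count > MAX_AT_IN_AUTHORITY:
        raise UnsafeAuthority(f"{at_count} '@' characters in authority")
    userinfo, sep, hostport = authority.rpartition("@")
    if not sep:
        userinfo = None
    if hostport.startswith("["):  # IPv6 literal such as [::1]:8080
        end = hostport.find("]")
        if end < 0 or (hostport[end + 1:] and hostport[end + 1] != ":"):
            raise UnsafeAuthority("malformed IPv6 literal")
        host, port_str = hostport[: end + 1], hostport[end + 2:]
    else:
        host, _, port_str = hostport.partition(":")
    if not host:
        raise UnsafeAuthority("empty host")
    port = None
    if port_str:
        if not (port_str.isascii() and port_str.isdigit()) or int(port_str) > 65535:
            raise UnsafeAuthority(f"bad port {port_str!r}")
        port = int(port_str)
    return userinfo, host, port


def check_url(url: str) -> Tuple[Optional[str], str, Optional[int]]:
    """Validate the authority of `url` before handing it to any regex-based parser."""
    netloc = urlsplit(url).netloc  # stdlib locates the authority by scanning, not regex
    if not netloc:
        raise UnsafeAuthority("URL has no authority component")
    return split_authority(netloc)


def is_safe_url(url: str) -> bool:
    try:
        check_url(url)
        return True
    except (UnsafeAuthority, ValueError):
        return False
```

Calling `is_safe_url` on a constructed input such as `"https://" + "@" * 5000 + "example.com/"` returns `False` in linear time, which is the pre-check a service accepting user-supplied or redirect-supplied URLs would want in front of an unpatched parser.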
##### References

##### For more information

If you have any questions or comments about this advisory:
### Release Notes

urllib3/urllib3

### [`v1.26.5`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#1265-2021-05-26)

[Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.4...1.26.5)

- Fixed deprecation warnings emitted in Python 3.10.
- Updated vendored `six` library to 1.16.0.
- Improved performance of URL parser when splitting the authority component.

### [`v1.26.4`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#1264-2021-03-15)

[Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.3...1.26.4)

- Changed behavior of the default `SSLContext` when connecting to an HTTPS proxy during HTTPS requests. The default `SSLContext` now sets `check_hostname=True`.

### [`v1.26.3`](https://togithub.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#1263-2021-01-26)

[Compare Source](https://togithub.com/urllib3/urllib3/compare/1.26.2...1.26.3)

- Fixed bytes and string comparison issue with headers (Pull [#2141](https://togithub.com/urllib3/urllib3/issues/2141))
- Changed `ProxySchemeUnknown` error message to be more actionable if the user supplies a proxy URL without a scheme. (Pull [#2107](https://togithub.com/urllib3/urllib3/issues/2107))

### Configuration

- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.