[Buildroot] [PATCH] package/python-urllib3: security bump to 1.25.9

Thomas Petazzoni thomas.petazzoni at bootlin.com
Tue Jul 14 20:10:28 UTC 2020


On Tue, 14 Jul 2020 15:02:02 -0500
Matt Weber <matthew.weber at rockwellcollins.com> wrote:

> Fixes CVE-2020-7212 (1.25.2 - 1.25.7)
> The _encode_invalid_chars function does not remove duplicate percent
> encodings in the _percent_encodings array, which combined with the
> normalization step could take O(N^2) time to compute for a URL of
> length N. This results in a marginally higher CPU consumption
> compared to the potential linear time achieved by deduplicating
> the _percent_encodings array.
> 
> CC: Peter Korsgaard <peter at korsgaard.com>
> Signed-off-by: Matthew Weber <matthew.weber at rockwellcollins.com>
> --
> 
> Also applies to 2020.02.x
> ---
>  package/python-urllib3/python-urllib3.hash | 5 ++---
>  package/python-urllib3/python-urllib3.mk   | 4 ++--
>  2 files changed, 4 insertions(+), 5 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
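
An added illustration of the complexity issue described in the quoted commit message, not code from urllib3 or from this patch: a simplified Python model, with hypothetical function names and a constructed input, that counts full-string passes when normalizing percent-encodings per match, per distinct encoding, and in a single substitution.

```python
import re

# Assumption: simplified model of the normalization step described above.
# Function names are hypothetical; this is not urllib3's source.
PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")


def normalize_per_match(component):
    """One full-string replace per match, duplicates included.

    With M matches in a string of length N this costs O(M * N),
    which is O(N^2) when the string is mostly percent-encodings.
    """
    passes = 0
    for enc in PERCENT_RE.findall(component):
        if not enc.isupper():
            component = component.replace(enc, enc.upper())
            passes += 1
    return component, passes


def normalize_deduplicated(component):
    """Same loop, but over the distinct encodings only.

    The number of passes no longer grows with the number of repeats.
    """
    passes = 0
    for enc in set(PERCENT_RE.findall(component)):
        if not enc.isupper():
            component = component.replace(enc, enc.upper())
            passes += 1
    return component, passes


def normalize_single_pass(component):
    """Upper-case every encoding in one regex substitution pass."""
    return PERCENT_RE.sub(lambda m: m.group(0).upper(), component)


if __name__ == "__main__":
    # Constructed sample: many repeats of two lower-case encodings.
    sample = "%2f" * 300 + "%3A" + "%3a" * 100
    print("per match:   ", normalize_per_match(sample)[1], "passes")
    print("deduplicated:", normalize_deduplicated(sample)[1], "passes")
```
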

