[Buildroot] [PATCH 1/1] package/python-urllib3: security bump to version 1.26.4
Peter Korsgaard
peter at korsgaard.com
Sat Apr 3 10:18:48 UTC 2021
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> Fix CVE-2021-28363: The urllib3 library 1.26.x before 1.26.4 for Python
> omits SSL certificate validation in some cases involving HTTPS to HTTPS
> proxies. The initial connection to the HTTPS proxy (if an SSLContext
> isn't given via proxy_config) doesn't verify the hostname of the
> certificate. This means certificates for different servers that still
> validate properly with the default urllib3 SSLContext will be silently
> accepted.
> https://github.com/urllib3/urllib3/blob/1.26.4/CHANGES.rst
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Committed to 2021.02.x, thanks (2020.02.x / 2020.11.x use 1.25.x)
--
Bye, Peter Korsgaard
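
An added example, not part of the original message or of urllib3 or Buildroot: a check for the affected range quoted above (1.26.x before 1.26.4), plus an explicit proxy SSLContext with hostname checking on for trees that cannot bump yet. The helper names and sample versions are constructed for illustration; proxy_ssl_context is urllib3's ProxyManager keyword, and relying on it as a stopgap follows from the advisory's "if an SSLContext isn't given" wording.

```python
import ssl

FIXED = (1, 26, 4)  # first fixed release named in the advisory


def parse_version(text):
    """Leading numeric release as a 3-tuple, e.g. '1.26.3' -> (1, 26, 3)."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True for the range the advisory gives: 1.26.x before 1.26.4."""
    return (1, 26, 0) <= parse_version(version) < FIXED


def build_proxy_ssl_context(cafile=None):
    """Context for the TLS connection to the proxy, hostname check enforced."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # the step the advisory says was skipped
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifies_hostname(ctx):
    """Audit an SSLContext before handing it to a proxy connection."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def proxy_manager_kwargs(installed_version, cafile=None):
    """Extra keyword arguments for urllib3.ProxyManager(proxy_url, **kwargs)."""
    if is_affected(installed_version):
        return {"proxy_ssl_context": build_proxy_ssl_context(cafile)}
    return {}


if __name__ == "__main__":
    for v in ("1.25.11", "1.26.3", "1.26.4"):  # constructed sample versions
        print(v, "affected" if is_affected(v) else "not affected")
```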