python-requests: allow urllib3 1.25.x #8807
Conversation
|
They appear to be preparing a release, not sure where it is being tracked though. |
|
It seems that it will be soon, so we will see, but the patch what I have included will be in their new release - kennethreitz/requests@d6b5b40 |
| @@ -0,0 +1,32 @@ | |||
| Pull request: https://github.com/kennethreitz/requests/pull/5063 | |||
There was a problem hiding this comment.
nitpick: one good practice about patches is to number them;
in this case, it should be fine to leave them as-is here, since it will be remove when requests updates;
There was a problem hiding this comment.
Right, I forget to do this.
There was a problem hiding this comment.
Added number, also added note about their commit, which they have prepared in their branch.
|
a global nitpick: i would have made this into 3 patches:
it is also fine (from my side) to leave these as-is here so, LGTM from my side :) |
BKPepe
force-pushed
the
requests
branch
3 times, most recently
from
aa84714
to
c1dbbac
Compare
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Add PKG_CPE_ID, PKG_LICENSE_FILES Reorder things in Makefile Update URL Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
As suggested, I made the following changes:
It is included in commit messages. |
|
this has been fine (from my side) to merge for some time now no idea about other blockers |
Maintainer: me and @commodo
Compile tested: Turris MOX, cortexa53, OpenWrt master
Run tested: Turris MOX, cortexa53, OpenWrt master
Description:
Version 1.25 of urllib3 was merged to master 2 days ago, which fixes CVE-2019-11324, but requests is still using the older version. AFAIK, there's no mention, when requests will release a new version.
I found on their website: