Package: python-urllib3 / 2.3.0-3+deb13u1

Metadata

Package: python-urllib3
Version: 2.3.0-3+deb13u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
test_http2_probe_blocked_per_thread requires_network.patch

test/with_dummyserver/test_https.py | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 mark test_http2_probe_blocked_per_thread with requires_network

It fails if it can't connect to `TARPIT_HOST`.

openssl 3.4.0.patch

test/test_ssltransport.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 SingleTLSLayerTestCase: catch BrokenPipeError

OpenSSL 3.4.0 returns `ERR_LIB_SYS` in some more situations than it used
to.  In the case exercised by
`SingleTLSLayerTestCase.test_close_after_handshake`,
https://github.com/python/cpython/pull/127361 (also backported to the
3.12 and 3.13 branches) turns this into `BrokenPipeError`.  It seems
reasonable to treat this in the same way as `ConnectionAbortedError` and
`ConnectionResetError`.

httpx 0.28.patch

dummyserver/asgi_proxy.py | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 ensure compatibility with httpx>=0.28

Version 0.28 of httpx removed support for supplying a path (of string
type) to verify, only a bool or an SSL context is now supported.
See: https://github.com/encode/httpx/releases/tag/0.28.0

Running the test suite with httpx 0.28 will break the dummy server and
such a number of tests in test/with_dummyserver/.

To resolve this, create an SSL context in the ProxyApp init function and
supply that to AsyncClient, instead of a raw string. This change is
backwards compatible, i.e. the test suite will still succeed against
the currently pinned version of httpx, 0.25.2.

CVE 2025 50181.patch

docs/reference/contrib/emscripten.rst | 2 1 + 1 - 0 !
dummyserver/app.py | 1 1 + 0 - 0 !
src/urllib3/poolmanager.py | 18 17 + 1 - 0 !
test/contrib/emscripten/test_emscripten.py | 16 16 + 0 - 0 !
test/test_poolmanager.py | 5 3 + 2 - 0 !
test/with_dummyserver/test_poolmanager.py | 101 101 + 0 - 0 !
6 files changed, 139 insertions(+), 4 deletions(-)

 merge commit from fork

* Apply Quentin's suggestion

Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>

* Add tests for disabled redirects in the pool manager

* Add a possible fix for the issue with not raised `MaxRetryError`

* Make urllib3 handle redirects instead of JS when JSPI is used

* Fix info in the new comment

* State that redirects with XHR are not controlled by urllib3

* Remove excessive params from new test requests

* Add tests reaching max non-0 redirects

* Test redirects with Emscripten

* Fix `test_merge_pool_kwargs`

* Add a changelog entry

* Parametrize tests

* Drop a fix for Emscripten

* Apply Seth's suggestion to docs

Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>

* Use a minor release instead of the patch one


CVE 2025 50182.patch

docs/reference/contrib/emscripten.rst | 2 1 + 1 - 0 !
src/urllib3/contrib/emscripten/fetch.py | 20 20 + 0 - 0 !
test/contrib/emscripten/test_emscripten.py | 46 46 + 0 - 0 !
3 files changed, 67 insertions(+), 1 deletion(-)

 merge commit from fork

CVE 2025 66418.patch

changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 4 + 0 - 0 !
src/urllib3/response.py | 12 11 + 1 - 0 !
test/test_response.py | 10 10 + 0 - 0 !
3 files changed, 25 insertions(+), 1 deletion(-)

 merge commit from fork

CVE 2026 21441.patch

dummyserver/app.py | 8 7 + 1 - 0 !
src/urllib3/response.py | 6 5 + 1 - 0 !
test/with_dummyserver/test_connectionpool.py | 19 19 + 0 - 0 !
3 files changed, 31 insertions(+), 2 deletions(-)

 merge commit from fork