Commit bfd9d8d

chore(deps): update dependency urllib3 to v2.6.0 [security] (#2342)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [urllib3](https://redirect.github.com/urllib3/urllib3) ([changelog](https://redirect.github.com/urllib3/urllib3/blob/main/CHANGES.rst)) | `==2.5.0` -> `==2.6.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/urllib3/2.6.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/urllib3/2.5.0/2.6.0?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2025-66418](https://redirect.github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53)

## Impact

urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, zstd`). However, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.

## Affected usages

Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.

## Remediation

Upgrade to at least urllib3 v2.6.0, in which the library limits the number of links to 5.

If upgrading is not immediately possible, use [`preload_content=False`](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) and ensure that `resp.headers["content-encoding"]` contains a safe number of encodings before reading the response content.

#### [CVE-2025-66471](https://redirect.github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37)

### Impact

urllib3's [streaming API](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.

When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation.

The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.

### Affected usages

Applications and libraries using urllib3 version 2.5.0 and earlier to stream large compressed responses or content from untrusted sources. `stream()`, `read(amt=256)`, `read1(amt=256)`, `read_chunked(amt=256)` and `readinto(b)` are examples of `urllib3.HTTPResponse` method calls using the affected logic unless decoding is disabled explicitly.

### Remediation

Upgrade to at least urllib3 v2.6.0, in which the library avoids decompressing data that exceeds the requested amount.

If your environment contains a package facilitating the Brotli encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 too. These versions are enforced by the `urllib3[brotli]` extra in the patched versions of urllib3.

### Credits

The issue was reported by @Cycloctane. Supplemental information was provided by @stamparm during a security audit performed by [7ASecurity](https://7asecurity.com/) and facilitated by [OSTIF](https://ostif.org/).

---

### Release Notes

<details>
<summary>urllib3/urllib3 (urllib3)</summary>

### [`v2.6.0`](https://redirect.github.com/urllib3/urllib3/blob/HEAD/CHANGES.rst#260-2025-12-05)

[Compare Source](https://redirect.github.com/urllib3/urllib3/compare/2.5.0...2.6.0)

## Security

- Fixed a security issue where the streaming API could improperly handle highly compressed HTTP content ("decompression bombs"), leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. ([GHSA-2xpw-w6gg-jr37](https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37))
- Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the `Content-Encoding` header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. ([GHSA-gm62-xv2j-4w53](https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53))

Caution:

- If urllib3 is not installed with the optional `urllib3[brotli]` extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using `urllib3[brotli]` to install a compatible Brotli package automatically.
- If you use custom decompressors, please make sure to update them to respect the changed API of `urllib3.response.ContentDecoder`.

## Features

- Enabled retrieval, deletion, and membership testing in `HTTPHeaderDict` using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653))
- Added host and port information to string representations of `HTTPConnection`. ([#3666](https://github.com/urllib3/urllib3/issues/3666))
- Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696))

## Removals

- Removed the `HTTPResponse.getheaders()` method in favor of `HTTPResponse.headers`. Removed the `HTTPResponse.getheader(name, default)` method in favor of `HTTPResponse.headers.get(name, default)`. ([#3622](https://github.com/urllib3/urllib3/issues/3622))

## Bugfixes

- Fixed redirect handling in `urllib3.PoolManager` when an integer is passed for the retries parameter. ([#3649](https://github.com/urllib3/urllib3/issues/3649))
- Fixed `HTTPConnectionPool` when used in Emscripten with no explicit port. ([#3664](https://github.com/urllib3/urllib3/issues/3664))
- Fixed handling of `SSLKEYLOGFILE` with expandable variables. ([#3700](https://github.com/urllib3/urllib3/issues/3700))

## Misc

- Changed the `zstd` extra to install `backports.zstd` instead of `zstandard` on Python 3.13 and before. ([#3693](https://github.com/urllib3/urllib3/issues/3693))
- Improved the performance of content decoding by optimizing the `BytesQueueBuffer` class. ([#3710](https://github.com/urllib3/urllib3/issues/3710))
- Allowed building the urllib3 package with newer setuptools-scm v9.x. ([#3652](https://github.com/urllib3/urllib3/issues/3652))
- Ensured successful urllib3 builds by setting the Hatchling requirement to >= 1.27.0. ([#3638](https://github.com/urllib3/urllib3/issues/3638))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/googleapis/python-bigquery).

Co-authored-by: Lingqing Gan <lingqing.gan@gmail.com>
1 parent 8634630, commit bfd9d8d
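The two mitigations the advisories in the commit message describe, namely checking how many codings `Content-Encoding` carries before reading a `preload_content=False` response (CVE-2025-66418) and refusing to inflate more bytes than the caller asked for (CVE-2025-66471), can both be shown with the Python standard library alone. The following is an added example written for this page; it is not code from this PR, from urllib3, or from python-bigquery. It assumes a chain limit of 5 (the value the release notes cite), decodes only gzip and deflate via `zlib` (no `br`/`zstd`), and feeds itself constructed response bodies rather than real HTTP traffic; the 1 MiB output cap in `demo()` is an arbitrary illustrative choice.

```python
"""Added example: client-side guards against chained-encoding and decompression-bomb
responses, mirroring the two urllib3 2.6.0 mitigations with the standard library only.
Handles gzip and deflate; br/zstd are left out. All test bodies below are constructed."""
import gzip
import zlib

MAX_ENCODING_LINKS = 5            # the chain limit urllib3 2.6.0 enforces
IDENTITY_CODINGS = {"identity"}   # no-op token: not a decompression step
WBITS = {                         # zlib window parameter for each coding we decode
    "gzip": 16 + zlib.MAX_WBITS,
    "x-gzip": 16 + zlib.MAX_WBITS,
    "deflate": zlib.MAX_WBITS,
}


def parse_content_encoding(header_value):
    """Split a Content-Encoding value into its ordered codings (RFC 9110 list syntax)."""
    if not header_value:
        return []
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def check_encoding_chain(header_value, limit=MAX_ENCODING_LINKS):
    """Return the list of codings to decode, or raise ValueError.

    This is the pre-read check to run on resp.headers["content-encoding"] when a
    preload_content=False response is read through an unpatched urllib3.
    """
    chain = [c for c in parse_content_encoding(header_value) if c not in IDENTITY_CODINGS]
    if len(chain) > limit:
        raise ValueError(f"Content-Encoding has {len(chain)} links; limit is {limit}")
    unknown = [c for c in chain if c not in WBITS]
    if unknown:
        raise ValueError(f"unsupported content coding(s): {unknown}")
    return chain


def bounded_decode(body, chain, max_output):
    """Decode body through chain with a hard cap on decoded bytes per stage.

    Codings are listed in the order the server applied them, so the client
    undoes them in reverse. zlib's max_length stops each stage at max_output+1
    bytes, so a tiny, highly compressible body cannot allocate more than that
    before the cap trips.
    """
    data = body
    for coding in reversed(chain):
        decoder = zlib.decompressobj(wbits=WBITS[coding])
        out = decoder.decompress(data, max_output + 1)
        if len(out) > max_output:
            raise ValueError(f"{coding} stage would exceed {max_output} decoded bytes")
        data = out
    return data


def encode_chain(payload, chain):
    """Server-side helper used only to build constructed test bodies: apply codings in header order."""
    data = payload
    for coding in chain:
        data = gzip.compress(data) if coding in ("gzip", "x-gzip") else zlib.compress(data)
    return data


def demo():
    """Exercise both guards on constructed responses; returns a dict of outcomes."""
    results = {}

    # A legitimate two-link chain decodes normally.
    payload = b"hello from the geography sample"
    header = "gzip, deflate"
    body = encode_chain(payload, parse_content_encoding(header))
    results["normal_roundtrip"] = bounded_decode(body, check_encoding_chain(header), 1024) == payload

    # Six links are refused before any decompression work is done (CVE-2025-66418).
    try:
        check_encoding_chain(", ".join(["gzip"] * 6))
        results["long_chain_rejected"] = False
    except ValueError:
        results["long_chain_rejected"] = True

    # A few KiB of gzip that inflates to 16 MiB trips the 1 MiB cap (CVE-2025-66471).
    bomb = gzip.compress(b"\0" * (16 * 1024 * 1024))
    results["bomb_compressed_size"] = len(bomb)
    try:
        bounded_decode(bomb, ["gzip"], 1024 * 1024)
        results["bomb_rejected"] = False
    except ValueError:
        results["bomb_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order matters: `Content-Encoding` lists codings in the order the server applied them, so `bounded_decode` walks the chain in reverse. Capping every stage rather than only the last one is what keeps an intermediate stage from ballooning before the final output is measured.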

File tree: 1 file changed, +1 -1 lines changed


samples/geography/requirements.txt

Lines changed: 1 addition & 1 deletion
@@ -41,4 +41,4 @@ Shapely==2.1.2; python_version >= '3.10'
4141
six==1.17.0
4242
typing-extensions==4.15.0
4343
typing-inspect==0.9.0
44-
urllib3==2.5.0
44+
urllib3==2.6.0
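Review bot: Bumping the pin to `urllib3==2.6.0` is the right fix for both advisories, but the release notes quoted in the commit message also require that any Brotli/brotlicffi/brotlipy package present in the environment be raised to at least Brotli 1.2.0 or brotlicffi 1.2.0.0, and they remove `HTTPResponse.getheaders()` and `HTTPResponse.getheader()`; neither point is addressed in this hunk, so confirm that samples/geography/requirements.txt does not separately pin an older Brotli package and that the geography sample does not call those removed methods. Since only this one requirements file is touched, it is also worth checking whether other pinned requirements files in the repository still carry `urllib3==2.5.0`.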

