author    Cory Benfield <lukasaoz@gmail.com>  2016-10-27 11:57:33 +0100
committer Cory Benfield <lukasaoz@gmail.com>  2016-10-27 12:00:37 +0100
commit    0e1f2f9173a4395f77a911cd27d582299524a3de
tree      9b6bca3a6d3333cb2550b11d60af828635a77b31
parent    c32cdbc16a9634fa0f8c829d1270301570158715
download  urllib3-1.18-series.tar.gz
Merging new release version: 1.18.1 (refs: 1.18.1, 1.18.1, 1.18-series)
 CHANGES.rst         | 14 ++++++++++++++
 urllib3/__init__.py |  2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index b1cac7a3..9ed4c3a0 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,20 @@
Changes
=======
+1.18.1 (2016-10-27)
+-------------------
+
+* CVE-2016-9015. Users who are using urllib3 version 1.17 or 1.18 along with
+ PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This
+ release fixes a vulnerability whereby urllib3 in the above configuration
+ would silently fail to validate TLS certificates due to erroneously setting
+ invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous
+ flags do not cause a problem in OpenSSL versions before 1.1.0, which
+ interprets the presence of any flag as requesting certificate validation.
+
+ There is no PR for this patch, as it was prepared for simultaneous disclosure
+ and release. There will be a PR for the equivalent fix in the master branch.
+
1.18 (2016-09-26)
-----------------
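Review bot: the new entry states that this release fixes CVE-2016-9015, yet the commit itself touches only CHANGES.rst and the version string, so the actual change to the ``SSL_CTX_set_verify`` flag handling in the PyOpenSSL contrib path must already live in the parent commit c32cdbc16a9634fa0f8c829d1270301570158715; since the entry explicitly says there is no PR to point at, consider naming that commit in the changelog so users auditing their install can find the fix. Two smaller points in the same paragraph: "OpenSSL versions before 1.1.0, which interprets" should read "which interpret" (the subject is plural), and the statement that affected users "*must* upgrade" would be more actionable if it also told them how to check that they are in the affected configuration (urllib3 1.17 or 1.18, ``urllib3.contrib.pyopenssl`` injected, OpenSSL 1.1.0), which is exactly the combination the entry already lists.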
diff --git a/urllib3/__init__.py b/urllib3/__init__.py
index e7e622cd..c47ed457 100644
--- a/urllib3/__init__.py
+++ b/urllib3/__init__.py
@@ -32,7 +32,7 @@ except ImportError:
__author__ = 'Andrey Petrov (andrey.petrov@shazow.net)'
__license__ = 'MIT'
-__version__ = '1.18'
+__version__ = '1.18.1'
__all__ = (
'HTTPConnectionPool',
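Review bot: the bump to ``__version__ = '1.18.1'`` agrees with the new "1.18.1 (2016-10-27)" heading in CHANGES.rst; since this commit carries the 1.18.1 ref and nothing else changes here, the tag and the tarball named in the download link should be cut from this commit so that the installed ``urllib3.__version__`` matches the release that the changelog says contains the fix.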