package/python-httplib2: security bump to version 0.19.1

- Fix CVE-2021-21240: httplib2 is a comprehensive HTTP client library
  for Python. In httplib2 before version 0.19.0, a malicious server
  which responds with long series of "\xa0" characters in the
  "www-authenticate" header may cause Denial of Service (CPU burn while
  parsing header) of the httplib2 client accessing said server. This is
  fixed in version 0.19.0 which contains a new implementation of auth
  headers parsing using the pyparsing library.
- Fix CVE-2020-11078: In httplib2 before version 0.18.0, an attacker
  controlling unescaped part of uri for `httplib2.Http.request()` could
  change request headers and body, send additional hidden requests to
  same server. This vulnerability impacts software that uses httplib2
  with uri constructed by string concatenation, as opposed to proper
  urllib building with escaping. This has been fixed in 0.18.0.
- Use LICENSE file instead of PKG-INFO
- pyparsing is a runtime dependency since version 0.19.0 and
  https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc

https://github.com/httplib2/httplib2/blob/v0.19.1/CHANGELOG

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/python-httplib2/Config.in b/package/python-httplib2/Config.in
index e42f5132b7eff4425fef8ee89bd957ca7c0ac41b..39671f2386cb5805d06976c416fb95f4372d66f6 100644 (file)
--- a/package/python-httplib2/Config.in
+++ b/package/python-httplib2/Config.in
@@ -4,6 +4,7 @@ config BR2_PACKAGE_PYTHON_HTTPLIB2
        select BR2_PACKAGE_PYTHON_SSL if BR2_PACKAGE_PYTHON
        select BR2_PACKAGE_PYTHON3_ZLIB if BR2_PACKAGE_PYTHON3
        select BR2_PACKAGE_PYTHON3_SSL if BR2_PACKAGE_PYTHON3
+       select BR2_PACKAGE_PYTHON_PYPARSING # runtime
        help
          httplib2 is a comprehensive HTTP client library, httplib2.py
          supports many features left out of other HTTP libraries.

diff --git a/package/python-httplib2/python-httplib2.hash b/package/python-httplib2/python-httplib2.hash
index c272d8517c5c4e504f4a009dfec290b3b9ac74ea..2c5914c5f6c4432d33c4285ab68764fd5d15fae3 100644 (file)
--- a/package/python-httplib2/python-httplib2.hash
+++ b/package/python-httplib2/python-httplib2.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/httplib2/json
-md5  4c05b09eb6f6c20a31ca488c7a87dda9  httplib2-0.17.2.tar.gz
-sha256  eb7a6b137ae31e61c5f429083c5bebb71fe5fd1958e7f3d5c39b21b11cd4b290  httplib2-0.17.2.tar.gz
-# Locally computer sha256 checksums
-sha256  4205f0d88e04380ba13b9c60e2f85771196b66ee84bf48971d30d82a78e84c3f  PKG-INFO
+md5  de7f5e3a4adb3105889867327bdd39dc  httplib2-0.19.1.tar.gz
+sha256  0b12617eeca7433d4c396a100eaecfa4b08ee99aa881e6df6e257a7aad5d533d  httplib2-0.19.1.tar.gz
+# Locally computed sha256 checksums
+sha256  589eec38f72df2be203711d3b8cbece9b908c5e7ff00bc3cab7f63bae9e366b4  LICENSE

diff --git a/package/python-httplib2/python-httplib2.mk b/package/python-httplib2/python-httplib2.mk
index fbdb6d83c431d47f2540c2a49d14ad3e7f017974..7b9b400241344b48e5690880dff1946bc61ee6a3 100644 (file)
--- a/package/python-httplib2/python-httplib2.mk
+++ b/package/python-httplib2/python-httplib2.mk
@@ -4,11 +4,11 @@
 #
 ################################################################################
 
-PYTHON_HTTPLIB2_VERSION = 0.17.2
+PYTHON_HTTPLIB2_VERSION = 0.19.1
 PYTHON_HTTPLIB2_SOURCE = httplib2-$(PYTHON_HTTPLIB2_VERSION).tar.gz
-PYTHON_HTTPLIB2_SITE = https://files.pythonhosted.org/packages/1b/f0/a35a448afea308aeb6a1430dbcfb46f4cef11360cbc18f22af6e567bb847
+PYTHON_HTTPLIB2_SITE = https://files.pythonhosted.org/packages/ed/cd/533a1e9e04671bcee5d2854b4f651a3fab9586d698de769d93b05ee2bff1
 PYTHON_HTTPLIB2_SETUP_TYPE = setuptools
 PYTHON_HTTPLIB2_LICENSE = MIT
-PYTHON_HTTPLIB2_LICENSE_FILES = PKG-INFO
+PYTHON_HTTPLIB2_LICENSE_FILES = LICENSE
 
 $(eval $(python-package))