[Buildroot] [git commit branch/2018.02.x] python-requests: security bump to version 2.20.0

Peter Korsgaard peter at korsgaard.com
Mon Dec 17 22:12:13 UTC 2018


commit: https://git.buildroot.net/buildroot/commit/?id=fa75b099568d3b183cd4d3c62f5b1def98cdc4f0
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2018.02.x

Fixes CVE-2018-18074: The Requests package before 2.20.0 for Python sends an
HTTP Authorization header to an http URI upon receiving a same-hostname
https-to-http redirect, which makes it easier for remote attackers to
discover credentials by sniffing the network.

LICENSE hash update: an http address in the file was replaced with https.

Signed-off-by: Asaf Kahlon <asafka7 at gmail.com>
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
(cherry picked from commit 42bebd1e7ce07608967c36e2877f578f4c143e5c)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/python-requests/python-requests.hash | 6 +++---
 package/python-requests/python-requests.mk   | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/python-requests/python-requests.hash b/package/python-requests/python-requests.hash
index b71fe86ee7..3aa8e1359f 100644
--- a/package/python-requests/python-requests.hash
+++ b/package/python-requests/python-requests.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/requests/json
-md5	6c1a31afec9d614e2e71a91ee6ca2878  requests-2.19.1.tar.gz
-sha256	ec22d826a36ed72a7358ff3fe56cbd4ba69dd7a6718ffd450ff0e9df7a47ce6a  requests-2.19.1.tar.gz
+md5	cf034ab571854453719594120366f467  requests-2.20.0.tar.gz
+sha256	99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c  requests-2.20.0.tar.gz
 # Locally computed sha256 checksums
-sha256	82a869fe4e967449956d26a546adc762acace028852ce81ba16c3c5b1d76b15b  LICENSE
+sha256	be41abac2c40f8530307e8d172c590b476f4a488bc6a68f8de57b7cf64786687  LICENSE
diff --git a/package/python-requests/python-requests.mk b/package/python-requests/python-requests.mk
index 881d196526..358835d816 100644
--- a/package/python-requests/python-requests.mk
+++ b/package/python-requests/python-requests.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_REQUESTS_VERSION = 2.19.1
+PYTHON_REQUESTS_VERSION = 2.20.0
 PYTHON_REQUESTS_SOURCE = requests-$(PYTHON_REQUESTS_VERSION).tar.gz
-PYTHON_REQUESTS_SITE = https://files.pythonhosted.org/packages/54/1f/782a5734931ddf2e1494e4cd615a51ff98e1879cbe9eecbdfeaf09aa75e9
+PYTHON_REQUESTS_SITE = https://files.pythonhosted.org/packages/97/10/92d25b93e9c266c94b76a5548f020f3f1dd0eb40649cb1993532c0af8f4c
 PYTHON_REQUESTS_SETUP_TYPE = setuptools
 PYTHON_REQUESTS_LICENSE = Apache-2.0
 PYTHON_REQUESTS_LICENSE_FILES = LICENSE

