
Update urllib3 (indirectly - used by Conan) to fix vulnerabilities #131

Merged
kse3hi merged 2 commits into main from fix_urllib_vulnerabilities
Dec 15, 2025

@BjoernAtBosch
Member

  • urllib3 streaming API improperly handles highly compressed data
  • urllib3 allows an unbounded number of links in the decompression chain
  • urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
  • urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects

Describe your changes

Issue ticket number and link

Checklist - Manual tasks

  • Examples are executing successfully

  • Created/updated unit tests. Code Coverage percentage on new code shall be >= 80%.

  • Created/updated integration tests.

  • Devcontainer can be opened successfully

  • Devcontainer can be opened successfully behind a corporate proxy

  • Devcontainer can be re-built successfully

  • Extended the documentation (e.g. README.md, CONTRIBUTING.md, Velocitas Docs)

@BjoernAtBosch BjoernAtBosch changed the title Fix vulnerabilities in urllib3 (used by Conan) Update urllib3 (indirectly - used by Conan) to fix vulnerabilities Dec 15, 2025
Contributor

@kse3hi kse3hi left a comment

LGFM

@kse3hi kse3hi merged commit 6323b65 into main Dec 15, 2025
5 checks passed
@kse3hi kse3hi deleted the fix_urllib_vulnerabilities branch December 15, 2025 14:31