diff --git a/data/insecure.json b/data/insecure.json index 5be47c28c..c6831fdb2 100644 --- a/data/insecure.json +++ b/data/insecure.json @@ -827,6 +827,7 @@ ], "ruffruffs": [ "<2.3.0", + "<2.5.2", "<2.6.0" ], "sentry": [ diff --git a/data/insecure_full.json b/data/insecure_full.json index ffdc1f766..dfc9e0d08 100644 --- a/data/insecure_full.json +++ b/data/insecure_full.json 
@@ -4604,6 +4604,10 @@ "changelog": "++++++++++++++++++\n\n**API Changes**\n\n- New ``Response`` property ``is_redirect``, which is true when the\n library could have processed this response as a redirection (whether\n or not it actually did).\n- The ``timeout`` parameter now affects requests with both ``stream=True`` and\n ``stream=False`` equally.\n- The change in v2.0.0 to mandate explicit proxy schemes has been reverted.\n Proxy schemes now default to ``http://``.\n- The ``CaseInsensitiveDict`` used for HTTP headers now behaves like a normal\n dictionary when references as string or viewed in the interpreter.\n\n**Bugfixes**\n\n- No longer expose Authorization or Proxy-Authorization headers on redirect.\n Fix CVE-2014-1829 and CVE-2014-1830 respectively.\n- Authorization is re-evaluated each redirect.\n- On redirect, pass url as native strings.\n- Fall-back to autodetected encoding for JSON when Unicode detection fails.\n- Headers set to ``None`` on the ``Session`` are now correctly not sent.\n- Correctly honor ``decode_unicode`` even if it wasn't used earlier in the same\n response.\n- Stop advertising ``compress`` as a supported Content-Encoding.\n- The ``Response.history`` parameter is now always a list.\n- Many, many ``urllib3`` bugfixes.\n\n", "v": "<2.3.0" }, + { + "changelog": "++++++++++++++++++\n\n**Features and Improvements**\n\n- Add sha256 fingerprint support. (`shazow/urllib3540`_)\n\n- Improve the performance of headers. (`shazow/urllib3544`_)\n\n**Bugfixes**\n\n- Copy pip's import machinery. When downstream redistributors remove\n requests.packages.urllib3 the import machinery will continue to let those\n same symbols work. Example usage in requests' documentation and 3rd-party\n libraries relying on the vendored copies of urllib3 will work without having\n to fallback to the system urllib3.\n\n- Attempt to quote parts of the URL on redirect if unquoting and then quoting\n fails. 
(2356)\n\n- Fix filename type check for multipart form-data uploads. (2411)\n\n- Properly handle the case where a server issuing digest authentication\n challenges provides both auth and auth-int qop-values. (2408)\n\n- Fix a socket leak. (`shazow/urllib3549`_)\n\n- Fix multiple ``Set-Cookie`` headers properly. (`shazow/urllib3534`_)\n\n- Disable the built-in hostname verification. (`shazow/urllib3526`_)\n\n- Fix the behaviour of decoding an exhausted stream. (`shazow/urllib3535`_)\n\n**Security**\n\n- Pulled in an updated ``cacert.pem``.\n\n- Drop RC4 from the default cipher list. (`shazow/urllib3551`_)\n\n.. _shazow/urllib3551: https://github.com/shazow/urllib3/pull/551\n.. _shazow/urllib3549: https://github.com/shazow/urllib3/pull/549\n.. _shazow/urllib3544: https://github.com/shazow/urllib3/pull/544\n.. _shazow/urllib3540: https://github.com/shazow/urllib3/pull/540\n.. _shazow/urllib3535: https://github.com/shazow/urllib3/pull/535\n.. _shazow/urllib3534: https://github.com/shazow/urllib3/pull/534\n.. _shazow/urllib3526: https://github.com/shazow/urllib3/pull/526\n\n", + "v": "<2.5.2" + }, { "changelog": "++++++++++++++++++\n\n**Bugfixes**\n\n- CVE-2015-2296: Fix handling of cookies on redirect. Previously a cookie\n without a host value set would use the hostname for the redirected URL\n exposing requests users to session fixation attacks and potentially cookie\n stealing. This was disclosed privately by Matthew Daley of\n `BugFuzz `_. This affects all versions of requests from\n v2.1.0 to v2.5.3 (inclusive on both ends).\n\n- Fix error when requests is an ``install_requires`` dependency and ``python\n setup.py test`` is run. 
(2462)\n\n- Fix error when urllib3 is unbundled and requests continues to use the\n vendored import location.\n\n- Include fixes to ``urllib3``'s header handling.\n\n- Requests' handling of unvendored dependencies is now more restrictive.\n\n**Features and Improvements**\n\n- Support bytearrays when passed as parameters in the ``files`` argument.\n (2468)\n\n- Avoid data duplication when creating a request with ``str``, ``bytes``, or\n ``bytearray`` input to the ``files`` argument.\n\n", "v": "<2.6.0"
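Review bot: In data/insecure.json, the added "<2.5.2" specifier under "ruffruffs" is a strict subset of the existing "<2.6.0", so it does not change which installed versions match. If the list is only meant to mirror the per-entry "v" values in insecure_full.json, note that in the commit message; otherwise the line is redundant. Please also confirm the package key, since the changelog added in insecure_full.json describes requests and its vendored urllib3 rather than anything named "ruffruffs".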
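Review bot: In data/insecure_full.json, the new "<2.5.2" entry carries no advisory identifier and does not say which change makes earlier versions insecure. The neighbouring entries name CVE-2014-1829/CVE-2014-1830 and CVE-2015-2296, but here a consumer has to infer the reason from a full release changelog. Lead with, or trim to, the items under **Security** ("Pulled in an updated ``cacert.pem``" and "Drop RC4 from the default cipher list"), and reword or explain "Disable the built-in hostname verification", which sits under **Bugfixes** and reads like a weakening of TLS checks to anyone scanning this feed without the upstream pull request in front of them.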