Update to 1.26.18.

Mitigates CVE-2023-45803 / GHSA-g4mx-q9vg-27p4.

(cherry picked from commit 0502dda222)

Ref: https://github.com/advisories/GHSA-g4mx-q9vg-27p4

.gitignore

@@ -37,3 +37,6 @@
 /urllib3-1.26.9.tar.gz
 /urllib3-1.26.12.tar.gz
 /urllib3-1.26.15.tar.gz
+/urllib3-1.26.16.tar.gz
+/urllib3-1.26.17.tar.gz
+/urllib3-1.26.18.tar.gz

4855d71.patch

@@ -1,28 +0,0 @@
-From 4855d71ad5535bdff47a0dc5cfe09fb610ff6576 Mon Sep 17 00:00:00 2001
-From: Thomas Grainger <tagrain@gmail.com>
-Date: Sat, 15 Apr 2023 20:41:24 +0100
-Subject: [PATCH] Fix test_ssl_object_attributes
-
-Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
----
- test/test_ssltransport.py | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/test/test_ssltransport.py b/test/test_ssltransport.py
-index a3b7381639..cace51db96 100644
---- a/test/test_ssltransport.py
-+++ b/test/test_ssltransport.py
-@@ -229,8 +229,11 @@ def test_ssl_object_attributes(self) -> None:
-             assert ssock.selected_npn_protocol() is None
- 
-             shared_ciphers = ssock.shared_ciphers()
--            assert type(shared_ciphers) == list
--            assert len(shared_ciphers) > 0
-+            # SSLContext.shared_ciphers() changed behavior completely in a patch version.
-+            # See: https://github.com/python/cpython/issues/96931
-+            assert shared_ciphers is None or (
-+                type(shared_ciphers) is list and len(shared_ciphers) > 0
-+            )
- 
-             assert ssock.compression() is None
- 

python-urllib3.spec

@@ -7,7 +7,7 @@
 %endif
 
 Name:           python-urllib3
-Version:        1.26.15
+Version:        1.26.18
 Release:        1%{?dist}
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 
@@ -16,10 +16,6 @@ License:        MIT
 URL:            https://github.com/urllib3/urllib3
 Source:         %{url}/archive/%{version}/urllib3-%{version}.tar.gz
 
-# Accomodate the test to the changed behavior of SSLContext.shared_ciphers() in CPython
-# See: https://github.com/python/cpython/issues/96931
-Patch:          https://github.com/urllib3/urllib3/commit/4855d71.patch
-
 BuildArch:      noarch
 
 BuildRequires:  python3-devel
@@ -96,7 +92,7 @@ Requires:       python3-urllib3+socks = %{version}-%{release}
 
 
 %prep
-%autosetup -p1 -n urllib3-%{version}
+%autosetup -n urllib3-%{version}
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
 # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
@@ -170,6 +166,16 @@ ignore="${ignore-} --ignore=test/test_no_ssl.py"
 
 
 %changelog
+* Tue Oct 17 2023 Maxwell G <maxwell@gtmx.me> - 1.26.18-1
+- Update to 1.26.18.
+- Mitigates CVE-2023-45803 / GHSA-g4mx-q9vg-27p4.
+
+* Mon Oct 02 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 1.26.17-1
+- Update to 1.26.17: fix CVE-2023-43804 (GHSA-v845-jxx5-vc9f)
+
+* Sat Jul 01 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 1.26.16-1
+- Update to 1.26.16
+
 * Thu May 18 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 1.26.15-1
 - Update to 1.26.15
 

sources

@@ -1 +1 @@
-SHA512 (urllib3-1.26.15.tar.gz) = edd52a05049a047b1bb913de1cc211a6f7b70802e9ddcb639a973fb910bf218210577a5375077b6569ef382c07668ad6057adb67a31475125c2e5517c603131d
+SHA512 (urllib3-1.26.18.tar.gz) = 62c0af4b11e797a85420ef3f0888f2e608334329eddd88b9fe563b5437189cbea8dbbcd53f999557d9828fcf4bf03b8ca9f6e3d401533bc4ae8ff96e3ece1557