
python3Packages.urllib3: 1.26.3 -> 1.26.4, python2Packages.urllib3: add patch for CVE-2021-28363 #117891

Merged: 2 commits, Mar 29, 2021

Conversation

risicle
Contributor

@risicle risicle commented Mar 28, 2021

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2021-28363

We keep two urllib3s, one for py3, one for py2. Bumped the py3 one, applied the patch for the py2 one.

Temporarily enabling tests gets same ~4 unrelated flaky failures as my machine got before, both for the bump and the patched urllib3.

I'm quite confident in the patch because:

  • it's a single line code addition
  • it includes a test which passes when tests are temporarily enabled... wait, no, it is skipped for py2. I will try to think if there's anything I can do about it...

(there still exists another urllib3 for kodi, not addressed here, I assume people who have boutique dependencies know what they're getting themselves in for...)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@aanderse
Member

Hi @mweinelt, thanks for the ping. The CVE listing states:

The urllib3 library 1.26.x before 1.26.4

The version for kodi.packages.urllib3 is 1.25.8+matrix.1 (so a patched version of 1.25) which doesn't appear to be impacted by this 👍 Let me know if you have reason to believe otherwise.
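The range check applied in the comment above ("1.26.x before 1.26.4", with a distro-patched 1.25.8+matrix.1 falling outside it) is easy to get wrong when versions carry local labels or pre-release suffixes. The following is an added example, not code from this PR, from nixpkgs, or from urllib3: it implements only the small subset of PEP 440 needed for the version shapes seen on this page (numeric release segments, a `+local` label, `a`/`b`/`rc`/`dev` pre-release markers, `.postN`), and the range boundaries are taken from the CVE sentence quoted above, not from any other source.

```python
import re

# Affected range as stated in the CVE listing quoted above: "1.26.x before 1.26.4".
# These boundaries are an assumption drawn from that one sentence.
AFFECTED_MINOR = (1, 26)
FIXED_IN = (1, 26, 4)

# Release segment, then an optional pre-release / dev marker. Anything after a "+"
# (a local version label such as "+matrix.1") or ".postN" is deliberately ignored:
# a distro patch label does not move a package into or out of an upstream range.
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?P<pre>[-._]?(?:a|b|c|rc|alpha|beta|pre|preview|dev)\d*)?"
)


def parse_release(version):
    """Return the numeric release segment as a tuple of ints, e.g. (1, 25, 8)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("not a numeric version: %r" % (version,))
    return tuple(int(part) for part in m.group("release").split("."))


def version_key(version):
    """Sort key: (release tuple padded to 3 parts, 1 if final else 0).

    A pre-release such as 1.26.4rc1 sorts *before* 1.26.4, so it is still
    inside "before 1.26.4"; a post-release such as 1.26.3.post1 sorts with 1.26.3.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("not a numeric version: %r" % (version,))
    release = tuple(int(part) for part in m.group("release").split("."))
    padded = release + (0,) * max(0, 3 - len(release))  # "1.26" means 1.26.0
    final = 0 if m.group("pre") else 1
    return padded, final


def is_affected(version):
    """True when `version` is a 1.26.x release earlier than 1.26.4."""
    padded, final = version_key(version)
    if padded[:2] != AFFECTED_MINOR:
        return False
    return (padded, final) < (FIXED_IN, 1)


if __name__ == "__main__":
    # Constructed sample: the versions named on this PR page plus boundary cases.
    sample = ["1.26.3", "1.26.4", "1.25.8+matrix.1", "1.26", "1.26.4rc1",
              "1.26.3.post1", "1.26.4+nixos.1", "1.27.0"]
    for v in sample:
        print("%-16s %s" % (v, "affected" if is_affected(v) else "not affected"))
```

The usual mistake this guards against is comparing strings lexically ("1.26.10" < "1.26.4") or letting a `+local` suffix make a version look newer than it is; both would misclassify the kodi package discussed above.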

@risicle risicle added the 9.needs: port to stable A PR needs a backport to the stable release. label Mar 28, 2021
@risicle
Contributor Author

risicle commented Mar 28, 2021

  • it includes a test which passes when tests are temporarily enabled... wait, no, it is skipped for py2. I will try to think if there's anything I can do about it...

Digging into it a bit, I actually have a feeling that the vulnerable feature isn't supported in py2, so this may just not be vulnerable. Not confident enough to just skip patching though.

@SuperSandro2000
Member

@ofborg eval

@r-rmcgibbo

Result of nixpkgs-review pr 117891 at e7d4edf run on x86_64-linux

133 packages marked as broken and skipped:
  • agdaPackages.iowa-stdlib
  • aqemu
  • awsebcli
  • bareos
  • bonfire
  • cassandra_2_1
  • cassandra_2_2
  • couchdb
  • hadoop
  • hadoop_2_7
  • ...
9478 packages skipped due to time constraints:
  • EBTKS
  • R
  • abcl
  • acd-cli
  • adapta-gtk-theme
  • adoptopenjdk-icedtea-web
  • aerc
  • afew
  • agda (agdaPackages.agda)
  • agda-pkg
  • ...
8 packages built successfully:
  • python38Packages.betamax
  • python38Packages.flask
  • python38Packages.pytest-localserver
  • python38Packages.requests
  • python38Packages.responses
  • python38Packages.sphinx
  • python38Packages.urllib3
  • python38Packages.werkzeug
2 suggestions:
  • warning: unused-argument

    Unused argument: pythonOlder.
    Near pkgs/development/python-modules/urllib3/default.nix:15:3:

       |
    15 | , pythonOlder
       |   ^
    
  • warning: unused-argument

    Unused argument: pythonOlder.
    Near pkgs/development/python-modules/urllib3/default.nix:15:3:

       |
    15 | , pythonOlder
       |   ^
    

@mweinelt mweinelt merged commit 2d92fac into NixOS:staging Mar 29, 2021
@TredwellGit TredwellGit removed the 9.needs: port to stable A PR needs a backport to the stable release. label Aug 20, 2021