Update Python dependency - urllib3 from v1.25.8 to v1.25.9 #1123

PeterDaveHello · 2022-06-30T09:50:41Z

Description

Update Python dependency - urllib3 from v1.25.8 to v1.25.9

Motivation and Context

There's a high severity CVE in current version of urllib3

https://www.cve.org/CVERecord?id=CVE-2020-26137

urllib3 before 1.25.9 allows CRLF injection if the attacker controls
the HTTP request method, as demonstrated by inserting CR and LF
control characters in the first argument of putrequest().

NOTE: this is similar to CVE-2020-26116.

How Has This Been Tested?

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

My change requires a change to the documentation.
I have updated the documentation accordingly.

yubiuser · 2022-06-30T10:32:41Z

Please sign-off your commit.

https://docs.pi-hole.net/guides/github/how-to-signoff/#how-to-amend-a-sign-off

https://www.cve.org/CVERecord?id=CVE-2020-26137 > urllib3 before 1.25.9 allows CRLF injection if the attacker controls > the HTTP request method, as demonstrated by inserting CR and LF > control characters in the first argument of putrequest(). NOTE: this > is similar to CVE-2020-26116. Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>