Merging new release version: 1.18.1

urllib3 · Oct 27, 2016 · 0e1f2f9 · 0e1f2f9
1 parent c32cdbc
commit 0e1f2f9
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,20 @@
 Changes
 =======
 
+1.18.1 (2016-10-27)
+-------------------
+
+* CVE-2016-9015. Users who are using urllib3 version 1.17 or 1.18 along with
+  PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This
+  release fixes a vulnerability whereby urllib3 in the above configuration
+  would silently fail to validate TLS certificates due to erroneously setting
+  invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous
+  flags do not cause a problem in OpenSSL versions before 1.1.0, which
+  interprets the presence of any flag as requesting certificate validation.
+
+  There is no PR for this patch, as it was prepared for simultaneous disclosure
+  and release. There will be a PR for the equivalent fix in the master branch.
+
 1.18 (2016-09-26)
 -----------------
 

diff --git a/urllib3/__init__.py b/urllib3/__init__.py
@@ -32,7 +32,7 @@ def emit(self, record):
 
 __author__ = 'Andrey Petrov (andrey.petrov@shazow.net)'
 __license__ = 'MIT'
-__version__ = '1.18'
+__version__ = '1.18.1'
 
 __all__ = (
     'HTTPConnectionPool',