From 0e1f2f9173a4395f77a911cd27d582299524a3de Mon Sep 17 00:00:00 2001
From: Cory Benfield
Date: Thu, 27 Oct 2016 11:57:33 +0100
Subject: [PATCH] Merging new release version: 1.18.1
---
 CHANGES.rst | 14 ++++++++++++++
 urllib3/__init__.py | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index b1cac7a381..9ed4c3a005 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,20 @@
 Changes
 =======
+1.18.1 (2016-10-27)
+-------------------
+
+* CVE-2016-9015. Users who are using urllib3 version 1.17 or 1.18 along with
+ PyOpenSSL injection and OpenSSL 1.1.0 *must* upgrade to this version. This
+ release fixes a vulnerability whereby urllib3 in the above configuration
+ would silently fail to validate TLS certificates due to erroneously setting
+ invalid flags in OpenSSL's ``SSL_CTX_set_verify`` function. These erroneous
+ flags do not cause a problem in OpenSSL versions before 1.1.0, which
+ interprets the presence of any flag as requesting certificate validation.
+
+ There is no PR for this patch, as it was prepared for simultaneous disclosure
+ and release. There will be a PR for the equivalent fix in the master branch.
+
 1.18 (2016-09-26)
 -----------------
diff --git a/urllib3/__init__.py b/urllib3/__init__.py
index e7e622cd6a..c47ed457e2 100644
--- a/urllib3/__init__.py
+++ b/urllib3/__init__.py
@@ -32,7 +32,7 @@ def emit(self, record):
 __author__ = 'Andrey Petrov (andrey.petrov@shazow.net)'
 __license__ = 'MIT'
-__version__ = '1.18'
+__version__ = '1.18.1'
 __all__ = (
 'HTTPConnectionPool',