Update urllib3 version due to vulnerabilities #12
Open
sestremlcvista wants to merge 1 commit into RusticiSoftware:master from
Conversation
Contributor
Hello! We appreciate you taking the time to contribute to our client libraries, however since we generate them with swagger-codegen, we are not able to merge changes directly into this repo as they would be lost when the client is regenerated. We are in the midst of updating the templates now to account for these types of issues across all of our libraries. The updates should be coming in the next week or so as we are just wrapping up the last language we support. Let me know if you have any additional questions, I'd be happy to help.
Code Changes Needed
On December 5, a deployment triggered a breaking change in an upstream dependency (urllib3) required by the SCORM Cloud SDK. The SCORM SDK (rustici_software_cloud_v2) depends on HTTPResponse.getheader(), a method that was removed in urllib3 v2.6. The deployment inadvertently upgraded urllib3 from version 2.5 to version 2.6, immediately breaking SCORM API calls.
Impact
urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, zstd).
However, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data.
Affected usages
Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.
Remediation
Upgrade to at least urllib3 v2.6.3 in which the library limits the number of links to 5.
If upgrading is not immediately possible, use preload_content=False and ensure that resp.headers["content-encoding"] contains a safe number of encodings before reading the response content.
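The workaround described above, as an added example that is not part of the pull request or of the SCORM Cloud SDK: a helper that inspects the Content-Encoding chain before the body is read, plus a header lookup that does not rely on the removed HTTPResponse.getheader(). It assumes the response object exposes `.headers`, `.read()` and `.close()` (as a urllib3 HTTPResponse opened with preload_content=False does); the 5-link cap is taken from the post and the sample responses are constructed, so the block runs offline without urllib3 installed.

```python
"""Guard against unbounded Content-Encoding chains before decoding a response."""
from typing import List, Mapping, Optional

# Limit taken from the post (urllib3 >= 2.6.3 allows at most 5 links); assumption
# that this is the right cap for the caller's own policy as well.
MAX_ENCODING_LINKS = 5


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup.

    Works on a plain dict and on urllib3's resp.headers (an HTTPHeaderDict),
    so callers do not need the HTTPResponse.getheader() method removed in 2.6.
    """
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_content_encoding(value: Optional[str]) -> List[str]:
    """Split a Content-Encoding value into its ordered list of codings.

    RFC 9110 allows a comma-separated list (e.g. "gzip, zstd"); tokens are
    case-insensitive and empty list elements are ignored.
    """
    if not value:
        return []
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def encoding_chain_is_safe(headers: Mapping[str, str],
                           max_links: int = MAX_ENCODING_LINKS) -> bool:
    """True when the number of chained codings is within the allowed limit."""
    chain = parse_content_encoding(get_header(headers, "Content-Encoding"))
    return len(chain) <= max_links


def read_body_safely(resp, max_links: int = MAX_ENCODING_LINKS) -> bytes:
    """Read the body only after checking the decompression chain length.

    `resp` must have been obtained with preload_content=False, otherwise
    urllib3 has already decoded the body before this check can run.
    """
    if not encoding_chain_is_safe(resp.headers, max_links):
        # Drop the connection without decoding anything.
        resp.close()
        raise ValueError(
            "refusing to decode response: Content-Encoding chain longer than %d"
            % max_links
        )
    return resp.read()


class FakeResponse:
    """Constructed stand-in for a urllib3 HTTPResponse; no network I/O."""

    def __init__(self, headers: Mapping[str, str], body: bytes) -> None:
        self.headers = headers
        self._body = body
        self.closed = False

    def read(self) -> bytes:
        return self._body

    def close(self) -> None:
        self.closed = True


def demo() -> dict:
    """Run the check against a benign and a hostile constructed response."""
    benign = FakeResponse({"Content-Encoding": "gzip, zstd"}, b"ok")
    # Constructed hostile header: six chained codings, one more than the cap.
    hostile = FakeResponse({"content-encoding": ", ".join(["gzip"] * 6)}, b"bomb")
    result = {"benign_body": read_body_safely(benign)}
    try:
        read_body_safely(hostile)
        result["hostile_rejected"] = False
    except ValueError:
        result["hostile_rejected"] = True
    result["hostile_closed"] = hostile.closed
    return result


if __name__ == "__main__":
    # With real urllib3 the call would be:
    #   resp = urllib3.PoolManager().request("GET", url, preload_content=False)
    #   body = read_body_safely(resp)
    print(demo())
```

The check runs on the headers only, so nothing from the body is decompressed until the chain length has been verified; an over-long chain closes the connection instead of allocating memory for the decoded data.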