From 12bc1352978557de68caaeea005113cd76039210 Mon Sep 17 00:00:00 2001
From: ConductAI Bot
Date: Sat, 13 Jun 2026 21:20:47 +0000
Subject: [PATCH] fix: bump urllib3 upper bound to <=2.7.0 for CVE-2026-44431/CVE-2026-44432 (#10350)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

urllib3 2.7.0 compatibility — CVE-2026-44431 and CVE-2026-44432 - Updated urllib3 constraint in pyproject.toml from <=2.6.3 to <=2.7.0 - Updated all four download-deps lock files to pin urllib3==2.7.0 with correct SHA256 hashes from PyPI (whl and sdist) - Added changelog entry under .changes/next-release/urllib3-270-cve.json CVE-2026-44431 (CVSS 8.2): sensitive headers not stripped on cross-origin redirects when using ProxyManager API path CVE-2026-44432 (CVSS 8.9): decompression bomb via Brotli streaming API Fixes #10350
---
 .changes/next-release/urllib3-270-cve.json | 5 +++++
 pyproject.toml | 2 +-
 requirements/download-deps/portable-exe-lock.txt | 6 +++---
 requirements/download-deps/portable-exe-win-lock.txt | 6 +++---
 requirements/download-deps/system-sandbox-lock.txt | 6 +++---
 requirements/download-deps/system-sandbox-win-lock.txt | 6 +++---
 6 files changed, 18 insertions(+), 13 deletions(-)
 create mode 100644 .changes/next-release/urllib3-270-cve.json

diff --git a/.changes/next-release/urllib3-270-cve.json b/.changes/next-release/urllib3-270-cve.json
new file mode 100644
index 000000000000..7e098d477300
--- /dev/null
+++ b/.changes/next-release/urllib3-270-cve.json
@@ -0,0 +1,5 @@
+{
+ "type": "bugfix",
+ "category": "dependencies",
+ "description": "Bumped urllib3 upper bound to <=2.7.0 to address CVE-2026-44431 (sensitive header stripping on cross-origin redirects, CVSS 8.2) and CVE-2026-44432 (Brotli decompression bomb, CVSS 8.9)."
+}
diff --git a/pyproject.toml b/pyproject.toml
index 15a613d57ac4..00e580d3545a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -44,7 +44,7 @@ dependencies = [
 "awscrt==0.32.2",
 "python-dateutil>=2.1,<=2.9.0",
 "jmespath>=0.7.1,<1.1.0",
- "urllib3>=1.25.4,<=2.6.3",
+ "urllib3>=1.25.4,<=2.7.0",
 "wcwidth<0.3.0",
 ]
 dynamic = ["version"]
diff --git a/requirements/download-deps/portable-exe-lock.txt b/requirements/download-deps/portable-exe-lock.txt
index 9b493d98ab5c..a066b7e232c9 100644
--- a/requirements/download-deps/portable-exe-lock.txt
+++ b/requirements/download-deps/portable-exe-lock.txt
@@ -191,9 +191,9 @@ six==1.17.0 \
 --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \
 --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81
 # via python-dateutil
-urllib3==2.6.3 \
- --hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
- --hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
+urllib3==2.7.0 \
+ --hash=sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897 \
+ --hash=sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c
 # via awscli (pyproject.toml)
 wcwidth==0.2.14 \
 --hash=sha256:4d478375d31bc5395a3c55c40ccdf3354688364cd61c4f6adacaa9215d0b3605 \
diff --git a/requirements/download-deps/portable-exe-win-lock.txt b/requirements/download-deps/portable-exe-win-lock.txt
index 855b5287babb..42625c3e651e 100644
--- a/requirements/download-deps/portable-exe-win-lock.txt
+++ b/requirements/download-deps/portable-exe-win-lock.txt
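Review bot: The new constraint `"urllib3>=1.25.4,<=2.7.0"` only raises the ceiling, so any install resolved from pyproject.toml rather than from the lock files can still select 2.6.3 or older, which the description presents as the releases affected by CVE-2026-44431 and CVE-2026-44432; only the four lock-file hunks in this commit actually pin 2.7.0. If compatibility permits, raise the floor to the first fixed release as well, e.g. `"urllib3>=2.7.0,<=2.7.0"`, or otherwise state in the changelog entry that the remediation is effective only for builds produced from the lock files. The exact affected version range is not given on the page, so confirm it against the advisories before choosing the floor. The enclosing `[project]` table header lies outside the hunk.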
@@ -193,9 +193,9 @@ six==1.17.0 \
 --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \
 --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81
 # via python-dateutil
-urllib3==2.6.3 \
- --hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
- --hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
+urllib3==2.7.0 \
+ --hash=sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897 \
+ --hash=sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c
 # via awscli (D:/a/aws-cli/aws-cli/pyproject.toml)
 wcwidth==0.2.14 \
 --hash=sha256:4d478375d31bc5395a3c55c40ccdf3354688364cd61c4f6adacaa9215d0b3605 \
diff --git a/requirements/download-deps/system-sandbox-lock.txt b/requirements/download-deps/system-sandbox-lock.txt
index 58d9a952c08f..56e4f75c3bec 100644
--- a/requirements/download-deps/system-sandbox-lock.txt
+++ b/requirements/download-deps/system-sandbox-lock.txt
@@ -153,9 +153,9 @@ six==1.17.0 \
 --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \
 --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81
 # via python-dateutil
-urllib3==2.6.3 \
- --hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
- --hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
+urllib3==2.7.0 \
+ --hash=sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897 \
+ --hash=sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c
 # via awscli (pyproject.toml)
 wcwidth==0.2.14 \
 --hash=sha256:4d478375d31bc5395a3c55c40ccdf3354688364cd61c4f6adacaa9215d0b3605 \
diff --git a/requirements/download-deps/system-sandbox-win-lock.txt b/requirements/download-deps/system-sandbox-win-lock.txt
index 5c2bc025b32b..a3082080bac4 100644
--- a/requirements/download-deps/system-sandbox-win-lock.txt
+++ b/requirements/download-deps/system-sandbox-win-lock.txt
@@ -153,9 +153,9 @@ six==1.17.0 \
 --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \
 --hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81
 # via python-dateutil
-urllib3==2.6.3 \
- --hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
- --hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
+urllib3==2.7.0 \
+ --hash=sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897 \
+ --hash=sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c
 # via awscli (D:/a/aws-cli/aws-cli/pyproject.toml)
 wcwidth==0.2.14 \
 --hash=sha256:4d478375d31bc5395a3c55c40ccdf3354688364cd61c4f6adacaa9215d0b3605 \