Skip to content

SG-43679 Fix urllib3, requests, and idna security vulnerabilities#105

Draft
stevelittlefish wants to merge 1 commit into
masterfrom
ticket/SG-43679-fix-urllib3-requests-idna-vulnerabilities
Draft

SG-43679 Fix urllib3, requests, and idna security vulnerabilities#105
stevelittlefish wants to merge 1 commit into
masterfrom
ticket/SG-43679-fix-urllib3-requests-idna-vulnerabilities

Conversation

@stevelittlefish

Copy link
Copy Markdown
Contributor

Summary

Fixes security vulnerabilities reported in SG-43679 across all supported Python versions.

Python 3.10, 3.11, 3.13 - all CVEs fixed:

  • urllib3 2.6.3 -> 2.7.0 - fixes CVE-2026-44432 (decompression-bomb bypass) and sensitive headers forwarded across origins
  • requests 2.32.5 -> 2.33.0 - fixes insecure temp file reuse in extract_zipped_paths()
  • idna 3.7 -> 3.15 - fixes CVE-2024-3651 bypass

Python 3.9 - partial fix only:

  • idna 3.7 -> 3.15 only
  • urllib3 and requests patches require Python 3.10+ - the fix versions dropped Python 3.9 support

Also fixes update_python_packages.py to handle top-level .pyd/.so binary extension files installed by charset-normalizer 3.4.7 (mypyc-compiled extensions), which caused an assertion failure in the package count check.

Addresses dependabot alerts: #68, #65-#67, #69-#73 (urllib3), #64, #57-#63 (requests), #83, #75-#82 (idna).

Upgrades for Python 3.10, 3.11, and 3.13:
- urllib3 2.6.3 -> 2.7.0 (CVE-2026-44432, sensitive headers CVE)
- requests 2.32.5 -> 2.33.0 (insecure temp file reuse)
- idna 3.7 -> 3.15 (CVE-2024-3651 bypass)

Python 3.9 partial fix (urllib3 and requests dropped Python 3.9 support
in the patched versions):
- idna 3.7 -> 3.15 only

Also fixes update_python_packages.py to exclude top-level .pyd/.so binary
extension files (mypyc-compiled extensions from charset-normalizer 3.4.7)
from the package count assertion.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant