
Conversation

@gnossen (Contributor) commented Dec 12, 2018

This PR updates urllib3 to avoid CVE-2018-20060. This update process will be automatic after #17177 is resolved.

(cherry-pick of #17476)

@gnossen added the labels lang/Python and "release notes: yes" (Indicates if PR needs to be in release notes) on Dec 12, 2018
@grpc-testing

****************************************************************

libgrpc.so

     VM SIZE        FILE SIZE
 ++++++++++++++  ++++++++++++++

  [ = ]       0        0  [ = ]


****************************************************************

libgrpc++.so

     VM SIZE        FILE SIZE
 ++++++++++++++  ++++++++++++++

  [ = ]       0        0  [ = ]



@lidizheng (Contributor)

urllib3 is not present in setup.py, and requirement.bazel.txt is used only by Bazel. I'm not sure if the CVE will affect our build or not.

@grpc-testing

[trickle] No significant performance differences

@gnossen (Contributor, Author) commented Dec 12, 2018

@lidizheng Agree. But a reference to a vulnerable version of a dependency on one of our release branches could be seen as tacit approval of that artifact, which could expose ourselves and our users to unnecessary risk.
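The concern above is that a release branch still carrying a pin to a known-vulnerable urllib3 is a risk even when the file is only consumed by Bazel. The following is an added example (not code from this PR or from gRPC) of the kind of check a CI job could run over a pinned requirements file to flag such references. It assumes that versions of urllib3 below 1.23 are the ones affected by CVE-2018-20060; that boundary is taken from the public advisory, not from this page, and the sample file contents are constructed.

```python
"""Flag exact pins in a requirements file that fall inside a known-vulnerable range."""
import re
from typing import Dict, List, Tuple

# Advisory table: package name -> (first fixed version, advisory id).
# The 1.23 boundary for CVE-2018-20060 is an assumption taken from the public
# advisory; extend this table for other packages as needed.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "urllib3": ("1.23", "CVE-2018-20060"),
}

# Matches lines of the form "name==version", optionally followed by a comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(version: str, width: int = 3) -> Tuple[int, ...]:
    """Turn '1.22' or '1.24.1' into a zero-padded integer tuple for safe comparison.

    Padding avoids the pitfall where (1, 22) would compare lower than (1, 22, 0).
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def scan_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory) for every vulnerable exact pin.

    Lines that are not exact pins (ranges, comments, blank lines) are skipped,
    because a version range cannot be compared against a single fixed version.
    """
    findings: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if not match:
            continue
        name, pinned = match.group(1).lower(), match.group(2)
        if name not in ADVISORIES:
            continue
        fixed, advisory = ADVISORIES[name]
        if parse_version(pinned) < parse_version(fixed):
            findings.append((name, pinned, advisory))
    return findings


# Constructed sample modelled on a Bazel-only requirements file.
SAMPLE_REQUIREMENTS = """# constructed sample, not the real gRPC file
six==1.10.0
urllib3==1.22
requests>=2.18  # not an exact pin; skipped
"""

if __name__ == "__main__":
    for name, pinned, advisory in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}=={pinned} is affected by {advisory}; bump the pin")
```

Running this against the constructed sample reports the `urllib3==1.22` pin. In a real pipeline the advisory table would be fed from a vulnerability database rather than hard-coded, and the job would fail the build when `scan_requirements` returns anything, which is the automatic process the PR description refers to.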

@grpc-testing

Objective-C binary sizes
*****************STATIC******************
  New size                      Old size
 2,020,508      Total (=)      2,020,508

 No significant differences in binary sizes

***************FRAMEWORKS****************
  New size                      Old size
11,175,633      Total (<)     11,175,635

 No significant differences in binary sizes


@gnossen (Contributor, Author) commented Dec 12, 2018

Flake: #16497

@grpc-testing

Corrupt JSON data (indicates timeout or crash): 
    bm_call_create.BM_IsolatedFilter_ClientChannelFilter_NoOp_.counters.new: 10
    bm_call_create.BM_IsolatedFilter_ClientChannelFilter_NoOp_.counters.old: 10


[microbenchmarks] No significant performance differences

@srini100 srini100 merged commit 02df04e into v1.17.x Dec 12, 2018
@gnossen gnossen deleted the update-urllib-v1.17.x branch December 12, 2018 22:11
@lock bot locked as resolved and limited conversation to collaborators Mar 12, 2019
Labels: infra/Bazel, lang/Python, release notes: yes (Indicates if PR needs to be in release notes)