
Update urllib3 to avoid security vulnerability #17477

Merged
srini100 merged 1 commit into v1.17.x from update-urllib-v1.17.x
Dec 12, 2018


Conversation

@gnossen (Contributor) commented Dec 12, 2018

This PR updates urllib3 to avoid CVE-2018-20060. This update process will be automatic after #17177 is resolved.

(cherry-pick of #17476)

gnossen added the lang/Python and "release notes: yes" labels Dec 12, 2018
@grpc-testing

****************************************************************

libgrpc.so

     VM SIZE        FILE SIZE
 ++++++++++++++  ++++++++++++++

  [ = ]       0        0  [ = ]


****************************************************************

libgrpc++.so

     VM SIZE        FILE SIZE
 ++++++++++++++  ++++++++++++++

  [ = ]       0        0  [ = ]



@lidizheng (Contributor)

urllib3 is not present in setup.py, and requirement.bazel.txt is used only by Bazel. I'm not sure whether the CVE will affect our build or not.

@grpc-testing

[trickle] No significant performance differences

@gnossen (Contributor, Author) commented Dec 12, 2018

@lidizheng Agree. But a reference to a vulnerable version of a dependency on one of our release branches could be seen as tacit approval of that artifact, which could expose us and our users to unnecessary risk.
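The concern raised above (a vulnerable urllib3 pin sitting in a requirements file on a release branch) is the kind of thing a repository-side check can catch before a branch ships. What follows is an added example, not code from the gRPC project or from this PR: a stdlib-only Python audit that parses `==` pins out of a requirements file and flags any that sit below a known-fixed version. The requirements text, the `find_vulnerable_pins` helper and its companions are constructed for the example; the 1.23 threshold is the urllib3 release recorded as fixing CVE-2018-20060 and should be confirmed against the CVE record rather than taken from this page.

```python
"""Audit a pip requirements file for pins below a known-fixed version.

Added example (not gRPC's or urllib3's code): flags lines such as
``urllib3==1.22`` that pin a package to a release older than the first
version that fixes a given advisory.
"""
import re
from typing import Dict, List, Tuple

# Constructed requirements file contents for this example; this is NOT the
# real requirements.bazel.txt from the gRPC repository.
SAMPLE_REQUIREMENTS = """\
# build deps
coverage==4.5.1
urllib3==1.22          # pinned before the CVE-2018-20060 fix
six>=1.10
requests==2.19.1
# already-fixed pin
cryptography==2.3.1
"""

# Minimum acceptable versions.  1.23 is the urllib3 release recorded as
# fixing CVE-2018-20060 (assumption for this example; verify against the
# CVE record before relying on it).
MIN_FIXED_VERSIONS: Dict[str, str] = {
    "urllib3": "1.23",
}

# Matches "name==version" with optional surrounding whitespace.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.22.1' into (1, 22, 1).  Trailing zeros are dropped so that
    '1.23' and '1.23.0' compare equal; a non-numeric component (rc1,
    post2) ends the parse rather than raising."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_pins(requirements: str) -> Dict[str, str]:
    """Return {normalised_name: pinned_version} for every exact '==' pin.
    Comments are stripped first; ranges such as 'six>=1.10', blank lines
    and comment-only lines are skipped."""
    pins: Dict[str, str] = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0]
        m = _PIN_RE.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins[name] = m.group(2)
    return pins


def find_vulnerable_pins(
    requirements: str,
    minimums: Dict[str, str] = MIN_FIXED_VERSIONS,
) -> List[Tuple[str, str, str]]:
    """Return (package, pinned_version, minimum_fixed_version) for each
    pin that is strictly below its known-fixed version."""
    findings: List[Tuple[str, str, str]] = []
    for name, pinned in parse_pins(requirements).items():
        minimum = minimums.get(name)
        if minimum is not None and parse_version(pinned) < parse_version(minimum):
            findings.append((name, pinned, minimum))
    return findings


if __name__ == "__main__":
    for name, pinned, minimum in find_vulnerable_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}=={pinned} is below the fixed version {minimum}")
```

Only exact `==` pins are checked: a range such as `six>=1.10` is skipped, so a dependency that is resolved at install time is not covered. And, as lidizheng notes above, a file that only Bazel reads does not constrain what `setup.py` installs, so the same audit has to be run against every requirements source a branch carries, not just one of them.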

@grpc-testing

Objective-C binary sizes
*****************STATIC******************
  New size                      Old size
 2,020,508      Total (=)      2,020,508

 No significant differences in binary sizes

***************FRAMEWORKS****************
  New size                      Old size
11,175,633      Total (<)     11,175,635

 No significant differences in binary sizes


@gnossen (Contributor, Author) commented Dec 12, 2018

Flake: #16497

@grpc-testing

Corrupt JSON data (indicates timeout or crash): 
    bm_call_create.BM_IsolatedFilter_ClientChannelFilter_NoOp_.counters.new: 10
    bm_call_create.BM_IsolatedFilter_ClientChannelFilter_NoOp_.counters.old: 10


[microbenchmarks] No significant performance differences

srini100 merged commit 02df04e into v1.17.x Dec 12, 2018
gnossen deleted the update-urllib-v1.17.x branch December 12, 2018 22:11
lock bot locked as resolved and limited conversation to collaborators Mar 12, 2019

Labels

infra/Bazel, lang/Python, release notes: yes


5 participants