• Bug#1101417: pydantic-core - upcoming rust-idna update

    From Peter Green@21:1/5 to All on Thu Mar 27 09:50:01 2025
    Package: pydantic-core
    Version: 2.27.2-1

    I hope to update rust-idna soon to version 1.0.3 to fix CVE-2024-12224;
    the Debian build-dependencies for your package allow the new version,
    but the Cargo dependency does not.

    After relaxing the cargo dependency, I ran into some test failures.
    I think these are just oversensitive tests, but any feedback would
    be appreciated.

    An example of one of the errors is:

    E AssertionError: Regex pattern did not match.
    E Regex: 'Input\\ should\\ be\\ a\\ valid\\ URL,\\ invalid\\ domain\\ character\\ \\[type=url_parsing,'
    E Input: "1 validation error for url\n Input should be a valid URL, invalid international domain name [type=url_parsing, input_value='http://127.0.0.1%0d%0aConnection%3a%20keep-alive', input_type=str]\n For further information visit https://errors.pydantic.dev/latest/v/url_parsing"

    The new versions of rust-idna and rust-url have been uploaded to
    experimental.

    Attached debdiff:

    diff -Nru pydantic-core-2.27.2/debian/cargo_home/config.toml pydantic-core-2.27.2/debian/cargo_home/config.toml
    --- pydantic-core-2.27.2/debian/cargo_home/config.toml	2024-12-18 23:11:09.000000000 +0000
    +++ pydantic-core-2.27.2/debian/cargo_home/config.toml	2025-03-27 08:17:41.000000000 +0000
    @@ -1,8 +1,11 @@
    -[source]
    +[source.crates-io]
    +replace-with = "dh-cargo-registry"
     
    -[source.debian]
    -directory = "/usr/share/cargo/registry/"
    +[source.dh-cargo-registry]
    +directory = "/pydantic-core-2.27.2/debian/cargo_registry"
     
    -[source.crates-io]
    -replace-with = "debian"
    +[build]
    +rustflags = ['-C', 'debuginfo=2', '-C', 'strip=none', '--cap-lints', 'warn', '-C', 'linker=x86_64-linux-gnu-gcc', '-C', 'link-arg=-Wl,-z,relro', '-C', 'link-arg=-Wl,-z,now', '--remap-path-prefix', '/pydantic-core-2.27.2=/usr/share/cargo/registry/pydantic-core-2.27.2', '--remap-path-prefix', '/pydantic-core-2.27.2/debian/cargo_registry=/usr/share/cargo/registry']
     
    +[profile.release]
    +debug = true
    diff -Nru pydantic-core-2.27.2/debian/changelog pydantic-core-2.27.2/debian/changelog
    --- pydantic-core-2.27.2/debian/changelog	2024-12-18 23:11:09.000000000 +0000
    +++ pydantic-core-2.27.2/debian/changelog	2025-03-27 08:23:30.000000000 +0000
    @@ -1,3 +1,10 @@
    +pydantic-core (2.27.2-1.1) UNRELEASED; urgency=medium
    +
    +  * Non-maintainer upload.
    +  * Relax cargo dependency on idna crate.
    +
    + -- root <cjwatson@debian.org>  Thu, 27 Mar 2025 08:23:30 +0000
    +
     pydantic-core (2.27.2-1) unstable; urgency=medium
     
       * Team upload.
    diff -Nru pydantic-core-2.27.2/debian/.gitignore pydantic-core-2.27.2/debian/.gitignore
    --- pydantic-core-2.27.2/debian/.gitignore	2024-12-18 23:11:09.000000000 +0000
    +++ pydantic-core-2.27.2/debian/.gitignore	1970-01-01 00:00:00.000000000 +0000
    @@ -1,2 +0,0 @@
    -/cargo_registry
    -/files
    diff -Nru pydantic-core-2.27.2/debian/patches/0001-Fudge-rust-crate-version-requirements.patch pydantic-core-2.27.2/debian/patches/0001-Fudge-rust-crate-version-requirements.patch
    --- pydantic-core-2.27.2/debian/patches/0001-Fudge-rust-crate-version-requirements.patch	2024-12-18 23:11:09.000000000 +0000
    +++ pydantic-core-2.27.2/debian/patches/0001-Fudge-rust-crate-version-requirements.patch	2025-03-27 07:56:33.000000000 +0000
    @@ -16,7 +16,7 @@
      url = "2.5.0"
      # idna is already required by url, added here to be explicit
     -idna = "1.0.2"
    -+idna = "0.4.0"
    ++idna = ">= 0.4.0"
      base64 = "0.22.1"
      num-bigint = "0.4.6"
      python3-dll-a = "0.2.10"
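    Review bot: the debian/cargo_home/config.toml hunk (@@ -1,8 +1,11 @@) should not be in this debdiff. It swaps the packaged [source.debian] registry at /usr/share/cargo/registry/ for a [source.dh-cargo-registry] pointing into the build tree (/pydantic-core-2.27.2/debian/cargo_registry) and adds [build] rustflags with --remap-path-prefix and a host-specific linker plus a [profile.release] debug = true section; absolute build-tree paths like these are what a build rewrites into this file, not a change to ship. Regenerate the debdiff from a clean unpacked source so only the changelog and patch hunks remain.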
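    Review bot: the changelog hunk's trailer '+ -- root <cjwatson@debian.org>  Thu, 27 Mar 2025 08:23:30 +0000' carries 'root' as the uploader name and the entry is still UNRELEASED; set DEBFULLNAME/DEBEMAIL to the real uploader before regenerating the entry and change the distribution to unstable for the upload. The bullet '* Relax cargo dependency on idna crate.' would also serve future readers better if it named the reason (rust-idna 1.0.3 / CVE-2024-12224) and closed this report with 'Closes: #1101417'.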
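    Review bot: the debian/.gitignore hunk (@@ -1,2 +0,0 @@) deletes the ignore entries for /cargo_registry and /files, which nothing in the report asks for; the new side is dated 1970-01-01, i.e. the file is simply missing in the compared tree, so this reads as an artifact of how the debdiff was produced and should be dropped from the upload.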
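    Review bot: in the debian/patches/0001-Fudge-rust-crate-version-requirements.patch hunk, '++idna = ">= 0.4.0"' turns the old caret requirement (Cargo reads '0.4.0' as >=0.4.0, <0.5.0) into an open-ended bound that also admits any future idna major. The context line ' -idna = "1.0.2"' shows upstream already requires ^1.0.2, which rust-idna 1.0.3 satisfies, so once the new crate is in unstable the cleaner change is to drop the idna line from the fudge patch altogether (matching the build-dependency that already allows 1.0.3) rather than widen it.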

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
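    The Cargo side of the report above, that a bare "0.4.0" requirement refuses idna 1.0.3 while ">= 0.4.0" admits it, can be checked without cargo. The following is an added example, not code from pydantic-core, Debian's packaging or cargo itself: it reimplements Cargo's caret, tilde and comparison requirement rules in Python for plain x.y.z versions (pre-release tags are deliberately unsupported), and the candidate requirement strings in idna_requirement_matrix() are constructed for illustration.

```python
"""Cargo-style version-requirement matching (added example, not project code).

Cargo's default (caret) requirement "0.4.0" means >=0.4.0, <0.5.0: the
leftmost non-zero component is frozen.  A comparison requirement such as
">= 0.4.0" has no upper bound at all.  This is why the Debian fudge patch
had to change before rust-idna 1.0.3 could satisfy pydantic-core's Cargo.toml.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> "Version":
        # Pre-release/build metadata (1.0.0-beta.1) is deliberately unsupported.
        parts = text.strip().split(".")
        if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"unsupported version: {text!r}")
        nums = [int(p) for p in parts] + [0] * (3 - len(parts))
        return cls(*nums)


def caret_upper(base: Version, given: int) -> Version:
    """Exclusive upper bound of a caret requirement (Cargo's default).

    ^1.2.3 < 2.0.0, ^0.2.3 < 0.3.0, ^0.0.3 < 0.0.4; with fewer components
    written, ^0 < 1.0.0 and ^0.0 < 0.1.0.  `given` is the component count.
    """
    if base.major > 0 or given == 1:
        return Version(base.major + 1, 0, 0)
    if base.minor > 0 or given == 2:
        return Version(0, base.minor + 1, 0)
    return Version(0, 0, base.patch + 1)


_REQ = re.compile(r"(>=|<=|=|>|<|\^|~)?\s*(\d+(?:\.\d+){0,2})")

_COMPARE: dict[str, Callable[[Version, Version], bool]] = {
    "=": lambda v, r: v == r,
    ">": lambda v, r: v > r,
    ">=": lambda v, r: v >= r,
    "<": lambda v, r: v < r,
    "<=": lambda v, r: v <= r,
}


def parse_requirement(req: str) -> Callable[[Version], bool]:
    """Turn one clause such as '0.4.0', '>= 0.4.0' or '~1.2' into a predicate."""
    m = _REQ.fullmatch(req.strip())
    if not m:
        raise ValueError(f"unsupported requirement: {req!r}")
    op, vtext = m.group(1) or "^", m.group(2)
    base = Version.parse(vtext)
    given = vtext.count(".") + 1
    if op == "^":
        upper = caret_upper(base, given)
        return lambda v: base <= v < upper
    if op == "~":
        # ~1.2.3 and ~1.2 freeze major.minor; ~1 freezes only major.
        upper = (Version(base.major, base.minor + 1, 0) if given >= 2
                 else Version(base.major + 1, 0, 0))
        return lambda v: base <= v < upper
    if given < 3 and op not in (">=", "<"):
        # Zero-padding a partial version is only right for >= and <;
        # Cargo reads '>1.2' as >=1.3.0, so insist on x.y.z there.
        raise ValueError(f"give a full x.y.z version with {op!r}: {req!r}")
    return lambda v: _COMPARE[op](v, base)


def satisfies(version: str, requirement: str) -> bool:
    """True when `version` meets every comma-separated clause of `requirement`."""
    v = Version.parse(version)
    return all(parse_requirement(clause)(v) for clause in requirement.split(","))


def idna_requirement_matrix() -> dict[str, tuple[bool, bool]]:
    """Constructed candidates for the idna line: does each admit the old 0.4.0
    series and the CVE-fixed 1.0.3?  Values are (0.4.0 ok, 1.0.3 ok)."""
    candidates = ["0.4.0", "1.0.2", ">= 0.4.0", ">= 0.4.0, < 2"]
    return {r: (satisfies("0.4.0", r), satisfies("1.0.3", r)) for r in candidates}


if __name__ == "__main__":
    for req, (old, new) in idna_requirement_matrix().items():
        print(f'idna = "{req}"'.ljust(28), f"0.4.0: {old!s:5}  1.0.3: {new}")
```

    Running it prints one row per candidate: "0.4.0" accepts 0.4.0 but not 1.0.3, upstream's own "1.0.2" accepts 1.0.3 but not 0.4.0, and ">= 0.4.0" accepts both along with every future major. Inside a distribution, where the crate set is curated, that open bound is harmless; in an upstream Cargo.toml it would also pull in a future idna 2.x with an incompatible API, which is what an explicit "< 2" clause documents.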
  • From Colin Watson@21:1/5 to Peter Green on Thu Mar 27 12:10:02 2025
    Control: forwarded -1 https://github.com/pydantic/pydantic-core/pull/1585
    Control: tag -1 fixed-upstream

    On Thu, Mar 27, 2025 at 08:42:26AM +0000, Peter Green wrote:
    > I hope to update rust-idna soon to version 1.0.3 to fix CVE-2024-12224;
    > the Debian build-dependencies for your package allow the new version,
    > but the Cargo dependency does not.
    >
    > After relaxing the cargo dependency, I ran into some test failures.
    > I think these are just oversensitive tests, but any feedback would
    > be appreciated.
    >
    > An example of one of the errors is:
    >
    > E AssertionError: Regex pattern did not match.
    > E Regex: 'Input\\ should\\ be\\ a\\ valid\\ URL,\\ invalid\\ domain\\ character\\ \\[type=url_parsing,'
    > E Input: "1 validation error for url\n Input should be a valid URL, invalid international domain name [type=url_parsing, input_value='http://127.0.0.1%0d%0aConnection%3a%20keep-alive', input_type=str]\n For further information visit https://errors.pydantic.dev/latest/v/url_parsing"

    This was fixed upstream in
    https://github.com/pydantic/pydantic-core/pull/1585. Since the new
    tests won't work with the old rust-url, unless you object, I think it
    would be simplest for us to just cherry-pick that at the same time as
    doing the rust-url update in unstable, and maybe have the new
    librust-url-dev declare Breaks on previous versions of
    python3-pydantic-core so that britney knows to migrate them together.

    (Although this is in pydantic-core >= 2.30.0, I deliberately haven't
    upgraded to that yet because I'm waiting for a compatible pydantic
    release.)

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Peter Michael Green@21:1/5 to Colin Watson on Sun Apr 6 02:10:01 2025
    severity 1101417 serious
    thanks

    On 27/03/2025 11:06, Colin Watson wrote:
    > This was fixed upstream in https://github.com/pydantic/pydantic-core/pull/1585. Since the new
    > tests won't work with the old rust-url, unless you object, I think it
    > would be simplest for us to just cherry-pick that at the same time as
    > doing the rust-url update in unstable,

    The new rust-idna and rust-url are now in unstable. Please go ahead with
    the update to pydantic-core.
