
Bump urllib3 from 1.24.1 to 1.25.3 #318

Merged: 2 commits merged into master, Nov 20, 2019

Conversation

@sssoleileraaa (Contributor) commented Oct 30, 2019

Bumps urllib3 from 1.24.1 to 1.25.3.

Changelog

Sourced from urllib3's changelog.

1.25.3 (2019-05-23)

  • Change HTTPSConnection to load system CA certificates
    when ca_certs, ca_cert_dir, and ssl_context are
    unspecified. (Pull #1608, Issue #1603)

  • Upgrade bundled rfc3986 to v1.3.2. (Pull #1609, Issue #1605)

1.25.2 (2019-04-28)

  • Change is_ipaddress to not detect IPvFuture addresses. (Pull #1583)

  • Change parse_url to percent-encode invalid characters within the
    path, query, and target components. (Pull #1586)

1.25.1 (2019-04-24)

  • Add support for Google's Brotli package. (Pull #1572, Pull #1579)

  • Upgrade bundled rfc3986 to v1.3.1 (Pull #1578)

1.25 (2019-04-22)

  • Require and validate certificates by default when using HTTPS (Pull #1507)

  • Upgraded urllib3.utils.parse_url() to be RFC 3986 compliant. (Pull #1487)

  • Added support for key_password for HTTPSConnectionPool to use
    encrypted key_file without creating your own SSLContext object. (Pull #1489)

  • Add TLSv1.3 support to CPython, pyOpenSSL, and SecureTransport SSLContext
    implementations. (Pull #1496)

  • Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft. (Issue #303, PR #1492)

  • Fixed issue where OpenSSL would block if an encrypted client private key was
    given and no password was given. Instead an SSLError is raised. (Pull #1489)

  • Added support for Brotli content encoding. It is enabled automatically if
    brotlipy package is installed which can be requested with
    urllib3[brotli] extra. (Pull #1532)

  • Drop ciphers using DSS key exchange from default TLS cipher suites.
    Improve default ciphers when using SecureTransport. (Pull #1496)

  • Implemented a more efficient HTTPResponse.__iter__() method. (Issue #1483)

1.24.3 (2019-05-01)

1.24.2 (2019-04-17)

  • Don't load system certificates by default when any other ca_certs, ca_certs_dir or
    ssl_context parameters are specified.

  • Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510)

  • Add support for IPv6 addresses in subjectAltName section of certificates. (Issue #1269)


Dependaallie will resolve any conflicts with this PR as long as you don't alter it yourself.

@sssoleileraaa (Contributor, Author) commented:

@emkll had a good suggestion to switch over to using a requirements.txt file and use pip instead of pipenv to make it easier to only upgrade a single package so that we can make sure all code changes that land on dom0 are indeed reviewed.

It also came up that it might make sense to move the code that uploads signed RPMs outside of this repo.

I think this warrants a team-wide discussion (perhaps tomorrow).

@redshiftzero (Contributor) commented:

Let's move to requirements.txt (this is one of the few places we have Pipenv left) - want to do that as part of this PR (since a bunch of the hashes are changing)?

@redshiftzero redshiftzero self-assigned this Nov 19, 2019
this required bumping awscli, botocore, s3transfer due to
previous versions requiring urllib3 versions prior to 1.25
@redshiftzero (Contributor) commented:

In order to bump urllib3 up to the 1.25.x series, we do need to also bump up awscli, botocore, and s3transfer as they previously required urllib3 less than 1.25. Since we're using these dependencies to upload signed packages and since they are widely used dependencies, I think we should include these with dev/test and focus our review efforts on dependencies that are running in production.

@emkll (Contributor) left a review comment:

LGTM, thanks for the changes.

I agree, since these are requirements that are used in dev/ops-only context, and never used by production workstations themselves, we can forgo an extensive diff review.

Tested as follows:

  • ran the pip install in a virtual env, installs and publish-rpm/aws cli works as expected
  • ran pip freeze and ran the (unhashed) requirements through safety to make sure none had CVEs associated with them
  • Requirements introduced are the same as those that were previously in the pip files (including version lock)

I opened #342 to discuss/track the removal/move of this tooling elsewhere, but this shouldn't block merge for this change
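The hash-pinned requirements.txt the thread moves to is what lets `pip install --require-hashes` refuse any artifact whose bytes were not the ones reviewed. The block below is an added example, not code from this repository or from pip: it re-implements that check in plain Python (the `pin_line`, `parse_requirements` and `verify_artifact` helpers and the sample sdist/wheel bytes are all constructed for illustration) so the two failure modes a reviewer cares about, a tampered artifact and a pin with no hash, are visible.

```python
import hashlib
import hmac
import re

HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-f]+)")
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)")

def norm(name):
    # Package names compare case-insensitively with '_' and '-' equivalent.
    return name.lower().replace("_", "-")

def pin_line(name, version, artifacts):
    """One requirements line with a sha256 --hash per artifact (sdist plus
    wheels), as `pip hash` output is pasted into requirements.txt."""
    parts = [f"{name}=={version}"]
    parts += [f"--hash=sha256:{hashlib.sha256(a).hexdigest()}" for a in artifacts]
    return " \\\n    ".join(parts)

def parse_requirements(text):
    """Return {name: (version, {(alg, digest), ...})}. Backslash continuations
    are joined first, as pip does; a pin with no --hash is rejected, mirroring
    pip's behaviour under --require-hashes."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        hashes = {(h["alg"], h["digest"]) for h in HASH_RE.finditer(line)}
        if not hashes:
            raise ValueError(f"{m['name']} has no --hash; every pin needs one")
        pins[norm(m["name"])] = (m["version"], hashes)
    return pins

def verify_artifact(pins, name, version, data):
    """True iff name==version is pinned and data matches a pinned hash."""
    if norm(name) not in pins:
        raise ValueError(f"{name} is not pinned")
    pinned_version, hashes = pins[norm(name)]
    if pinned_version != version:
        return False
    return any(hmac.compare_digest(hashlib.new(alg, data).hexdigest(), digest)
               for alg, digest in hashes)

# Constructed sample artifacts standing in for the real sdist and wheel bytes.
SDIST = b"constructed sdist bytes for urllib3 1.25.3"
WHEEL = b"constructed wheel bytes for urllib3 1.25.3"
REQUIREMENTS = pin_line("urllib3", "1.25.3", [SDIST, WHEEL]) + "\n"
```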

@emkll emkll merged commit 5c0e442 into master Nov 20, 2019
@emkll emkll deleted the dependaallie/pip/urllib3-1.25.3 branch November 20, 2019 16:25