In current boto3, if you use a session (and correspondingly an HTTP connection pool), some messages will be logged at INFO level that should be logged at DEBUG level. For example:
2018-11-26 17:53:48,231:INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): route53.amazonaws.com
and
2018-10-10 08:51:44,033:INFO:requests.packages.urllib3.connectionpool:Resetting dropped connection: route53.amazonaws.com
This was fixed in https://github.com/urllib3/urllib3/commit/5c729531137c836f7ec6ec325a423b40aae8742c, which is incorporated into v1.17 of urllib. Could botocore update its vendored version? This caused some confusion on a Let's Encrypt forum thread where the "Resetting dropped connection" message (which is harmless) bubbled up at INFO level, making it seem like the cause of an unrelated error.
Unfortunately, we can't update the vendored urllib3 as we don't use it in botocore anymore. We just keep it around for legacy purposes in case customers are using it.
I can confirm that, after upgrading to latest versions of everything, the problem I reported is gone. Thanks for your attention!
Hey,
I see that you're keeping urllib3 for legacy problem.
We use your boto3 lib and found out that its opening our code (and anyone else who is including botocore) to a high severity vulnerability CVE2018-20060
Please could you reconsider removing (or updating) this library, to remove the vulnerability?
Most helpful comment
Hey,
I see that you're keeping urllib3 for legacy problem.
We use your boto3 lib and found out that its opening our code (and anyone else who is including botocore) to a high severity vulnerability CVE2018-20060
Please could you reconsider removing (or updating) this library, to remove the vulnerability?