This is the first release that follows our new release process. For more, see [our documentation](https://requests.readthedocs.io/en/latest/community/release-process/).
**Bugfixes**
- Updated urllib3 to 1.10.4, resolving several bugs involving chunked transfer encoding and response framing.
2.6.2
------------------
**Bugfixes**
- Fix regression where compressed data that was sent as chunked data was not properly decompressed. (\2561)
2.6.1
------------------
**Bugfixes**
- Remove VendorAlias import machinery introduced in v2.5.2. - Simplify the PreparedRequest.prepare API: We no longer require the user to pass an empty list to the hooks keyword argument. (c.f. \2552) - Resolve redirects now receives and forwards all of the original arguments to the adapter. (\2503) - Handle UnicodeDecodeErrors when trying to deal with a unicode URL that cannot be encoded in ASCII. (\2540) - Populate the parsed path of the URI field when performing Digest Authentication. (\2426) - Copy a PreparedRequest's CookieJar more reliably when it is not an instance of RequestsCookieJar. (\2527)
2.6.0
------------------
**Bugfixes**
- CVE-2015-2296: Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing. This was disclosed privately by Matthew Daley of [BugFuzz](https://bugfuzz.com). This affects all versions of requests from v2.1.0 to v2.5.3 (inclusive on both ends). - Fix error when requests is an `install_requires` dependency and `python setup.py test` is run. (\2462) - Fix error when urllib3 is unbundled and requests continues to use the vendored import location. - Include fixes to `urllib3`'s header handling. - Requests' handling of unvendored dependencies is now more restrictive.
**Features and Improvements**
- Support bytearrays when passed as parameters in the `files` argument. (\2468) - Avoid data duplication when creating a request with `str`, `bytes`, or `bytearray` input to the `files` argument.
2.5.3
------------------
**Bugfixes**
- Revert changes to our vendored certificate bundle. For more context see (\2455, \2456, and <https://bugs.python.org/issue23476>)
2.5.2
------------------
**Features and Improvements**
- Add sha256 fingerprint support. ([shazow/urllib3\540](https://github.com/shazow/urllib3/pull/540)) - Improve the performance of headers. ([shazow/urllib3\544](https://github.com/shazow/urllib3/pull/544))
**Bugfixes**
- Copy pip's import machinery. When downstream redistributors remove requests.packages.urllib3 the import machinery will continue to let those same symbols work. Example usage in requests' documentation and 3rd-party libraries relying on the vendored copies of urllib3 will work without having to fallback to the system urllib3. - Attempt to quote parts of the URL on redirect if unquoting and then quoting fails. (\2356) - Fix filename type check for multipart form-data uploads. (\2411) - Properly handle the case where a server issuing digest authentication challenges provides both auth and auth-int qop-values. (\2408) - Fix a socket leak. ([shazow/urllib3\549](https://github.com/shazow/urllib3/pull/549)) - Fix multiple `Set-Cookie` headers properly. ([shazow/urllib3\534](https://github.com/shazow/urllib3/pull/534)) - Disable the built-in hostname verification. ([shazow/urllib3\526](https://github.com/shazow/urllib3/pull/526)) - Fix the behaviour of decoding an exhausted stream. ([shazow/urllib3\535](https://github.com/shazow/urllib3/pull/535))
**Security**
- Pulled in an updated `cacert.pem`. - Drop RC4 from the default cipher list. ([shazow/urllib3\551](https://github.com/shazow/urllib3/pull/551))