Sync from SUSE:SLFO:Main python-requests revision fc06f9bbd8a0b510b6e47aba6c6508a9

inject-default-ca-bundles.patch

@@ -0,0 +1,126 @@
+From 2769cb607d4e696e2fe70802d4246ccc5abd64a8 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 29 May 2024 12:48:48 -0700
+Subject: [PATCH 1/3] Consider cert settings when using default context
+
+---
+ src/requests/adapters.py | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index 9a58b16025..991b7e21c9 100644
+--- a/src/requests/adapters.py
++++ b/src/requests/adapters.py
+@@ -87,6 +87,23 @@ def SOCKSProxyManager(*args, **kwargs):
+     _preloaded_ssl_context = None
+ 
+ 
++def _should_use_default_context(
++    verify: "bool | str | None",
++    client_cert: "typing.Tuple[str, str] | str | None",
++    poolmanager_kwargs: typing.Dict[str, typing.Any],
++) -> bool:
++    # Determine if we have and should use our default SSLContext
++    # to optimize performance on standard requests.
++    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
++    should_use_default_ssl_context = (
++        verify is True
++        and _preloaded_ssl_context is not None
++        and not has_poolmanager_ssl_context
++        and client_cert is None
++    )
++    return should_use_default_ssl_context
++
++
+ def _urllib3_request_context(
+     request: "PreparedRequest",
+     verify: "bool | str | None",
+@@ -98,19 +115,12 @@ def _urllib3_request_context(
+     parsed_request_url = urlparse(request.url)
+     scheme = parsed_request_url.scheme.lower()
+     port = parsed_request_url.port
+-
+-    # Determine if we have and should use our default SSLContext
+-    # to optimize performance on standard requests.
+     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
+-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+-    should_use_default_ssl_context = (
+-        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
+-    )
+ 
+     cert_reqs = "CERT_REQUIRED"
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    elif verify is True and should_use_default_ssl_context:
++    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
+     elif isinstance(verify, str):
+         if not os.path.isdir(verify):
+
+From e341df3efa0323072fab5d16307e2a20295675b9 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Fri, 31 May 2024 11:41:48 -0700
+Subject: [PATCH 2/3] Set default ca_cert bundle if verify is True
+
+---
+ src/requests/adapters.py | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index 991b7e21c9..ba5a0ec4f0 100644
+--- a/src/requests/adapters.py
++++ b/src/requests/adapters.py
+@@ -118,15 +118,23 @@ def _urllib3_request_context(
+     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
+ 
+     cert_reqs = "CERT_REQUIRED"
++    cert_loc = None
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+     elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+         pool_kwargs["ssl_context"] = _preloaded_ssl_context
++    elif verify is True:
++        # Set default ca cert location if none provided
++        cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+     elif isinstance(verify, str):
+-        if not os.path.isdir(verify):
+-            pool_kwargs["ca_certs"] = verify
++        cert_loc = verify
++
++    if cert_loc is not None:
++        if not os.path.isdir(cert_loc):
++            pool_kwargs["ca_certs"] = cert_loc
+         else:
+-            pool_kwargs["ca_cert_dir"] = verify
++            pool_kwargs["ca_cert_dir"] = cert_loc
++
+     pool_kwargs["cert_reqs"] = cert_reqs
+     if client_cert is not None:
+         if isinstance(client_cert, tuple) and len(client_cert) == 2:
+
+From da96a92e2eb6dfe7c74704267bcb8f9fd6fb92b0 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Fri, 31 May 2024 12:20:11 -0700
+Subject: [PATCH 3/3] Correct comment to match actual behavior
+
+---
+ src/requests/adapters.py | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/requests/adapters.py b/src/requests/adapters.py
+index ba5a0ec4f0..54143f9e6b 100644
+--- a/src/requests/adapters.py
++++ b/src/requests/adapters.py
+@@ -334,10 +334,8 @@ def cert_verify(self, conn, url, verify, cert):
+         if url.lower().startswith("https") and verify:
+             conn.cert_reqs = "CERT_REQUIRED"
+ 
+-            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
+-            # Otherwise, if verify is a boolean, we don't load anything since
+-            # the connection will be using a context with the default certificates already loaded,
+-            # and this avoids a call to the slow load_verify_locations()
++            # Only load the CA certificates if `verify` is a
++            # string indicating the CA bundle to use.
+             if verify is not True:
+                 # `verify` must be a str with a path then
+                 cert_loc = verify

python-requests.changes

@@ -1,23 +1,74 @@
+-------------------------------------------------------------------
+Mon Jul 14 09:20:12 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add revert-caching-default-sslcontext.patch upstream patch to avoid
+  problems with certificate caching in sslcontext.
+  bsc#1246104, gh#psf/requests#6767
+
+-------------------------------------------------------------------
+Tue Jun 10 09:42:31 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.32.4:
+  * CVE-2024-47081 Fixed an issue where a maliciously crafted URL
+    and trusted environment will retrieve credentials for the wrong
+    hostname/machine from a netrc file
+  * Numerous documentation improvements
+  * Added support for pypy 3.11 for Linux and macOS.
+  * Dropped support for pypy 3.9 following its end of support.
+- drop CVE-2024-47081.patch (merged upstream)
+
+-------------------------------------------------------------------
+Thu Jun  5 07:22:39 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
+  (gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)
+
+-------------------------------------------------------------------
+Thu Oct 24 07:48:08 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Switch to pyproject macros.
+
+-------------------------------------------------------------------
+Thu Oct 17 06:30:14 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Add patch inject-default-ca-bundles.patch:
+  * Inject the default CA bundles if they are not specified.
+    (bsc#1226321, bsc#1231500)
+
+-------------------------------------------------------------------
+Thu Aug 29 03:17:43 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Remove Requires on python-py, it should have been removed earlier.
+
+-------------------------------------------------------------------
+Thu Jun  6 19:38:03 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.32.3:
+  * Fixed bug breaking the ability to specify custom SSLContexts
+    in sub-classes of HTTPAdapter.
+  * Fixed issue where Requests started failing to run on Python
+    versions compiled without the `ssl` module.
+
 -------------------------------------------------------------------
 Wed May 22 14:00:50 UTC 2024 - Markéta Machová <mmachova@suse.com>
 
 - Update to 2.32.2
-  * To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, 
+  * To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0,
-    we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing 
+    we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing
-    custom HTTPAdapters will need to migrate their code to use this new API. get_connection is 
+    custom HTTPAdapters will need to migrate their code to use this new API. get_connection is
     considered deprecated in all versions of Requests>=2.32.0.
 
 -------------------------------------------------------------------
 Tue May 21 12:33:41 UTC 2024 - Markéta Machová <mmachova@suse.com>
 
 - Update to 2.32.1
-  * Fixed an issue where setting verify=False on the first request from a Session 
+  * Fixed an issue where setting verify=False on the first request from a Session
-    will cause subsequent requests to the same origin to also ignore cert verification, 
+    will cause subsequent requests to the same origin to also ignore cert verification,
     regardless of the value of verify. (bsc#1224788, CVE-2024-35195)
-  * verify=True now reuses a global SSLContext which should improve request time 
+  * verify=True now reuses a global SSLContext which should improve request time
     variance between first and subsequent requests.
-  * Requests now supports optional use of character detection (chardet or charset_normalizer) 
+  * Requests now supports optional use of character detection (chardet or charset_normalizer)
-    when repackaged or vendored. This enables pip and other projects to minimize their 
+    when repackaged or vendored. This enables pip and other projects to minimize their
     vendoring surface area.
   * Requests has officially added support for CPython 3.12 and dropped support for CPython 3.7.
   * Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling.

python-requests.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-requests
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,14 +26,20 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-requests%{psuffix}
-Version:        2.32.2
+Version:        2.32.4
 Release:        0
 Summary:        Python HTTP Library
 License:        Apache-2.0
 URL:            https://docs.python-requests.org/
 Source:         https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM gh#psf/requests#6731
+Patch0:         inject-default-ca-bundles.patch
+# PATCH-FIX-UPSTREAM revert-caching-default-sslcontext.patch gh#psf/requests#6767
+Patch1:         revert-caching-default-sslcontext.patch
 BuildRequires:  %{python_module base >= 3.7}
+BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 Requires:       ca-certificates
@@ -41,7 +47,6 @@ Requires:       python
 Requires:       python-certifi >= 2017.4.17
 Requires:       python-charset-normalizer >= 2.0.0
 Requires:       python-idna >= 2.5
-Requires:       python-py
 Requires:       python-urllib3 >= 1.21.1
 BuildArch:      noarch
 %if 0%{?_no_weakdeps}
@@ -94,11 +99,11 @@ Features of Requests:
 sed -i "s#\(httpbin.*\), 'never'#\1#" tests/test_requests.py
 
 %build
-%python_build
+%pyproject_wheel
 
 %install
 %if !%{with test}
-%python_install
+%pyproject_install
 # check that urllib3 is not installed
 test ! -e %{buildroot}%{python3_sitelib}/requests/packages/urllib3
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
@@ -118,8 +123,8 @@ touch Pipfile
 %files %{python_files}
 %license LICENSE
 %doc HISTORY.md README.md
-%{python_sitelib}/requests/
+%{python_sitelib}/requests
-%{python_sitelib}/requests-*
+%{python_sitelib}/requests-%{version}.dist-info
 %endif
 
 %changelog

revert-caching-default-sslcontext.patch

@@ -0,0 +1,109 @@
+From d520f46f94d0e637d440c6c0d55aa49240e2d46a Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Thu, 18 Jul 2024 09:51:10 -0700
+Subject: [PATCH] Revert caching a default SSLContext
+
+---
+ src/requests/adapters.py | 55 ++++++++++++----------------------------
+ 1 file changed, 16 insertions(+), 39 deletions(-)
+
+Index: requests-2.32.4/src/requests/adapters.py
+===================================================================
+--- requests-2.32.4.orig/src/requests/adapters.py
++++ requests-2.32.4/src/requests/adapters.py
+@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolMana
+ from urllib3.util import Timeout as TimeoutSauce
+ from urllib3.util import parse_url
+ from urllib3.util.retry import Retry
+-from urllib3.util.ssl_ import create_urllib3_context
+ 
+ from .auth import _basic_auth_str
+ from .compat import basestring, urlparse
+@@ -74,36 +73,6 @@ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+ 
+ 
+-try:
+-    import ssl  # noqa: F401
+-
+-    _preloaded_ssl_context = create_urllib3_context()
+-    _preloaded_ssl_context.load_verify_locations(
+-        extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+-    )
+-except ImportError:
+-    # Bypass default SSLContext creation when Python
+-    # interpreter isn't built with the ssl module.
+-    _preloaded_ssl_context = None
+-
+-
+-def _should_use_default_context(
+-    verify: "bool | str | None",
+-    client_cert: "typing.Tuple[str, str] | str | None",
+-    poolmanager_kwargs: typing.Dict[str, typing.Any],
+-) -> bool:
+-    # Determine if we have and should use our default SSLContext
+-    # to optimize performance on standard requests.
+-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+-    should_use_default_ssl_context = (
+-        verify is True
+-        and _preloaded_ssl_context is not None
+-        and not has_poolmanager_ssl_context
+-        and client_cert is None
+-    )
+-    return should_use_default_ssl_context
+-
+-
+ def _urllib3_request_context(
+     request: "PreparedRequest",
+     verify: "bool | str | None",
+@@ -121,8 +90,6 @@ def _urllib3_request_context(
+     cert_loc = None
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+-        pool_kwargs["ssl_context"] = _preloaded_ssl_context
+     elif verify is True:
+         # Set default ca cert location if none provided
+         cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+@@ -332,24 +299,27 @@ class HTTPAdapter(BaseAdapter):
+         :param cert: The SSL certificate to verify.
+         """
+         if url.lower().startswith("https") and verify:
+-            conn.cert_reqs = "CERT_REQUIRED"
++            cert_loc = None
+ 
+-            # Only load the CA certificates if `verify` is a
+-            # string indicating the CA bundle to use.
++            # Allow self-specified cert location.
+             if verify is not True:
+-                # `verify` must be a str with a path then
+                 cert_loc = verify
+ 
+-                if not os.path.exists(cert_loc):
+-                    raise OSError(
+-                        f"Could not find a suitable TLS CA certificate bundle, "
+-                        f"invalid path: {cert_loc}"
+-                    )
+-
+-                if not os.path.isdir(cert_loc):
+-                    conn.ca_certs = cert_loc
+-                else:
+-                    conn.ca_cert_dir = cert_loc
++            if not cert_loc:
++                cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
++
++            if not cert_loc or not os.path.exists(cert_loc):
++                raise OSError(
++                    f"Could not find a suitable TLS CA certificate bundle, "
++                    f"invalid path: {cert_loc}"
++                )
++
++            conn.cert_reqs = "CERT_REQUIRED"
++
++            if not os.path.isdir(cert_loc):
++                conn.ca_certs = cert_loc
++            else:
++                conn.ca_cert_dir = cert_loc
+         else:
+             conn.cert_reqs = "CERT_NONE"
+             conn.ca_certs = None