Compare commits
2 Commits
Author | SHA256 | Date | |
---|---|---|---|
01c1e95c08 | |||
bf1b546e9b |
@@ -1,3 +1,28 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 14 09:20:12 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
- Add revert-caching-default-sslcontext.patch upstream patch to avoid
|
||||
problems with certificate caching in sslcontext.
|
||||
bsc#1246104, gh#psf/requests#6767
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 10 09:42:31 UTC 2025 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 2.32.4:
|
||||
* CVE-2024-47081 Fixed an issue where a maliciously crafted URL
|
||||
and trusted environment will retrieve credentials for the wrong
|
||||
hostname/machine from a netrc file
|
||||
* Numerous documentation improvements
|
||||
* Added support for pypy 3.11 for Linux and macOS.
|
||||
* Dropped support for pypy 3.9 following its end of support.
|
||||
- drop CVE-2024-47081.patch (merged upstream)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 5 07:22:39 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
- Add CVE-2024-47081.patch upstream patch, fixes netrc credential leak
|
||||
(gh#psf/requests#6965, CVE-2024-47081, bsc#1244039)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 24 07:48:08 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
|
||||
|
||||
|
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package python-requests
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -26,7 +26,7 @@
|
||||
%endif
|
||||
%{?sle15_python_module_pythons}
|
||||
Name: python-requests%{psuffix}
|
||||
Version: 2.32.3
|
||||
Version: 2.32.4
|
||||
Release: 0
|
||||
Summary: Python HTTP Library
|
||||
License: Apache-2.0
|
||||
@@ -34,6 +34,8 @@ URL: https://docs.python-requests.org/
|
||||
Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
|
||||
# PATCH-FIX-UPSTREAM gh#psf/requests#6731
|
||||
Patch0: inject-default-ca-bundles.patch
|
||||
# PATCH-FIX-UPSTREAM revert-caching-default-sslcontext.patch gh#psf/requests#6767
|
||||
Patch1: revert-caching-default-sslcontext.patch
|
||||
BuildRequires: %{python_module base >= 3.7}
|
||||
BuildRequires: %{python_module pip}
|
||||
BuildRequires: %{python_module setuptools}
|
||||
|
BIN
requests-2.32.3.tar.gz
(Stored with Git LFS)
BIN
requests-2.32.3.tar.gz
(Stored with Git LFS)
Binary file not shown.
BIN
requests-2.32.4.tar.gz
(Stored with Git LFS)
Normal file
BIN
requests-2.32.4.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
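--- a/revert-caching-default-sslcontext.patch
+++ b/revert-caching-default-sslcontext.patch
@@ -0,0 +1,109 @@
+From d520f46f94d0e637d440c6c0d55aa49240e2d46a Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Thu, 18 Jul 2024 09:51:10 -0700
+Subject: [PATCH] Revert caching a default SSLContext
+
+---
+src/requests/adapters.py | 55 ++++++++++++----------------------------
+1 file changed, 16 insertions(+), 39 deletions(-)
+
+Index: requests-2.32.4/src/requests/adapters.py
+===================================================================
+--- requests-2.32.4.orig/src/requests/adapters.py
++++ requests-2.32.4/src/requests/adapters.py
+@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolMana
+from urllib3.util import Timeout as TimeoutSauce
+from urllib3.util import parse_url
+from urllib3.util.retry import Retry
+-from urllib3.util.ssl_ import create_urllib3_context
+
+from .auth import _basic_auth_str
+from .compat import basestring, urlparse
+@@ -74,36 +73,6 @@ DEFAULT_RETRIES = 0
+DEFAULT_POOL_TIMEOUT = None
+
+
+-try:
+- import ssl # noqa: F401
+-
+- _preloaded_ssl_context = create_urllib3_context()
+- _preloaded_ssl_context.load_verify_locations(
+- extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+- )
+-except ImportError:
+- # Bypass default SSLContext creation when Python
+- # interpreter isn't built with the ssl module.
+- _preloaded_ssl_context = None
+-
+-
+-def _should_use_default_context(
+- verify: "bool | str | None",
+- client_cert: "typing.Tuple[str, str] | str | None",
+- poolmanager_kwargs: typing.Dict[str, typing.Any],
+-) -> bool:
+- # Determine if we have and should use our default SSLContext
+- # to optimize performance on standard requests.
+- has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+- should_use_default_ssl_context = (
+- verify is True
+- and _preloaded_ssl_context is not None
+- and not has_poolmanager_ssl_context
+- and client_cert is None
+- )
+- return should_use_default_ssl_context
+-
+-
+def _urllib3_request_context(
+request: "PreparedRequest",
+verify: "bool | str | None",
+@@ -121,8 +90,6 @@ def _urllib3_request_context(
+cert_loc = None
+if verify is False:
+cert_reqs = "CERT_NONE"
+- elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+- pool_kwargs["ssl_context"] = _preloaded_ssl_context
+elif verify is True:
+# Set default ca cert location if none provided
+cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+@@ -332,24 +299,27 @@ class HTTPAdapter(BaseAdapter):
+:param cert: The SSL certificate to verify.
+"""
+if url.lower().startswith("https") and verify:
+- conn.cert_reqs = "CERT_REQUIRED"
++ cert_loc = None
+
+- # Only load the CA certificates if `verify` is a
+- # string indicating the CA bundle to use.
++ # Allow self-specified cert location.
+if verify is not True:
+- # `verify` must be a str with a path then
+cert_loc = verify
+
+- if not os.path.exists(cert_loc):
+- raise OSError(
+- f"Could not find a suitable TLS CA certificate bundle, "
+- f"invalid path: {cert_loc}"
+- )
+-
+- if not os.path.isdir(cert_loc):
+- conn.ca_certs = cert_loc
+- else:
+- conn.ca_cert_dir = cert_loc
++ if not cert_loc:
++ cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
++
++ if not cert_loc or not os.path.exists(cert_loc):
++ raise OSError(
++ f"Could not find a suitable TLS CA certificate bundle, "
++ f"invalid path: {cert_loc}"
++ )
++
++ conn.cert_reqs = "CERT_REQUIRED"
++
++ if not os.path.isdir(cert_loc):
++ conn.ca_certs = cert_loc
++ else:
++ conn.ca_cert_dir = cert_loc
+else:
+conn.cert_reqs = "CERT_NONE"
+conn.ca_certs = None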
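Review bot: In the last hunk of the embedded patch (`cert_verify`, whose body starts outside the hunk), the new comment `# Allow self-specified cert location.` replaces two comments that said `verify` must be a path string, and nothing now states that `verify=True` falls back to `DEFAULT_CA_BUNDLE_PATH` or that a missing bundle raises `OSError` before `conn.cert_reqs` is assigned. That fail-closed behaviour deserves a comment next to the existence check, for example `# verify=True: use the default CA bundle; a missing bundle raises instead of connecting unverified`. Any truthy non-`True` value of `verify` still reaches `os.path.exists()` unchanged, so a short `# verify is expected to be a str path here` above `cert_loc = verify` would keep the hint the patch removes.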