32 lines
1.8 KiB
Plaintext
32 lines
1.8 KiB
Plaintext
<patchinfo incident="28">
|
|
<!-- generated from request(s) 331669 -->
|
|
<issue tracker="bnc" id="1224788">VUL-0: CVE-2024-35195: python-requests: session object does not verify requests after making first request with verify=False</issue>
|
|
<issue tracker="cve" id="2024-35195"/>
|
|
<packager>mcalabkova</packager>
|
|
<rating>moderate</rating>
|
|
<category>security</category>
|
|
<summary>Security update for python-requests</summary>
|
|
<description>This update for python-requests fixes the following issues:
|
|
|
|
- Update to 2.32.2
|
|
* To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0,
|
|
we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing
|
|
custom HTTPAdapters will need to migrate their code to use this new API. get_connection is
|
|
considered deprecated in all versions of Requests>=2.32.0.
|
|
|
|
- Update to 2.32.1
|
|
* Fixed an issue where setting verify=False on the first request from a Session
|
|
will cause subsequent requests to the same origin to also ignore cert verification,
|
|
regardless of the value of verify. (bsc#1224788, CVE-2024-35195)
|
|
* verify=True now reuses a global SSLContext which should improve request time
|
|
variance between first and subsequent requests.
|
|
* Requests now supports optional use of character detection (chardet or charset_normalizer)
|
|
when repackaged or vendored. This enables pip and other projects to minimize their
|
|
vendoring surface area.
|
|
* Requests has officially added support for CPython 3.12 and dropped support for CPython 3.7.
|
|
* Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling.
|
|
</description>
|
|
<package>python-requests</package>
|
|
<package>python-requests:test</package>
|
|
<seperate_build_arch/>
|
|
</patchinfo> |