diff --git a/python-requests.changes b/python-requests.changes
index 8d2a5b9..d07c804 100644
--- a/python-requests.changes
+++ b/python-requests.changes
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Mon Jun 12 12:02:29 UTC 2023 - Daniel Garcia
+
+- Security Update to 2.31.0 (bsc#1211674):
+ Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
+ forwarding of Proxy-Authorization headers to destination servers when
+ following HTTPS redirects.
+
+ When proxies are defined with user info (https://user:pass@proxy:8080), Requests
+ will construct a Proxy-Authorization header that is attached to the request to
+ authenticate with the proxy.
+
+ In cases where Requests receives a redirect response, it previously reattached
+ the Proxy-Authorization header incorrectly, resulting in the value being
+ sent through the tunneled connection to the destination server. Users who rely on
+ defining their proxy credentials in the URL are strongly encouraged to upgrade
+ to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
+ credentials once the change has been fully deployed.
+
+ Users who do not use a proxy or do not supply their proxy credentials through
+ the user information portion of their proxy URL are not subject to this
+ vulnerability.
+
+ Full details can be read in our Github Security Advisory
+ and CVE-2023-32681.
+
-------------------------------------------------------------------
Fri May 5 12:03:42 UTC 2023 - Johannes Kastl
diff --git a/python-requests.spec b/python-requests.spec
index 4a5a392..5a3f87e 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -26,14 +26,12 @@
 %endif
 %{?sle15_python_module_pythons}
 Name: python-requests%{psuffix}
-Version: 2.30.0
+Version: 2.31.0
 Release: 0
 Summary: Python HTTP Library
 License: Apache-2.0
 URL: https://docs.python-requests.org/
 Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM: Allow charset normalizer >=2 and <4, and don't strict require httpbin===1.0.0
-Patch0: requests-no-hardcoded-version.patch
 BuildRequires: %{python_module base >= 3.7}
 BuildRequires: %{python_module setuptools}
 BuildRequires: fdupes
diff --git a/requests-2.30.0.tar.gz b/requests-2.30.0.tar.gz
deleted file mode 100644
index 3b62e60..0000000
--- a/requests-2.30.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:239d7d4458afcb28a692cdd298d87542235f4ca8d36d03a15bfc128a6559a2f4
-size 108411
diff --git a/requests-2.31.0.tar.gz b/requests-2.31.0.tar.gz
new file mode 100644
index 0000000..74eeead
--- /dev/null
+++ b/requests-2.31.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
+size 110794
diff --git a/requests-no-hardcoded-version.patch b/requests-no-hardcoded-version.patch
deleted file mode 100644
index 76cf772..0000000
--- a/requests-no-hardcoded-version.patch
+++ /dev/null
@@ -1,27 +0,0 @@
----
- requirements-dev.txt | 2 +-
- setup.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
---- a/requirements-dev.txt
-+++ b/requirements-dev.txt
-@@ -1,7 +1,7 @@
- -e .[socks]
- pytest>=2.8.0,<=6.2.5
- pytest-cov
--pytest-httpbin==1.0.0
-+pytest-httpbin>=1.0.0
- pytest-mock==2.0.0
- httpbin==0.7.0
- trustme
---- a/setup.py
-+++ b/setup.py
-@@ -65,7 +65,7 @@ requires = [
- "certifi>=2017.4.17",
- ]
- test_requirements = [
-- "pytest-httpbin==0.0.7",
-+ "pytest-httpbin>=0.0.7",
- "pytest-cov",
- "pytest-mock",
- "pytest-xdist",
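Review bot: The hunk drops `Patch0: requests-no-hardcoded-version.patch` together with its `# PATCH-FIX-UPSTREAM` comment, but the new .changes entry only describes the security fix and never records why the patch is gone. Add a line to the changelog entry such as `- Drop requests-no-hardcoded-version.patch: <merged upstream or no longer needed — confirm against the 2.31.0 tarball>` so the reason is traceable at the next update. If the 2.31.0 sdist still pins pytest-httpbin to an exact version, the %check section (outside this hunk) may now pick that pin up again, so a build run before accepting is worthwhile. Since `Source:` is fetched by `%{version}` from files.pythonhosted.org, the sha256 recorded in the new LFS pointer for requests-2.31.0.tar.gz should be confirmed against the digest PyPI publishes for that sdist before the update lands.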