
Published: 20 May 2024

Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable certificate verification, all subsequent requests to the same host continue to skip certificate verification regardless of later changes to the value of `verify`. This behaviour persists for the lifetime of the pooled connection, because the connection pool does not distinguish verified from unverified connections. This vulnerability is fixed in 2.32.0.


On focal and earlier, the python-pip package bundles requests
binaries when built. After updating requests, a no-change
rebuild of python-pip is required.
On jammy and later, requests is bundled in the python-pip
package and needs to be patched.

The fix for this issue introduced regressions in certain other
applications, such as docker. See
and resulted in 2.32.0 and 2.32.1 being yanked, see:

2.32.2 and 2.32.3 were subsequently released to fix those

Even with the regression fixes in 2.32.2 and 2.32.3, fixing this
may still break applications that subclass HTTPAdapter, for
example, cloud-init. See:
The CVE patch causes a regression. The patch enforces the URL scheme
to be either `http` or `https`. This broke users who used a custom
scheme (e.g. `http+docker`) by implementing a custom `get_connection` method
while still relying on the default `send` method. Patching this CVE would require some
users to update their source code like:




Package / Release / Status

Launchpad, Ubuntu, Debian
  bionic     Needed
  focal      Needed
  jammy      Needed
  mantic     Ignored (end of life, was needed)
  noble      Needed
  trusty     Needed
  upstream   Needs triage
  xenial     Needed

Launchpad, Ubuntu, Debian
  bionic     Ignored (breaks users, requires source code updates)
  focal      Ignored (breaks users, requires source code updates)
  jammy      Ignored (breaks users, requires source code updates)
  mantic     Ignored (end of life, was ignored [breaks users, requires source code updates])
  noble      Ignored (breaks users, requires source code updates)
  trusty     Ignored (breaks users, requires source code updates)
  upstream   Needs triage
  xenial     Ignored (breaks users, requires source code updates)