CVE-2024-35195

Published: 20 May 2024

Requests is an HTTP library for Python. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request to a host is made with `verify=False` to disable certificate verification, all subsequent requests to the same host continue to skip certificate verification regardless of the value of `verify` passed later. This behaviour persists for the lifetime of that connection in the session's connection pool. This vulnerability is fixed in 2.32.0.
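The following is an added example, not code from this page or from the requests project: a constructed, in-memory model of the pool-key decision behind this CVE. A Session hands each request to an adapter that borrows a connection from a pool selected by a key; before 2.32.0 that key did not include the TLS settings, so a request with `verify=True` could be handed the connection that an earlier `verify=False` request had already established without verification. `PooledConnection`, `VulnerableSession`, `FixedSession` and the URLs are hypothetical stand-ins; the `close()` workaround mirrors `requests.Session.close()`, which clears the adapter's pool manager, and is offered as a mitigation for versions that cannot be upgraded.

```python
"""Constructed model of the CVE-2024-35195 pool-reuse bug (not requests' code).

The classes below reproduce only the pool-keying decision with an in-memory
stand-in for the urllib3 pool; nothing here opens a socket.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class PooledConnection:
    """Stand-in for a pooled TLS connection. The verification policy is fixed
    when the connection is created, like cert_reqs on a real pooled connection."""
    host: str
    verify: object          # True, False, or a CA bundle path
    uses: int = 0

    def send(self, path):
        self.uses += 1
        return {
            "path": path,
            "cert_verified": self.verify is not False,
            "reused": self.uses > 1,
        }


class VulnerableSession:
    """Pool key = (scheme, host, port): whatever `verify` created the pool sticks."""

    def __init__(self):
        self._pools = {}

    def _pool_key(self, url, verify):
        u = urlsplit(url)
        return (u.scheme, u.hostname, u.port)

    def request(self, url, verify=True):
        u = urlsplit(url)
        key = self._pool_key(url, verify)
        conn = self._pools.get(key)
        if conn is None:
            conn = PooledConnection(u.hostname, verify)
            self._pools[key] = conn
        return conn.send(u.path or "/")

    def close(self):
        """Drop every pooled connection. Modelled on Session.close(), which
        clears the adapter's PoolManager; the next request builds a fresh pool."""
        self._pools.clear()


class FixedSession(VulnerableSession):
    """Pool key also carries the TLS settings, as 2.32.x does by deriving the
    pool options from verify/cert and passing them to the PoolManager."""

    def _pool_key(self, url, verify):
        u = urlsplit(url)
        if u.scheme == "https":
            return (u.scheme, u.hostname, u.port, verify)
        return (u.scheme, u.hostname, u.port)


def run_scenario(session):
    """verify=False first, then verify=True to the same host. Returns whether
    the second request actually verified the certificate and whether it reused
    the first request's connection."""
    session.request("https://api.example.test/login", verify=False)
    second = session.request("https://api.example.test/account", verify=True)
    return second["cert_verified"], second["reused"]


def run_scenario_with_close(session):
    """Workaround for unpatched versions: close the session between the two
    verify settings so no unverified connection survives in the pool."""
    session.request("https://api.example.test/login", verify=False)
    session.close()
    second = session.request("https://api.example.test/account", verify=True)
    return second["cert_verified"], second["reused"]


if __name__ == "__main__":
    print("vulnerable :", run_scenario(VulnerableSession()))            # (False, True)
    print("fixed      :", run_scenario(FixedSession()))                 # (True, False)
    print("workaround :", run_scenario_with_close(VulnerableSession()))  # (True, False)
```

The vulnerable variant returns `(False, True)`: the second request reused the connection and never verified the certificate. The fixed variant and the close-between-settings workaround both return `(True, False)`. Using a separate Session per trust setting achieves the same separation without the close call.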

Notes

Author: mdeslaur
On focal and earlier, the python-pip package bundles requests
binaries when built. After updating requests, a no-change
rebuild of python-pip is required.
On jammy and later, requests is bundled in the python-pip
package and needs to be patched.

The fix for this issue introduced regressions in certain other
applications, such as docker. See
https://github.com/docker/docker-py/pull/3257
and resulted in 2.32.0 and 2.32.1 being yanked, see:
https://pypi.org/project/requests/#history

2.32.2 and 2.32.3 were subsequently released to fix those
regressions.

Even with the regression fixes in 2.32.2 and 2.32.3, fixing this
may still break applications that subclass HTTPAdapter, for
example, cloud-init. See:
https://github.com/canonical/cloud-init/pull/5435
Author: vyomydv
The CVE patch causes a regression. The patch enforced the URL scheme
to be either `http` or `https`. This broke users who used a custom
scheme (e.g. `http+docker`) by implementing a custom `get_connection` method
but kept the default `send` method. Patching this CVE would require some
users to update their source code like:
https://github.com/docker/docker-py/pull/3257

Priority

Medium

Status

Package Release Status

python-pip (Launchpad, Ubuntu, Debian)
  bionic    Needed
  focal     Needed
  jammy     Needed
  mantic    Ignored (end of life, was needed)
  noble     Needed
  trusty    Needed
  upstream  Needs triage
  xenial    Needed

requests (Launchpad, Ubuntu, Debian)
  bionic    Ignored (breaks users, requires source code updates)
  focal     Ignored (breaks users, requires source code updates)
  jammy     Ignored (breaks users, requires source code updates)
  mantic    Ignored (end of life, was ignored [breaks users, requires source code updates])
  noble     Ignored (breaks users, requires source code updates)
  trusty    Ignored (breaks users, requires source code updates)
  upstream  Needs triage
  xenial    Ignored (breaks users, requires source code updates)

Patches:
upstream: https://github.com/psf/requests/pull/6655
upstream: https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
upstream: https://github.com/psf/requests/commit/aa1461b68aa73e2f6ec0e78c8853b635c76fd099
upstream: https://github.com/psf/requests/commit/e18879932287c2bf4bcee4ddf6ccb8a69b6fc656