[Security] Bump requests from 2.31.0 to 2.32.2
Bumps requests from 2.31.0 to 2.32.2. This update includes a security fix.
Vulnerabilities fixed
Requests
Session
object does not verify requests after making first request with verify=False When making requests through a RequestsSession
, if the first request is made withverify=False
to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value ofverify
. This behavior will continue for the lifecycle of the connection in the connection pool.Remediation
Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.
- Upgrade to
requests>=2.32.0
.- For
requests<2.32.0
, avoid settingverify=False
for the first request to a host while using a Requests Session.- For
requests<2.32.0
, callclose()
onSession
objects to clear existing connections ifverify=False
is used.Related Links
Patched versions: 2.32.0 Affected versions: < 2.32.0
Release notes
Sourced from requests's releases.
v2.32.2
2.32.2 (2024-05-21)
Deprecations
To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed
_get_connection
to a new public API,get_connection_with_tls_context
. Existing custom HTTPAdapters will need to migrate their code to use this new API.get_connection
is considered deprecated in all versions of Requests>=2.32.0.A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)
v2.32.1
2.32.1 (2024-05-20)
Bugfixes
- Add missing test certs to the sdist distributed on PyPI.
v2.32.0
2.32.0 (2024-05-20)
🐍 PYCON US 2024 EDITION🐍 Security
- Fixed an issue where setting
verify=False
on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value ofverify
. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)Improvements
verify=True
now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)- Requests now supports optional use of character detection (
chardet
orcharset_normalizer
) when repackaged or vendored. This enablespip
and other projects to minimize their vendoring surface area. TheResponse.text()
andapparent_encoding
APIs will default toutf-8
if neither library is present. (#6702)Bugfixes
... (truncated)
Changelog
Sourced from requests's changelog.
2.32.2 (2024-05-21)
Deprecations
To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed
_get_connection
to a new public API,get_connection_with_tls_context
. Existing custom HTTPAdapters will need to migrate their code to use this new API.get_connection
is considered deprecated in all versions of Requests>=2.32.0.A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710)
2.32.1 (2024-05-20)
Bugfixes
- Add missing test certs to the sdist distributed on PyPI.
2.32.0 (2024-05-20)
Security
- Fixed an issue where setting
verify=False
on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value ofverify
. (https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)Improvements
verify=True
now reuses a global SSLContext which should improve request time variance between first and subsequent requests. It should also minimize certificate load time on Windows systems when using a Python version built with OpenSSL 3.x. (#6667)- Requests now supports optional use of character detection (
chardet
orcharset_normalizer
) when repackaged or vendored. This enablespip
and other projects to minimize their vendoring surface area. TheResponse.text()
andapparent_encoding
APIs will default toutf-8
if neither library is present. (#6702)Bugfixes
- Fixed bug in length detection where emoji length was incorrectly calculated in the request content-length. (#6589)
- Fixed deserialization bug in JSONDecodeError. (#6629)
- Fixed bug where an extra leading
/
(path separator) could lead urllib3 to unnecessarily reparse the request URI. (#6644)Deprecations
... (truncated)
Commits
-
88dce9d
v2.32.2 -
c98e4d1
Merge pull request #6710 from nateprewitt/api_rename -
92075b3
Add deprecation warning -
aa1461b
Move _get_connection to get_connection_with_tls_context -
970e8ce
v2.32.1 -
d6ebc4a
v2.32.0 -
9a40d12
Avoid reloading root certificates to improve concurrent performance (#6667) -
0c030f7
Merge pull request #6702 from nateprewitt/no_char_detection -
555b870
Allow character detection dependencies to be optional in post-packaging steps -
d6dded3
Merge pull request #6700 from franekmagiera/update-redirect-to-invalid-uri-test - Additional commits viewable in compare view