Source: requests
Version: 2.31.0+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/psf/requests/pull/6655
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for requests.

CVE-2024-35195[0]:
| Requests is a HTTP library. Prior to 2.32.0, when making requests
| through a Requests `Session`, if the first request is made with
| `verify=False` to disable cert verification, all subsequent requests
| to the same host will continue to ignore cert verification
| regardless of changes to the value of `verify`. This behavior will
| continue for the lifecycle of the connection in the connection pool.
| This vulnerability is fixed in 2.32.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35195
    https://www.cve.org/CVERecord?id=CVE-2024-35195
[1] https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
[2] https://github.com/psf/requests/pull/6655
[3] 
https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to