Source: requests Version: 2.31.0+dfsg-2 Severity: important Tags: security upstream Forwarded: https://github.com/psf/requests/pull/6655 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for requests. CVE-2024-35195[0]: | Requests is a HTTP library. Prior to 2.32.0, when making requests | through a Requests `Session`, if the first request is made with | `verify=False` to disable cert verification, all subsequent requests | to the same host will continue to ignore cert verification | regardless of changes to the value of `verify`. This behavior will | continue for the lifecycle of the connection in the connection pool. | This vulnerability is fixed in 2.32.0. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-35195 https://www.cve.org/CVERecord?id=CVE-2024-35195 [1] https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56 [2] https://github.com/psf/requests/pull/6655 [3] https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

