Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use TLS settings in selecting connection pool #6655

Merged
merged 1 commit into from
Mar 11, 2024

Conversation

sigmavirus24
Copy link
Contributor

Previously, if someone made a request with verify=False then made a request where they expected verification to be enabled to the same host, they would potentially reuse a connection where TLS had not been verified.

This fixes that issue.

@sigmavirus24 sigmavirus24 force-pushed the fix-tls-floppy branch 3 times, most recently from 3423966 to 238dc2f Compare March 6, 2024 17:22
Previously, if someone made a request with `verify=False` then made a
request where they expected verification to be enabled to the same host,
they would potentially reuse a connection where TLS had not been
verified.

This fixes that issue.
Comment on lines +65 to +66
if typing.TYPE_CHECKING:
from .models import PreparedRequest
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not against this, but I think this is the first time we're introducing typing into Requests. I'm curious if we want to start that or push it into typeshed since this will be precedent for future inline typing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is for a private method (that I fully anticipate people abusing) but we're not advertising things are typed and so it's not something I'm concerned with.

Comment on lines +2831 to +2836
def test_different_connection_pool_for_tls_settings(self):
s = requests.Session()
r1 = s.get("https://invalid.badssl.com", verify=False)
assert r1.status_code == 421
with pytest.raises(requests.exceptions.SSLError):
s.get("https://invalid.badssl.com")
Copy link
Member

@nateprewitt nateprewitt Mar 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There may not be a better way to test this but I don't know if we have other tests that require contacting a live site with TLS disabled. That may have some durability issues and means we're going to take the first response we get back. Probably minor, but figured I'd call it out.

Copy link
Contributor Author

@sigmavirus24 sigmavirus24 Mar 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are many alternatives here, but those are all significantly more effort and this shows the behaviour is fixed before and after handily. I'm sure Linux folks will get pissed but I'm not as bothered about finding time later to do this a different way after we have fixed this

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll try to prioritize better (offline) tests soon

Copy link
Member

@nateprewitt nateprewitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@sigmavirus24 sigmavirus24 merged commit a58d7f2 into psf:main Mar 11, 2024
25 checks passed
@sigmavirus24 sigmavirus24 deleted the fix-tls-floppy branch March 11, 2024 11:22
@nateprewitt nateprewitt added this to the 2.32.0 milestone May 15, 2024
lettuce-bot bot referenced this pull request in lettuce-financial/github-bot-signed-commit May 20, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [requests](https://requests.readthedocs.io)
([source](https://togithub.com/psf/requests),
[changelog](https://togithub.com/psf/requests/blob/master/HISTORY.md)) |
`==2.31.0` -> `==2.32.0` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/requests/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/requests/2.31.0/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.31.0/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-35195](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

When making requests through a Requests `Session`, if the first request
is made with `verify=False` to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of `verify`. This behavior will
continue for the lifecycle of the connection in the connection pool.

### Remediation
Any of these options can be used to remediate the current issue, we
highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first
request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear
existing connections if `verify=False` is used.

### Related Links
*
[https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

###
[`v2.32.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2320-2024-05-20)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.31.0...v2.32.0)

**Security**

- Fixed an issue where setting `verify=False` on the first request from
a
Session will cause subsequent requests to the *same origin* to also
ignore
    cert verification, regardless of the value of `verify`.

(GHSA-9wx4-h78v-vm56)

**Improvements**

-   `verify=True` now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a
Python
version built with OpenSSL 3.x.
([#&#8203;6667](https://togithub.com/psf/requests/issues/6667))
-   Requests now supports optional use of character detection
    (`chardet` or `charset_normalizer`) when repackaged or vendored.
    This enables `pip` and other projects to minimize their vendoring
    surface area. The `Response.text()` and `apparent_encoding` APIs
will default to `utf-8` if neither library is present.
([#&#8203;6702](https://togithub.com/psf/requests/issues/6702))

**Bugfixes**

-   Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length.
([#&#8203;6589](https://togithub.com/psf/requests/issues/6589))
- Fixed deserialization bug in JSONDecodeError.
([#&#8203;6629](https://togithub.com/psf/requests/issues/6629))
-   Fixed bug where an extra leading `/` (path separator) could lead
urllib3 to unnecessarily reparse the request URI.
([#&#8203;6644](https://togithub.com/psf/requests/issues/6644))

**Deprecations**

- Requests has officially added support for CPython 3.12
([#&#8203;6503](https://togithub.com/psf/requests/issues/6503))
- Requests has officially added support for PyPy 3.9 and 3.10
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))
- Requests has officially dropped support for CPython 3.7
([#&#8203;6642](https://togithub.com/psf/requests/issues/6642))
- Requests has officially dropped support for PyPy 3.7 and 3.8
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))

**Documentation**

-   Various typo fixes and doc improvements.

**Packaging**

-   Requests has started adopting some modern packaging practices.
The source files for the projects (formerly `requests`) is now located
in `src/requests` in the Requests sdist.
([#&#8203;6506](https://togithub.com/psf/requests/issues/6506))
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build
system
using `hatchling`. This should not impact the average user, but
extremely old
versions of packaging utilities may have issues with the new packaging
format.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/lettuce-financial/github-bot-signed-commit).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNjMuNSIsInVwZGF0ZWRJblZlciI6IjM3LjM2My41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
kodiakhq bot referenced this pull request in cloudquery/cloudquery May 21, 2024
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [requests](https://requests.readthedocs.io) ([source](https://togithub.com/psf/requests), [changelog](https://togithub.com/psf/requests/blob/master/HISTORY.md)) | minor | `==2.31.0` -> `==2.32.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2024-35195](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool.

### Remediation
Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used.

### Related Links
* [https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

### [`v2.32.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2320-2024-05-20)

[Compare Source](https://togithub.com/psf/requests/compare/v2.31.0...v2.32.0)

**Security**

-   Fixed an issue where setting `verify=False` on the first request from a
    Session will cause subsequent requests to the *same origin* to also ignore
    cert verification, regardless of the value of `verify`.
    (GHSA-9wx4-h78v-vm56)

**Improvements**

-   `verify=True` now reuses a global SSLContext which should improve
    request time variance between first and subsequent requests. It should
    also minimize certificate load time on Windows systems when using a Python
    version built with OpenSSL 3.x. ([#&#8203;6667](https://togithub.com/psf/requests/issues/6667))
-   Requests now supports optional use of character detection
    (`chardet` or `charset_normalizer`) when repackaged or vendored.
    This enables `pip` and other projects to minimize their vendoring
    surface area. The `Response.text()` and `apparent_encoding` APIs
    will default to `utf-8` if neither library is present. ([#&#8203;6702](https://togithub.com/psf/requests/issues/6702))

**Bugfixes**

-   Fixed bug in length detection where emoji length was incorrectly
    calculated in the request content-length. ([#&#8203;6589](https://togithub.com/psf/requests/issues/6589))
-   Fixed deserialization bug in JSONDecodeError. ([#&#8203;6629](https://togithub.com/psf/requests/issues/6629))
-   Fixed bug where an extra leading `/` (path separator) could lead
    urllib3 to unnecessarily reparse the request URI. ([#&#8203;6644](https://togithub.com/psf/requests/issues/6644))

**Deprecations**

-   Requests has officially added support for CPython 3.12 ([#&#8203;6503](https://togithub.com/psf/requests/issues/6503))
-   Requests has officially added support for PyPy 3.9 and 3.10 ([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))
-   Requests has officially dropped support for CPython 3.7 ([#&#8203;6642](https://togithub.com/psf/requests/issues/6642))
-   Requests has officially dropped support for PyPy 3.7 and 3.8 ([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))

**Documentation**

-   Various typo fixes and doc improvements.

**Packaging**

-   Requests has started adopting some modern packaging practices.
    The source files for the projects (formerly `requests`) is now located
    in `src/requests` in the Requests sdist. ([#&#8203;6506](https://togithub.com/psf/requests/issues/6506))
-   Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system
    using `hatchling`. This should not impact the average user, but extremely old
    versions of packaging utilities may have issues with the new packaging format.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).
JoeWang1127 referenced this pull request in googleapis/sdk-platform-java May 21, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [requests](https://requests.readthedocs.io)
([source](https://togithub.com/psf/requests),
[changelog](https://togithub.com/psf/requests/blob/master/HISTORY.md)) |
`==2.31.0` -> `==2.32.0` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/requests/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/requests/2.31.0/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.31.0/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2024-35195](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

When making requests through a Requests `Session`, if the first request
is made with `verify=False` to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of `verify`. This behavior will
continue for the lifecycle of the connection in the connection pool.

### Remediation
Any of these options can be used to remediate the current issue, we
highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first
request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear
existing connections if `verify=False` is used.

### Related Links
*
[https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

###
[`v2.32.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2320-2024-05-20)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.31.0...v2.32.0)

**Security**

- Fixed an issue where setting `verify=False` on the first request from
a
Session will cause subsequent requests to the *same origin* to also
ignore
    cert verification, regardless of the value of `verify`.

(GHSA-9wx4-h78v-vm56)

**Improvements**

-   `verify=True` now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a
Python
version built with OpenSSL 3.x.
([#&#8203;6667](https://togithub.com/psf/requests/issues/6667))
-   Requests now supports optional use of character detection
    (`chardet` or `charset_normalizer`) when repackaged or vendored.
    This enables `pip` and other projects to minimize their vendoring
    surface area. The `Response.text()` and `apparent_encoding` APIs
will default to `utf-8` if neither library is present.
([#&#8203;6702](https://togithub.com/psf/requests/issues/6702))

**Bugfixes**

-   Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length.
([#&#8203;6589](https://togithub.com/psf/requests/issues/6589))
- Fixed deserialization bug in JSONDecodeError.
([#&#8203;6629](https://togithub.com/psf/requests/issues/6629))
-   Fixed bug where an extra leading `/` (path separator) could lead
urllib3 to unnecessarily reparse the request URI.
([#&#8203;6644](https://togithub.com/psf/requests/issues/6644))

**Deprecations**

- Requests has officially added support for CPython 3.12
([#&#8203;6503](https://togithub.com/psf/requests/issues/6503))
- Requests has officially added support for PyPy 3.9 and 3.10
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))
- Requests has officially dropped support for CPython 3.7
([#&#8203;6642](https://togithub.com/psf/requests/issues/6642))
- Requests has officially dropped support for PyPy 3.7 and 3.8
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))

**Documentation**

-   Various typo fixes and doc improvements.

**Packaging**

-   Requests has started adopting some modern packaging practices.
The source files for the projects (formerly `requests`) is now located
in `src/requests` in the Requests sdist.
([#&#8203;6506](https://togithub.com/psf/requests/issues/6506))
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build
system
using `hatchling`. This should not impact the average user, but
extremely old
versions of packaging utilities may have issues with the new packaging
format.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/googleapis/sdk-platform-java).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNjguMTAiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNjguMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
sigmavirus24 added a commit to sigmavirus24/requests that referenced this pull request May 22, 2024
This re-enables the use case of providing a custom SSLContext via a
Transport Adapter as broken in psf#6655 and reported in psf#6715

Closes psf#6715
lqiu96 referenced this pull request in googleapis/sdk-platform-java May 22, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [requests](https://requests.readthedocs.io)
([source](https://togithub.com/psf/requests),
[changelog](https://togithub.com/psf/requests/blob/master/HISTORY.md)) |
`==2.31.0` -> `==2.32.0` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/requests/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/requests/2.31.0/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.31.0/2.32.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2024-35195](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

When making requests through a Requests `Session`, if the first request
is made with `verify=False` to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of `verify`. This behavior will
continue for the lifecycle of the connection in the connection pool.

### Remediation
Any of these options can be used to remediate the current issue, we
highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first
request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear
existing connections if `verify=False` is used.

### Related Links
*
[https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

###
[`v2.32.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2320-2024-05-20)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.31.0...v2.32.0)

**Security**

- Fixed an issue where setting `verify=False` on the first request from
a
Session will cause subsequent requests to the *same origin* to also
ignore
    cert verification, regardless of the value of `verify`.

(GHSA-9wx4-h78v-vm56)

**Improvements**

-   `verify=True` now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a
Python
version built with OpenSSL 3.x.
([#&#8203;6667](https://togithub.com/psf/requests/issues/6667))
-   Requests now supports optional use of character detection
    (`chardet` or `charset_normalizer`) when repackaged or vendored.
    This enables `pip` and other projects to minimize their vendoring
    surface area. The `Response.text()` and `apparent_encoding` APIs
will default to `utf-8` if neither library is present.
([#&#8203;6702](https://togithub.com/psf/requests/issues/6702))

**Bugfixes**

-   Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length.
([#&#8203;6589](https://togithub.com/psf/requests/issues/6589))
- Fixed deserialization bug in JSONDecodeError.
([#&#8203;6629](https://togithub.com/psf/requests/issues/6629))
-   Fixed bug where an extra leading `/` (path separator) could lead
urllib3 to unnecessarily reparse the request URI.
([#&#8203;6644](https://togithub.com/psf/requests/issues/6644))

**Deprecations**

- Requests has officially added support for CPython 3.12
([#&#8203;6503](https://togithub.com/psf/requests/issues/6503))
- Requests has officially added support for PyPy 3.9 and 3.10
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))
- Requests has officially dropped support for CPython 3.7
([#&#8203;6642](https://togithub.com/psf/requests/issues/6642))
- Requests has officially dropped support for PyPy 3.7 and 3.8
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))

**Documentation**

-   Various typo fixes and doc improvements.

**Packaging**

-   Requests has started adopting some modern packaging practices.
The source files for the projects (formerly `requests`) is now located
in `src/requests` in the Requests sdist.
([#&#8203;6506](https://togithub.com/psf/requests/issues/6506))
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build
system
using `hatchling`. This should not impact the average user, but
extremely old
versions of packaging utilities may have issues with the new packaging
format.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/googleapis/sdk-platform-java).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNjguMTAiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNjguMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
justuswilhelm added a commit to jwpconsulting/projectify that referenced this pull request May 26, 2024
justuswilhelm added a commit to jwpconsulting/projectify that referenced this pull request May 26, 2024
justuswilhelm added a commit to jwpconsulting/projectify that referenced this pull request May 26, 2024
trini added a commit to trini/u-boot that referenced this pull request May 29, 2024
The issue described in psf/requests#6655 has
been assigned as a security issue. While unlikely to be exploited in our
usage, update to the current release to fix it.

Reported-by: GitHub dependabot
Signed-off-by: Tom Rini <[email protected]>
lucyli-ca added a commit to lucyli-ca/llvm that referenced this pull request Jun 3, 2024
Bumps requests (pip) from 2.32.0 to resolve identified security vulnerability in 3rd party dependency.

When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool.

Upgrading will resolve this issue.

Refer to psf/requests#6655
sarnex pushed a commit to intel/llvm that referenced this pull request Jun 3, 2024
…14022)

Bumps requests (pip) from 2.32.0 to resolve identified security
vulnerability in 3rd party dependency.

When making requests through a Requests Session, if the first request is
made with verify=False to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of verify. This behavior will
continue for the lifecycle of the connection in the connection pool.

Upgrading will resolve this issue.

Refer to psf/requests#6655
trini added a commit to trini/u-boot that referenced this pull request Jun 6, 2024
The issue described in psf/requests#6655 has
been assigned as a security issue. While unlikely to be exploited in our
usage, update to the current release to fix it. Furthermore, upstream
has now moved on to v2.23.2 as the release to use which has all of the
issues resolved.

Reported-by: GitHub dependabot
Signed-off-by: Tom Rini <[email protected]>
---
Changes in v2:
- Switch from 2.23.0 to 2.23.2 to use most recent upstream.
trini added a commit to trini/u-boot that referenced this pull request Jun 13, 2024
The issue described in psf/requests#6655 has
been assigned as a security issue. While unlikely to be exploited in our
usage, update to the current release to fix it. Furthermore, upstream
has now moved on to v2.23.2 as the release to use which has all of the
issues resolved.

Reported-by: GitHub dependabot
Signed-off-by: Tom Rini <[email protected]>
jooola referenced this pull request in libretime/libretime Jun 22, 2024
…3032)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [requests](https://requests.readthedocs.io)
([source](https://togithub.com/psf/requests),
[changelog](https://togithub.com/psf/requests/blob/master/HISTORY.md)) |
`>=2.31.0,<2.32` -> `>=2.32.2,<2.33` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/requests/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/requests/2.31.0/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.31.0/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-35195](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

When making requests through a Requests `Session`, if the first request
is made with `verify=False` to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of `verify`. This behavior will
continue for the lifecycle of the connection in the connection pool.

### Remediation
Any of these options can be used to remediate the current issue, we
highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first
request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear
existing connections if `verify=False` is used.

### Related Links
*
[https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

###
[`v2.32.2`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2322-2024-05-21)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.32.1...v2.32.2)

**Deprecations**

-   To provide a more stable migration for custom HTTPAdapters impacted
    by the CVE changes in 2.32.0, we've renamed `_get_connection` to
    a new public API, `get_connection_with_tls_context`. Existing custom
    HTTPAdapters will need to migrate their code to use this new API.
`get_connection` is considered deprecated in all versions of
Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom
adapter
is subject to the same issue described in CVE-2024-35195.
([#&#8203;6710](https://togithub.com/psf/requests/issues/6710))

###
[`v2.32.1`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2321-2024-05-20)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.32.0...v2.32.1)

**Bugfixes**

-   Add missing test certs to the sdist distributed on PyPI.

###
[`v2.32.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2320-2024-05-20)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.31.0...v2.32.0)

**Security**

- Fixed an issue where setting `verify=False` on the first request from
a
Session will cause subsequent requests to the *same origin* to also
ignore
    cert verification, regardless of the value of `verify`.

(GHSA-9wx4-h78v-vm56)

**Improvements**

-   `verify=True` now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a
Python
version built with OpenSSL 3.x.
([#&#8203;6667](https://togithub.com/psf/requests/issues/6667))
-   Requests now supports optional use of character detection
    (`chardet` or `charset_normalizer`) when repackaged or vendored.
    This enables `pip` and other projects to minimize their vendoring
    surface area. The `Response.text()` and `apparent_encoding` APIs
will default to `utf-8` if neither library is present.
([#&#8203;6702](https://togithub.com/psf/requests/issues/6702))

**Bugfixes**

-   Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length.
([#&#8203;6589](https://togithub.com/psf/requests/issues/6589))
- Fixed deserialization bug in JSONDecodeError.
([#&#8203;6629](https://togithub.com/psf/requests/issues/6629))
-   Fixed bug where an extra leading `/` (path separator) could lead
urllib3 to unnecessarily reparse the request URI.
([#&#8203;6644](https://togithub.com/psf/requests/issues/6644))

**Deprecations**

- Requests has officially added support for CPython 3.12
([#&#8203;6503](https://togithub.com/psf/requests/issues/6503))
- Requests has officially added support for PyPy 3.9 and 3.10
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))
- Requests has officially dropped support for CPython 3.7
([#&#8203;6642](https://togithub.com/psf/requests/issues/6642))
- Requests has officially dropped support for PyPy 3.7 and 3.8
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))

**Documentation**

-   Various typo fixes and doc improvements.

**Packaging**

-   Requests has started adopting some modern packaging practices.
The source files for the projects (formerly `requests`) is now located
in `src/requests` in the Requests sdist.
([#&#8203;6506](https://togithub.com/psf/requests/issues/6506))
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build
system
using `hatchling`. This should not impact the average user, but
extremely old
versions of packaging utilities may have issues with the new packaging
format.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/libretime/libretime).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MTAuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQxMy4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJweXRob24iXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
G82ft added a commit to G82ft/e926-2-tg that referenced this pull request Jul 8, 2024
@eugrin eugrin mentioned this pull request Jul 15, 2024
2 tasks
JoshuaWierenga added a commit to UTAS-Programming-Club/DiscordBot that referenced this pull request Jul 17, 2024
Older versions have a security issue.
psf/requests#6655
tylerezimmerman referenced this pull request in DelineaXPM/python-dsv-sdk Jul 25, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [requests](https://requests.readthedocs.io)
([source](https://togithub.com/psf/requests),
[changelog](https://togithub.com/psf/requests/blob/master/HISTORY.md)) |
`==2.28.2` -> `==2.32.2` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/requests/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/requests/2.28.2/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.28.2/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2023-32681](https://togithub.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)

### Impact

Since Requests v2.3.0, Requests has been vulnerable to potentially
leaking `Proxy-Authorization` headers to destination servers,
specifically during redirects to an HTTPS origin. This is a product of
how `rebuild_proxies` is used to recompute and [reattach the
`Proxy-Authorization`
header](https://togithub.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328)
to requests when redirected. Note this behavior has _only_ been observed
to affect proxied requests when credentials are supplied in the URL user
information component (e.g. `https://username:password@proxy:8080`).

**Current vulnerable behavior(s):**

1. HTTP → HTTPS: **leak**
2. HTTPS → HTTP: **no leak**
3. HTTPS → HTTPS: **leak**
4. HTTP → HTTP: **no leak**

For HTTP connections sent through the proxy, the proxy will identify the
header in the request itself and remove it prior to forwarding to the
destination server. However when sent over HTTPS, the
`Proxy-Authorization` header must be sent in the CONNECT request as the
proxy has no visibility into further tunneled requests. This results in
Requests forwarding the header to the destination server
unintentionally, allowing a malicious actor to potentially exfiltrate
those credentials.

The reason this currently works for HTTPS connections in Requests is the
`Proxy-Authorization` header is also handled by urllib3 with our usage
of the ProxyManager in adapters.py with
[`proxy_manager_for`](https://togithub.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235).
This will compute the required proxy headers in `proxy_headers` and pass
them to the Proxy Manager, avoiding attaching them directly to the
Request object. This will be our preferred option going forward for
default usage.

### Patches
Starting in Requests v2.31.0, Requests will no longer attach this header
to redirects with an HTTPS destination. This should have no negative
impacts on the default behavior of the library as the proxy credentials
are already properly being handled by urllib3's ProxyManager.

For users with custom adapters, this _may_ be potentially breaking if
you were already working around this behavior. The previous
functionality of `rebuild_proxies` doesn't make sense in any case, so we
would encourage any users impacted to migrate any handling of
Proxy-Authorization directly into their custom adapter.

### Workarounds
For users who are not able to update Requests immediately, there is one
potential workaround.

You may disable redirects by setting `allow_redirects` to `False` on all
calls through Requests top-level APIs. Note that if you're currently
relying on redirect behaviors, you will need to capture the 3xx response
codes and ensure a new request is made to the redirect destination.
```
import requests
r = requests.get('http://github.com/', allow_redirects=False)
```

### Credits

This vulnerability was discovered and disclosed by the following
individuals.

Dennis Brinkrolf, Haxolot (https://haxolot.com/)
Tobias Funke, (tobiasfunke93@&#8203;gmail.com)

####
[CVE-2024-35195](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

When making requests through a Requests `Session`, if the first request
is made with `verify=False` to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of `verify`. This behavior will
continue for the lifecycle of the connection in the connection pool.

### Remediation
Any of these options can be used to remediate the current issue, we
highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first
request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear
existing connections if `verify=False` is used.

### Related Links
*
[https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)

---

### Unintended leak of Proxy-Authorization header in requests
[CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681) /
[GHSA-j8r2-6x86-q33q](https://togithub.com/advisories/GHSA-j8r2-6x86-q33q)
/ PYSEC-2023-74

<details>
<summary>More information</summary>

#### Details
##### Impact

Since Requests v2.3.0, Requests has been vulnerable to potentially
leaking `Proxy-Authorization` headers to destination servers,
specifically during redirects to an HTTPS origin. This is a product of
how `rebuild_proxies` is used to recompute and [reattach the
`Proxy-Authorization`
header](https://togithub.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328)
to requests when redirected. Note this behavior has _only_ been observed
to affect proxied requests when credentials are supplied in the URL user
information component (e.g. `https://username:password@proxy:8080`).

**Current vulnerable behavior(s):**

1. HTTP → HTTPS: **leak**
2. HTTPS → HTTP: **no leak**
3. HTTPS → HTTPS: **leak**
4. HTTP → HTTP: **no leak**

For HTTP connections sent through the proxy, the proxy will identify the
header in the request itself and remove it prior to forwarding to the
destination server. However when sent over HTTPS, the
`Proxy-Authorization` header must be sent in the CONNECT request as the
proxy has no visibility into further tunneled requests. This results in
Requests forwarding the header to the destination server
unintentionally, allowing a malicious actor to potentially exfiltrate
those credentials.

The reason this currently works for HTTPS connections in Requests is the
`Proxy-Authorization` header is also handled by urllib3 with our usage
of the ProxyManager in adapters.py with
[`proxy_manager_for`](https://togithub.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235).
This will compute the required proxy headers in `proxy_headers` and pass
them to the Proxy Manager, avoiding attaching them directly to the
Request object. This will be our preferred option going forward for
default usage.

##### Patches
Starting in Requests v2.31.0, Requests will no longer attach this header
to redirects with an HTTPS destination. This should have no negative
impacts on the default behavior of the library as the proxy credentials
are already properly being handled by urllib3's ProxyManager.

For users with custom adapters, this _may_ be potentially breaking if
you were already working around this behavior. The previous
functionality of `rebuild_proxies` doesn't make sense in any case, so we
would encourage any users impacted to migrate any handling of
Proxy-Authorization directly into their custom adapter.

##### Workarounds
For users who are not able to update Requests immediately, there is one
potential workaround.

You may disable redirects by setting `allow_redirects` to `False` on all
calls through Requests top-level APIs. Note that if you're currently
relying on redirect behaviors, you will need to capture the 3xx response
codes and ensure a new request is made to the redirect destination.
```
import requests
r = requests.get('http://github.com/', allow_redirects=False)
```

##### Credits

This vulnerability was discovered and disclosed by the following
individuals.

Dennis Brinkrolf, Haxolot (https://haxolot.com/)
Tobias Funke, (tobiasfunke93@&#8203;gmail.com)

#### Severity
- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N`

#### References
-
[https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q](https://togithub.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
-
[https://nvd.nist.gov/vuln/detail/CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681)
-
[https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5](https://togithub.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5)
- [https://github.com/psf/requests](https://togithub.com/psf/requests)
-
[https://github.com/psf/requests/releases/tag/v2.31.0](https://togithub.com/psf/requests/releases/tag/v2.31.0)
-
[https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml](https://togithub.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml)
-
[https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html](https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y](https://lists.fedoraproject.org/archives/list/[email protected]/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ](https://lists.fedoraproject.org/archives/list/[email protected]/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ)
-
[https://security.gentoo.org/glsa/202309-08](https://security.gentoo.org/glsa/202309-08)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-j8r2-6x86-q33q) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681) /
[GHSA-j8r2-6x86-q33q](https://togithub.com/advisories/GHSA-j8r2-6x86-q33q)
/ PYSEC-2023-74

<details>
<summary>More information</summary>

#### Details
Requests is a HTTP library. Since Requests 2.3.0, Requests has been
leaking Proxy-Authorization headers to destination servers when
redirected to an HTTPS endpoint. This is a product of how we use
`rebuild_proxies` to reattach the `Proxy-Authorization` header to
requests. For HTTP connections sent through the tunnel, the proxy will
identify the header in the request itself and remove it prior to
forwarding to the destination server. However when sent over HTTPS, the
`Proxy-Authorization` header must be sent in the CONNECT request as the
proxy has no visibility into the tunneled request. This results in
Requests forwarding proxy credentials to the destination server
unintentionally, allowing a malicious actor to potentially exfiltrate
sensitive information. This issue has been patched in version 2.31.0.

#### Severity
Unknown

#### References
-
[https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q](https://togithub.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
-
[https://github.com/psf/requests/releases/tag/v2.31.0](https://togithub.com/psf/requests/releases/tag/v2.31.0)
-
[https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5](https://togithub.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/](https://lists.fedoraproject.org/archives/list/[email protected]/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/)

This data is provided by
[OSV](https://osv.dev/vulnerability/PYSEC-2023-74) and the [PyPI
Advisory Database](https://togithub.com/pypa/advisory-database) ([CC-BY
4.0](https://togithub.com/pypa/advisory-database/blob/main/LICENSE)).
</details>

---

### Requests `Session` object does not verify requests after making
first request with verify=False
[CVE-2024-35195](https://nvd.nist.gov/vuln/detail/CVE-2024-35195) /
[GHSA-9wx4-h78v-vm56](https://togithub.com/advisories/GHSA-9wx4-h78v-vm56)

<details>
<summary>More information</summary>

#### Details
When making requests through a Requests `Session`, if the first request
is made with `verify=False` to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of `verify`. This behavior will
continue for the lifecycle of the connection in the connection pool.

##### Remediation
Any of these options can be used to remediate the current issue, we
highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first
request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear
existing connections if `verify=False` is used.

##### Related Links
*
[https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)

#### Severity
- CVSS Score: 5.6 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N`

#### References
-
[https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)
-
[https://nvd.nist.gov/vuln/detail/CVE-2024-35195](https://nvd.nist.gov/vuln/detail/CVE-2024-35195)
-
[https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)
-
[https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac](https://togithub.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac)
- [https://github.com/psf/requests](https://togithub.com/psf/requests)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q](https://lists.fedoraproject.org/archives/list/[email protected]/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q)
-
[https://lists.fedoraproject.org/archives/list/[email protected]/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ](https://lists.fedoraproject.org/archives/list/[email protected]/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-9wx4-h78v-vm56) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

###
[`v2.32.2`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2322-2024-05-21)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.32.1...v2.32.2)

**Deprecations**

-   To provide a more stable migration for custom HTTPAdapters impacted
    by the CVE changes in 2.32.0, we've renamed `_get_connection` to
    a new public API, `get_connection_with_tls_context`. Existing custom
    HTTPAdapters will need to migrate their code to use this new API.
`get_connection` is considered deprecated in all versions of
Requests>=2.32.0.

A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom
adapter
is subject to the same issue described in CVE-2024-35195.
([#&#8203;6710](https://togithub.com/psf/requests/issues/6710))

###
[`v2.32.1`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2321-2024-05-20)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.32.0...v2.32.1)

**Bugfixes**

-   Add missing test certs to the sdist distributed on PyPI.

###
[`v2.32.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2320-2024-05-20)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.31.0...v2.32.0)

**Security**

- Fixed an issue where setting `verify=False` on the first request from
a
Session will cause subsequent requests to the *same origin* to also
ignore
    cert verification, regardless of the value of `verify`.

(GHSA-9wx4-h78v-vm56)

**Improvements**

-   `verify=True` now reuses a global SSLContext which should improve
request time variance between first and subsequent requests. It should
also minimize certificate load time on Windows systems when using a
Python
version built with OpenSSL 3.x.
([#&#8203;6667](https://togithub.com/psf/requests/issues/6667))
-   Requests now supports optional use of character detection
    (`chardet` or `charset_normalizer`) when repackaged or vendored.
    This enables `pip` and other projects to minimize their vendoring
    surface area. The `Response.text()` and `apparent_encoding` APIs
will default to `utf-8` if neither library is present.
([#&#8203;6702](https://togithub.com/psf/requests/issues/6702))

**Bugfixes**

-   Fixed bug in length detection where emoji length was incorrectly
calculated in the request content-length.
([#&#8203;6589](https://togithub.com/psf/requests/issues/6589))
- Fixed deserialization bug in JSONDecodeError.
([#&#8203;6629](https://togithub.com/psf/requests/issues/6629))
-   Fixed bug where an extra leading `/` (path separator) could lead
urllib3 to unnecessarily reparse the request URI.
([#&#8203;6644](https://togithub.com/psf/requests/issues/6644))

**Deprecations**

- Requests has officially added support for CPython 3.12
([#&#8203;6503](https://togithub.com/psf/requests/issues/6503))
- Requests has officially added support for PyPy 3.9 and 3.10
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))
- Requests has officially dropped support for CPython 3.7
([#&#8203;6642](https://togithub.com/psf/requests/issues/6642))
- Requests has officially dropped support for PyPy 3.7 and 3.8
([#&#8203;6641](https://togithub.com/psf/requests/issues/6641))

**Documentation**

-   Various typo fixes and doc improvements.

**Packaging**

-   Requests has started adopting some modern packaging practices.
The source files for the projects (formerly `requests`) is now located
in `src/requests` in the Requests sdist.
([#&#8203;6506](https://togithub.com/psf/requests/issues/6506))
- Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build
system
using `hatchling`. This should not impact the average user, but
extremely old
versions of packaging utilities may have issues with the new packaging
format.

###
[`v2.31.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2310-2023-05-22)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.30.0...v2.31.0)

**Security**

- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to
potential
forwarding of `Proxy-Authorization` headers to destination servers when
    following HTTPS redirects.

When proxies are defined with user info
(`https://user:pass@proxy:8080`), Requests
will construct a `Proxy-Authorization` header that is attached to the
request to
    authenticate with the proxy.

In cases where Requests receives a redirect response, it previously
reattached
the `Proxy-Authorization` header incorrectly, resulting in the value
being
sent through the tunneled connection to the destination server. Users
who rely on
defining their proxy credentials in the URL are *strongly* encouraged to
upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their
proxy
    credentials once the change has been fully deployed.

Users who do not use a proxy or do not supply their proxy credentials
through
the user information portion of their proxy URL are not subject to this
    vulnerability.

Full details can be read in our [Github Security
Advisory](https://togithub.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681).

###
[`v2.30.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2300-2023-05-03)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.29.0...v2.30.0)

**Dependencies**

-   ⚠️ Added support for urllib3 2.0. ⚠️

This may contain minor breaking changes so we advise careful testing and
reviewing
https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html
    prior to upgrading.

    Users who wish to stay on urllib3 1.x can pin to `urllib3<2`.

###
[`v2.29.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2290-2023-04-26)

[Compare
Source](https://togithub.com/psf/requests/compare/v2.28.2...v2.29.0)

**Improvements**

- Requests now defers chunked requests to the urllib3 implementation to
improve
standardization.
([#&#8203;6226](https://togithub.com/psf/requests/issues/6226))
- Requests relaxes header component requirements to support bytes/str
subclasses.
([#&#8203;6356](https://togithub.com/psf/requests/issues/6356))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/DelineaXPM/python-dsv-sdk).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MTAuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQzOC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJzZWN1cml0eSJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 18, 2024
GitHub Dependabot has issued the following alert:

"build(deps): bump requests from 2.31.0 to 2.32.2 in
 /drivers/gpu/drm/ci/xfails.

 When making requests through a Requests Session, if the first
 request is made with verify=False to disable cert verification,
 all subsequent requests to the same origin will continue to ignore
 cert verification regardless of changes to the value of verify.
 This behavior will continue for the lifecycle of the connection in
 the connection pool.

 Severity: 5.6 / 10 (Moderate)
 Attack vector:          Local
 Attack complexity:       High
 Privileges required:     High
 User interaction:    Required
 Scope:              Unchanged
 Confidentiality:         High
 Integrity:               High
 Availability:            None
 CVE ID:        CVE-2024-35195"

To avoid disturbing everyone with the kernel repo hosted on GitHub,
I suggest we upgrade our python dependencies once again to appease
GitHub Dependabot.

Link: https://github.com/dependabot
Link: psf/requests#6655
Signed-off-by: WangYuli <[email protected]>
Copy link

@Thompson1985 Thompson1985 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants