CVE-2024-35195
Publication date 20 May 2024
Last updated 5 December 2024
Ubuntu priority
Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
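The behaviour described above, modelled in pure Python as an added illustration (not requests' or urllib3's own code): a pool keyed only on scheme, host and port hands the already-handshaken keep-alive connection back to the next request, so a `verify=True` request inherits `CERT_NONE`; keying the pool on the TLS setting, as the 2.32.0 fix does, gives that request its own connection. Class and method names are simplified stand-ins for the real library API.

```python
# Added illustration, not requests' or urllib3's own code: a simplified model of
# why a pooled TLS connection keeps ignoring certificate checks, and of the
# 2.32.0-style fix (keying the pool on the TLS settings). Names are stand-ins.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Connection:
    # Handshake settings are fixed when the socket is opened; a kept-alive
    # connection is reused later without re-verifying anything.
    cert_reqs: str

@dataclass
class Pool:
    key: tuple
    cert_reqs: str = "CERT_REQUIRED"
    idle: list = field(default_factory=list)

    def get_conn(self) -> Connection:
        # Reuse an idle connection if there is one, else open a new one
        # with the pool's *current* setting.
        return self.idle.pop() if self.idle else Connection(self.cert_reqs)

class PoolManager:
    def __init__(self, key_includes_tls: bool):
        self.key_includes_tls = key_includes_tls
        self.pools: dict = {}

    def connection_from_url(self, url: str, verify: bool) -> Pool:
        u = urlsplit(url)
        key = (u.scheme, u.hostname, u.port or 443)
        if self.key_includes_tls:  # fixed behaviour: TLS setting is part of the key
            key += ("CERT_REQUIRED" if verify else "CERT_NONE",)
        return self.pools.setdefault(key, Pool(key))

class Adapter:
    def __init__(self, fixed: bool):
        self.poolmanager = PoolManager(key_includes_tls=fixed)

    def send(self, url: str, verify: bool = True) -> str:
        # Returns the cert_reqs the connection actually used for this request.
        pool = self.poolmanager.connection_from_url(url, verify)
        pool.cert_reqs = "CERT_REQUIRED" if verify else "CERT_NONE"  # cert_verify()
        conn = pool.get_conn()
        pool.idle.append(conn)  # keep-alive: connection goes back to the pool
        return conn.cert_reqs

def session_trace(fixed: bool) -> list:
    # The CVE scenario: verify=False first, then verify=True to the same host.
    a = Adapter(fixed)
    return [a.send("https://example.test/a", verify=False),
            a.send("https://example.test/b", verify=True)]
```

`session_trace(False)` reproduces the advisory (the second request still runs with `CERT_NONE`), while `session_trace(True)` shows the verified request getting a freshly verified connection.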
Status
Package | Ubuntu Release | Status |
---|---|---|
python-pip | 24.10 oracular | Vulnerable |
python-pip | 24.04 LTS noble | Vulnerable |
python-pip | 22.04 LTS jammy | Vulnerable |
python-pip | 20.04 LTS focal | Ignored (bundles requests during build, and requests cannot be patched) |
python-pip | 18.04 LTS bionic | Ignored (bundles requests during build, and requests cannot be patched) |
python-pip | 16.04 LTS xenial | Ignored (bundles requests during build, and requests cannot be patched) |
python-pip | 14.04 LTS trusty | Ignored (end of ESM support, was ignored [bundles requests during build, and requests cannot be patched]) |
requests | 24.10 oracular | Fixed (2.32.3+dfsg-1ubuntu1) |
requests | 24.04 LTS noble | Ignored (breaks users, requires source code updates) |
requests | 22.04 LTS jammy | Ignored (breaks users, requires source code updates) |
requests | 20.04 LTS focal | Ignored (breaks users, requires source code updates) |
requests | 18.04 LTS bionic | Ignored (breaks users, requires source code updates) |
requests | 16.04 LTS xenial | Ignored (breaks users, requires source code updates) |
requests | 14.04 LTS trusty | Ignored (end of ESM support, was ignored [breaks users, requires source code updates]) |
Notes
mdeslaur
On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched. The fix for this issue introduced regressions in certain other applications, such as docker (see https://github.com/docker/docker-py/pull/3257) and resulted in 2.32.0 and 2.32.1 being yanked, see: https://pypi.org/project/requests/#history. 2.32.2 and 2.32.3 were subsequently released to fix those regressions. Even with the regression fixes in 2.32.2 and 2.32.3, fixing this may still break applications that subclass HTTPAdapter, for example, cloud-init. See: https://github.com/canonical/cloud-init/pull/5435
vyomydv
The CVE patch causes a regression. The patch enforced the URL scheme to be either `http` or `https`. This broke users that used a custom scheme (e.g. `http+docker`) by implementing a custom `get_connection` method but used the default `send` method. Patching this CVE would require some users to update their source code like: https://github.com/docker/docker-py/pull/3257. python-pip, on focal and earlier versions, bundles requests during the build. Since requests can't be patched due to breaking changes, python-pip has been ignored on focal and earlier.
Patch details
Package | Patch details |
---|---|
requests | |