CVE-2024-35195

Publication date 20 May 2024

Last updated 24 July 2024


Ubuntu priority

Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request to a host is made with `verify=False` to disable certificate verification, all subsequent requests to the same host continue to skip certificate verification regardless of the value of `verify` passed later. This behaviour persists for the lifetime of the connection in the connection pool: the pooled connection is reused as it was opened, and reusing it never re-runs verification. This vulnerability is fixed in 2.32.0.
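The mechanism described above, as an added example that is not code from the requests or urllib3 projects: a pure-Python model of a keep-alive pool whose connections carry the verify setting they were opened with. `VulnerablePool` keys connections on (scheme, host, port) only, as requests did before 2.32.0, so the first connection to a host, opened with `verify=False`, is handed to every later request whatever `verify` it passes. `TlsKeyedPool` folds the TLS setting into the key, which is the shape of the 2.32.x fix (the real change maps `verify` and `cert` into the urllib3 pool-key attributes). All class and function names here are hypothetical stand-ins, and the host name is made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# `verify` as requests accepts it: True (default CA bundle), False, or a path
# to a CA bundle. Hypothetical model types; not code from requests/urllib3.
Verify = Union[bool, str]


@dataclass
class PooledConnection:
    """A kept-alive connection. Its TLS settings are fixed when it is opened;
    reusing it never re-runs certificate verification."""
    host: str
    opened_with_verify: Verify
    reuses: int = 0


class VulnerablePool:
    """Pool keyed on (scheme, host, port) only, as before requests 2.32.0:
    whatever `verify` a later request carries, the cached connection wins."""

    def __init__(self) -> None:
        self._conns: Dict[Tuple, PooledConnection] = {}

    def _key(self, scheme: str, host: str, port: int, verify: Verify) -> Tuple:
        return (scheme, host, port)  # `verify` deliberately NOT part of the key

    def connection_for(self, scheme: str, host: str, port: int,
                       verify: Verify) -> PooledConnection:
        key = self._key(scheme, host, port, verify)
        conn = self._conns.get(key)
        if conn is None:
            # First request to this host opens the connection with *its* verify.
            conn = PooledConnection(host, verify)
            self._conns[key] = conn
        else:
            conn.reuses += 1
        return conn


class TlsKeyedPool(VulnerablePool):
    """Same pool, but the TLS setting is part of the key, so a connection
    opened with verify=False is never reused for a verify=True request."""

    def _key(self, scheme: str, host: str, port: int, verify: Verify) -> Tuple:
        return (scheme, host, port, verify)


def effective_verify(pool: VulnerablePool, verifies: List[Verify],
                     host: str = "api.example.test") -> List[Verify]:
    """Send a series of HTTPS requests to one host through `pool`, each with
    its own `verify`, and report which verify setting was actually in force
    for each request (that of the connection that served it)."""
    return [pool.connection_for("https", host, 443, v).opened_with_verify
            for v in verifies]


if __name__ == "__main__":
    sequence: List[Verify] = [False, True, "/etc/ssl/certs/ca-certificates.crt"]
    print("requested:", sequence)
    print("pre-2.32.0 pool :", effective_verify(VulnerablePool(), sequence))
    print("TLS-keyed pool  :", effective_verify(TlsKeyedPool(), sequence))
```

On an unpatched requests the practical mitigation is not to mix `verify` values within one `Session`: use a separate `Session` for any `verify=False` work, or call `session.close()` before switching, which closes the mounted adapters and clears their connection pools.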


Status

Package      Ubuntu Release      Status
python-pip   24.04 LTS noble     Vulnerable
             23.10 mantic        Ignored
             22.04 LTS jammy     Vulnerable
             20.04 LTS focal     Vulnerable
             18.04 LTS bionic    Vulnerable
             16.04 LTS xenial    Vulnerable
             14.04 LTS trusty    Vulnerable
requests     24.04 LTS noble     Ignored
             23.10 mantic        Ignored
             22.04 LTS jammy     Ignored
             20.04 LTS focal     Ignored
             18.04 LTS bionic    Ignored
             16.04 LTS xenial    Ignored
             14.04 LTS trusty    Ignored

Notes


mdeslaur

On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched.

The fix for this issue introduced regressions in certain other applications, such as docker. See https://github.com/docker/docker-py/pull/3257. This resulted in 2.32.0 and 2.32.1 being yanked, see: https://pypi.org/project/requests/#history. 2.32.2 and 2.32.3 were subsequently released to fix those regressions.

Even with the regression fixes in 2.32.2 and 2.32.3, fixing this may still break applications that subclass HTTPAdapter, for example, cloud-init. See: https://github.com/canonical/cloud-init/pull/5435


vyomydv

The CVE patch causes a regression. The patch enforces the URL scheme to be either `http` or `https`. This broke users that used a custom scheme (e.g. `http+docker`) by implementing a custom `get_connection` method but using the default `send` method. Patching this CVE would require some users to update their source code, as in: https://github.com/docker/docker-py/pull/3257
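The notes above point out that an Ubuntu host can carry two copies of requests, the python3-requests package and the copy vendored inside python-pip, and that a distribution fix keeps the old upstream version number. The following is an added audit script, not code from Ubuntu or the requests project, that locates both copies and classifies each one. Beyond the version string it uses feature detection: the upstream 2.32.0 fix added `HTTPAdapter.get_connection_with_tls_context`, so that method's presence is treated as the fix indicator. This assumes a backport carries the same method; a distro patch that reworks the pool keying some other way would show up here as "vulnerable" and must be confirmed against the package changelog. Function names and the `FIXED_UPSTREAM` constant are this example's own.

```python
import importlib
import re
from typing import Dict, List, Tuple

# First upstream version with the connection-pool fix for CVE-2024-35195.
# 2.32.0 and 2.32.1 were yanked for regressions, but the fix is in them.
FIXED_UPSTREAM: Tuple[int, int, int] = (2, 32, 0)

# Where a copy of requests may live on an Ubuntu host: the python3-requests
# package and the copy vendored inside python-pip.
CANDIDATE_MODULES = ("requests", "pip._vendor.requests")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Parse the leading numeric part of a version ("2.31.0", "2.32.3",
    "2.25.1+dfsg") into a comparable tuple. Unparseable strings sort as
    (0, 0, 0) so they are reported rather than silently skipped."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return (0, 0, 0)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def verdict(version: str, tls_keyed: bool) -> str:
    """Classify one copy of requests.

    Ubuntu security updates keep the upstream version number (a patched
    2.31.0 still reports 2.31.0), so the version alone is not conclusive.
    `tls_keyed` is whether HTTPAdapter.get_connection_with_tls_context exists,
    the method the upstream fix introduced; assumed to survive a backport.
    """
    at_least_fixed = version_tuple(version) >= FIXED_UPSTREAM
    if tls_keyed:
        return "fixed" if at_least_fixed else "patched"
    if at_least_fixed:
        # Version says fixed but the fix method is absent: inspect by hand.
        return "inconclusive"
    return "vulnerable"


def inspect_copies(modules=CANDIDATE_MODULES) -> List[Dict[str, object]]:
    """Import each candidate copy of requests and classify it. Copies that are
    not installed are skipped; any other import failure is recorded, since a
    broken vendored copy is still worth knowing about."""
    findings: List[Dict[str, object]] = []
    for name in modules:
        try:
            mod = importlib.import_module(name)
            adapters = importlib.import_module(name + ".adapters")
        except ImportError:
            continue
        except Exception as exc:
            findings.append({"module": name, "error": repr(exc)})
            continue
        version = str(getattr(mod, "__version__", "0"))
        tls_keyed = hasattr(adapters.HTTPAdapter, "get_connection_with_tls_context")
        findings.append({
            "module": name,
            "version": version,
            "path": getattr(mod, "__file__", None),
            "tls_keyed": tls_keyed,
            "verdict": verdict(version, tls_keyed),
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_copies():
        print(finding)
```

Run it with the same interpreter the application uses (a venv can carry a third copy of requests that the system packages do not cover). A "patched" result for `pip._vendor.requests` on focal or earlier is what the note about the no-change rebuild of python-pip is checking for: the system requests may be fixed while the vendored copy inside pip is not.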

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
requests