Request 1092607: Submit python-requests - openSUSE Build Service

This request supersedes: request 1084497 (Show diff)

Overview

Request 1092607 accepted

- Delete requests-no-hardcoded-version.patch
- Security Update to 2.31.0 (bsc#1211674):
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Full details can be read in our Github Security Advisory
and CVE-2023-32681.

Created by dgarcia 12 months ago
In state accepted
Supersedes 1084497

Submit python-requests

Comments for request 1092607 0

Login required, please login in order to comment

Request History

dgarcia created request 12 months ago

- Delete requests-no-hardcoded-version.patch
- Security Update to 2.31.0 (bsc#1211674):
Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
forwarding of Proxy-Authorization headers to destination servers when
following HTTPS redirects.
When proxies are defined with user info (https://user:pass@proxy:8080), Requests
will construct a Proxy-Authorization header that is attached to the request to
authenticate with the proxy.
In cases where Requests receives a redirect response, it previously reattached
the Proxy-Authorization header incorrectly, resulting in the value being
sent through the tunneled connection to the destination server. Users who rely on
defining their proxy credentials in the URL are strongly encouraged to upgrade
to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
credentials once the change has been fully deployed.
Users who do not use a proxy or do not supply their proxy credentials through
the user information portion of their proxy URL are not subject to this
vulnerability.
Full details can be read in our Github Security Advisory
and CVE-2023-32681.

factory-auto added opensuse-review-team as a reviewer 12 months ago

Please review sources

factory-auto accepted review 12 months ago

Check script succeeded

licensedigger accepted review 12 months ago

ok

oertel accepted review 12 months ago

Accepted review for by_group opensuse-review-team request 1092607 from user factory-auto

anag+factory set openSUSE:Factory:Staging:B as a staging project 12 months ago

Being evaluated by staging project "openSUSE:Factory:Staging:B"

anag+factory accepted review 12 months ago

Picked "openSUSE:Factory:Staging:B"

dimstar_suse accepted review 12 months ago

Staging Project openSUSE:Factory:Staging:B got accepted.

dimstar_suse approved review 12 months ago

Staging Project openSUSE:Factory:Staging:B got accepted.

dimstar_suse accepted request 12 months ago

Staging Project openSUSE:Factory:Staging:B got accepted.

openSUSE Build Service is sponsored by