
[GHSA-9wx4-h78v-vm56] Requests Session object does not verify requests after making first request with verify=False #5071

@dbold dbold commented Dec 10, 2024

Updates

  • Affected products
  • Description

Comments
requests 2.32.0 and requests 2.32.1 have both been yanked from PyPI with the explanation

Yanked due to conflicts with CVE-2024-35195 mitigation

Which means they cannot be considered good versions for CVE-2024-35195. The 1st good version afterwards is 2.32.2.

See

@github (Collaborator) commented Dec 10, 2024

Hi there @nateprewitt! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to dbold/advisory-improvement-5071 December 10, 2024 19:27
@nateprewitt

This looks like a duplicate of #4468 with a provided explanation here. I would still hold the current versions listed are accurate but it seems there may be some community knowledge gaps causing confusion about how pip/PyPI work.

@dbold (Author) commented Dec 10, 2024

This looks like a duplicate of #4468 with a provided explanation here. I would still hold the current versions listed are accurate but it seems there may be some community knowledge gaps causing confusion about how pip/PyPI work.

Those two releases expressly mention on pypi

Yanked due to conflicts with CVE-2024-35195 mitigation

Now, this is not a very descriptive phrasing, but the CVE is there. Apparently there is a mitigation too, but there are also "conflicts". So... does the mitigation work? Are the conflicts making the mitigation ineffective? Are the conflicts causing breakages elsewhere?

The explanation for the yanking is just not clear at all. There is something odd with these 2 releases, and since people quite likely moved to 2.32.0 because of the CVE, it's really not encouraging.

I now see requests has not yanked any other version, ever! Why are these 2 versions special?

@nateprewitt

The releases were yanked due to an issue with the CVE mitigation and how the Python docker client subclassed our Adapters. This was done as a courtesy to users to help prevent pip from choosing the problematic versions unless expressly requested. This information is all included in the patch notes for the version superseding the yanked versions including links to the original issue in the referenced PR.

To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0. [...] (#6710)
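The connection-reuse bug in the advisory title, modelled in plain Python as an added illustration (this is not requests' own code): a pool keyed only on scheme, host and port hands a verify=False connection to a later verify=True request, while a key that also carries the TLS settings, which is what the 2.32.x fix behind the get_connection_with_tls_context API does, keeps the two apart. The class names and the hostname are constructed.

```python
"""Toy model of CVE-2024-35195 (pooled TLS connection reused across verify settings).

Added illustration, not code from requests. Both pools below stand in for the
urllib3 PoolManager that requests' HTTPAdapter draws connections from.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    """TLS settings are fixed when the connection is created; they cannot change later."""
    host: str
    port: int
    verify: bool
    cert: Optional[str] = None


class VulnerablePool:
    """Pool key is (scheme, host, port) only, so the first caller's TLS settings win."""

    def __init__(self):
        self._pools = {}

    def connection_from_host(self, host, port, verify=True, cert=None):
        key = ("https", host, port)
        if key not in self._pools:
            self._pools[key] = Connection(host, port, verify, cert)
        return self._pools[key]  # later callers' verify/cert are silently ignored


class FixedPool:
    """Pool key also carries verify and cert, so differing TLS settings never share a connection."""

    def __init__(self):
        self._pools = {}

    def connection_from_host(self, host, port, verify=True, cert=None):
        key = ("https", host, port, bool(verify), cert)
        if key not in self._pools:
            self._pools[key] = Connection(host, port, verify, cert)
        return self._pools[key]


def second_request_verify(pool):
    """Session-style scenario: first request disables verification, second wants it on.

    Returns the verify flag the second request actually ends up with."""
    pool.connection_from_host("example.test", 443, verify=False)  # constructed host
    second = pool.connection_from_host("example.test", 443, verify=True)
    return second.verify
```

With the vulnerable pool the second request silently inherits verify=False; with the fixed pool it gets its own verified connection.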

@dbold (Author) commented Dec 10, 2024

I see. May I suggest changing the yanked message?

Our CI builds show this warning:

WARNING: The candidate selected for download or install is a yanked version: 'requests' candidate (version 2.32.0...)
Reason for being yanked: Yanked due to conflicts with CVE-2024-35195 mitigation

... and it just does not inspire confidence.

Something like: Yanked due to breaking API change: get_connection is superseded by get_connection_with_tls_context as part of CVE hardening

@nateprewitt

We can take a look at changing the message. I think there may be a character limit which resulted in the brevity, but we'll confirm if that's correct.

@dbold (Author) commented Dec 10, 2024

Thank you. I'm closing this PR.

@dbold dbold closed this Dec 10, 2024
@github-actions github-actions bot deleted the dbold-GHSA-9wx4-h78v-vm56 branch December 10, 2024 21:22