Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2024-35195

Publication date 20 May 2024

Last updated 24 July 2024


Ubuntu priority

Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

Read the notes from the security team

Status

Package Ubuntu Release Status
python-pip 24.10 oracular
Vulnerable
24.04 LTS noble
Vulnerable
23.10 mantic Ignored end of life, was needed
22.04 LTS jammy
Vulnerable
20.04 LTS focal
Vulnerable
18.04 LTS bionic
Vulnerable
16.04 LTS xenial
Vulnerable
14.04 LTS trusty
Vulnerable
requests 24.10 oracular
Fixed 2.32.3+dfsg-1ubuntu1
24.04 LTS noble Ignored breaks users, requires source code updates
23.10 mantic Ignored end of life, was ignored [breaks users, requires source code updates]
22.04 LTS jammy Ignored breaks users, requires source code updates
20.04 LTS focal Ignored breaks users, requires source code updates
18.04 LTS bionic Ignored breaks users, requires source code updates
16.04 LTS xenial Ignored breaks users, requires source code updates
14.04 LTS trusty Ignored breaks users, requires source code updates

Notes


mdeslaur

On focal and earlier, the python-pip package bundles requests binaries when built. After updating requests, a no-change rebuild of python-pip is required. On jammy and later, requests is bundled in the python-pip package and needs to be patched. The fix for this issue introduced regressions in certain other applications, such as docker. See https://github.com/docker/docker-py/pull/3257 and resulted in 2.32.0 and 2.32.1 in being yanked, see: https://pypi.org/project/requests/#history 2.32.2 and 2.32.3 were subsequently released to fix those regressions. Even with the regression fixes in 2.32.2 and 2.32.3, fixing this may still break applications that subclass HTTPAdapter, for example, cloud-init. See: https://github.com/canonical/cloud-init/pull/5435


vyomydv

The CVE patch causes a regression. The patch enforced the URL scheme to be either `http` or `https`. This broke users that used a custom scheme (e.g. `http+docker`) by implementing a custom `get_connection` method but used the default `send` method. Patching this CVE would require some users to update their source code like: https://github.com/docker/docker-py/pull/3257

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
requests