Bug 33260

Summary: python-requests new security issue CVE-2024-35195
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, dan, geiger.david68210, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: python-requests CVE: CVE-2024-35195
Status comment: Really Fixed upstream in 2.32.3

Description Nicolas Salguero 2024-05-31 15:40:02 CEST 
SUSE has issued an advisory on May 31:
https://lists.suse.com/pipermail/sle-updates/2024-May/035430.html

The problem is fixed in 2.32.0.

Mageia 9 is also affected.
Nicolas Salguero 2024-05-31 15:40:23 CEST

Status comment: (none) => Fixed upstream in 2.32.0
CVE: (none) => CVE-2024-35195
Source RPM: (none) => python-requests-2.31.0-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 David GEIGER 2024-05-31 16:46:39 CEST 
Done for Cauldron!

CC: (none) => geiger.david68210
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Comment 2 David GEIGER 2024-05-31 16:47:26 CEST Comment hidden (obsolete)

Assignee: bugsquad => qa-bugs

katnatek 2024-06-01 03:49:07 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-06-01 04:06:35 CEST Comment hidden (obsolete)

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-06-01 04:41:06 CEST Comment hidden (obsolete)

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Dan Fandrich 2024-06-01 07:01:30 CEST 
I'm not sure ver. 2.32.0 actually fixes the issue. Pypi lists both 2.32.0 and 2.32.1 as being yanked due to "conflicts with CVE-2024-35195 mitigation". That listing shows 2.32.2 as being the first non-yanked release, with another release happening 8 days later.
https://pypi.org/project/requests/#history

CC: (none) => dan

Comment 6 Thomas Andrews 2024-06-01 13:18:27 CEST 
Good to know you have our backs, Dan. Using a "yanked" version doesn't make much sense, does it?

It sure reads like we should be using the first unyanked version, if not the latest one. At the very least, it needs another look.

Removing the OK, and validation. Katnatek, I'm removing the advisory keyword, as it looks like we need a different version.

Keywords: advisory, validated_update => (none)
Whiteboard: MGA9-64-OK => (none)

Comment 7 katnatek 2024-06-01 18:25:23 CEST 
(In reply to Thomas Andrews from comment #6)
> Good to know you have our backs, Dan. Using a "yanked" version doesn't make
> much sense, does it?
> 
> It sure reads like we should be using the first unyanked version, if not the
> latest one. At the very least, it needs another look.
> 
> Removing the OK, and validation. Katnatek, I'm removing the advisory
> keyword, as it looks like we need a different version.

Back to David then

Assignee: qa-bugs => geiger.david68210

Comment 8 David GEIGER 2024-06-01 19:31:04 CEST 
Assigning back to QA,

Packages in 9/Core/Updates_testing:
======================
python3-requests+socks-2.32.3-1.mga9.noarch.rpm
python3-requests-2.32.3-1.mga9.noarch.rpm

From SRPMS:
python-requests-2.32.3-1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 9 katnatek 2024-06-02 01:06:52 CEST 
RH mageia 9 x86_64

 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date


installing python3-requests-2.32.3-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-requests      ##################################################################################################
      1/1: removing python3-requests-2.32.0-1.mga9.noarch
                                 ##################################################################################################
[root@phoenix ~]# LC_ALL=C urpmi python3-requests+socks
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  python3-requests+socks         2.32.3       1.mga9        noarch  
(medium "Core Release (distrib1)")
  python3-pysocks                1.7.1        5.mga9        noarch  
124KB of additional disk space will be used.
40KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-pysocks-1.7.1-5.mga9.noarch.rpm
installing //home/katnatek/qa-testing/x86_64/python3-requests+socks-2.32.3-1.mga9.noarch.rpm                                        
/var/cache/urpmi/rpms/python3-pysocks-1.7.1-5.mga9.noarch.rpm
Preparing...                     ##################################################################################################
      1/2: python3-pysocks       ##################################################################################################
      2/2: python3-requests+socks
                                 ##################################################################################################

Reference Bug#32032 Comment#8 

python3 pyrequests_test1.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.183012040.1717282985 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=1GjxKmnvBpDIROhcrvwELV9wubmqmI3l8RO1%2FGEN%2Fi4uHqNEkgUdarqKBMn4CwkSVs%2Br9%2FynGrUMDvwJxVdwntTUfxRfQ34afBeVw9iwllQ88RFmNL47cjOtvW%2B0MF1WWYCmuC%2Fv2ON8Meb1c1BWLgE2yIxqVP2URBovTF8FTkExADeeG9ExfqHuz3im1aTsxNJjdsutvP6vO%2BaGzn5G2OmqeFzshG0RC0y0h77%2FsvJ74w3qmn%2FZHnvZ5NjNu2zRqrkEYaJUBsrJV6yGeSmfbg%3D%3D--jV%2FhzAFiUDnqTLuT--ykYyfjdy7QQNkHAdeMcdbA%3D%3D for github.com/>]>

python3 py3requests_test2.py 
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.1713642659.1717283042 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=EO7lryMo0iM9XDKqyyXvyuDocxTMl03pBX6r4JFFZ0mRgqfOTtYGgtPdy2TrPDGAkdmpI4xFv87hbzbIb2wSzJzNI4KFmajUeB6AU1xqMVT%2FnaKGXprDplvLNDvAO8zHv5LyytLVISWD7lEq2IeXBcq1kNTY1oNruJbGbKFMsbK37CpChWbJ%2BLW531SjB68CltWORV%2FAoG2mlZ8VDdammqvbXz0oJQ3aNk%2BBfXMLD5BFpC9q2JAHO923tIMS3a24XAvyVFBBSZ9eNeIyoKQcOw%3D%3D--QJ86CkMNhASVMXy6--1H8qJxdZVwexvEYTYCFzOA%3D%3D for github.com/>]>

Not understand the cve, neither how to reproduce nor confirm is fixed

Whiteboard: (none) => MGA9-64-OK

Comment 10 katnatek 2024-06-02 01:16:01 CEST 
Advisory updated

Source RPM: python-requests-2.31.0-2.mga10.src.rpm => python-requests
Keywords: (none) => advisory

katnatek 2024-06-02 01:21:22 CEST

Status comment: Fixed upstream in 2.32.0 => Really Fixed upstream in 2.32.3

Comment 11 katnatek 2024-06-02 01:39:29 CEST 
Among others, mock requires this, start a build and not look to produce side effects
Comment 12 Thomas Andrews 2024-06-02 13:30:07 CEST 
Validating.

Keywords: (none) => validated_update

Comment 13 Dan Fandrich 2024-06-03 20:04:39 CEST 
Tested with my own Python application without issue.
Comment 14 Mageia Robot 2024-06-03 20:32:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0210.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED