SUSE has issued an advisory on May 31: https://lists.suse.com/pipermail/sle-updates/2024-May/035430.html The problem is fixed in 2.32.0. Mageia 9 is also affected.
Status comment: (none) => Fixed upstream in 2.32.0
CVE: (none) => CVE-2024-35195
Source RPM: (none) => python-requests-2.31.0-2.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
Done for Cauldron!
CC: (none) => geiger.david68210
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Assigning to QA.

Packages in 9/Core/Updates_testing:
======================
python3-requests+socks-2.32.0-1.mga9.noarch.rpm
python3-requests-2.32.0-1.mga9.noarch.rpm

From SRPMS:
python-requests-2.32.0-1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Keywords: (none) => advisory
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing python3-requests-2.32.0-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
      1/1: python3-requests ##################################################################################################
      1/1: removing python3-requests-2.31.0-2.mga9.noarch ##################################################################################################

LC_ALL=C urpmi python3-requests+socks
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  python3-requests+socks         2.32.0       1.mga9        noarch
(medium "Core Release (distrib1)")
  python3-pysocks                1.7.1        5.mga9        noarch
124KB of additional disk space will be used.
40KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-pysocks-1.7.1-5.mga9.noarch.rpm
installing //home/katnatek/qa-testing/x86_64/python3-requests+socks-2.32.0-1.mga9.noarch.rpm /var/cache/urpmi/rpms/python3-pysocks-1.7.1-5.mga9.noarch.rpm
Preparing... ##################################################################################################
      1/2: python3-pysocks ##################################################################################################
      2/2: python3-requests+socks ##################################################################################################

Reference Bug#32032 Comment#8

python3 pyrequests_test1.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.2083242251.1717207462 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=IT8GzXbfPflE9kHT%2FKGsB8qNowZTvdwiOCzGaifLnaagn9XOL0yMuW%2Fk9dgfTDeo4v4uhulq1FAPh%2ByZqNJGt0DLy7MePonvL9I05%2BZuc7tVOmtwuVzevn32ezlDLoccpm2PBofWgTj2ABIKzLhvyDPgQH4wQSQ%2BGCnqvKc6vmMcD2xmJGNxNaa3EiQuo8GO8n0oMSJWADVqL4iZKxQ9BGTwtI2Uf6HBXadkUWYIWAToILLVfffyMVTRXksOxfasO01t5H6iCV21Rv754jGfXQ%3D%3D--nRa%2BKH6LVRA%2F0dma--jdfQkVojwCJPtu1HX6%2Fahg%3D%3D for github.com/>]>

python3 py3requests_test2.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.23337777.1717207515 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=gqUDFjq7LWuHttSgRcrY1EhIZynaWCSqUoq%2FKtDA%2BqdjGpGXnc68tNHNQax6y66PdkV7qyZWwbzOOzwGimQ1Zoiv4cmU8bIVi5w%2F6noe9GaVROYE4vwV4pRI1GsBuaRugj1yll8nAgx1qUi0LbB%2BacsIIUWmPHPW5iVoXctF4iXO6z6aJ1rwt5XYaKSmQelXPhf7KAUyK%2BXs%2F8LyGXuq9Vy7%2Bmg%2F2Q1a9t9FVQf3hNT42vv1HJlXXUJCbFkL1%2B4fUGsmBMIjdxSyaPuTFdLQNw%3D%3D--gZzRq0MHi%2B%2FKyq8X--EmG6XDxhMBTO2lZYOe0ODQ%3D%3D for github.com/>]>

Looks good to me.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
I'm not sure ver. 2.32.0 actually fixes the issue. PyPI lists both 2.32.0 and 2.32.1 as being yanked due to "conflicts with CVE-2024-35195 mitigation". That listing shows 2.32.2 as being the first non-yanked release, with another release happening 8 days later.

https://pypi.org/project/requests/#history
CC: (none) => dan
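The check Dan made by hand above, as an added example that is not Mageia's or the requests project's code: PyPI's JSON API (https://pypi.org/pypi/<project>/json) carries a per-file "yanked" flag and "yanked_reason", and a packager can read those before picking a version to ship. The release index below is constructed for this example from the versions named in this bug; the yanked reasons are the ones quoted in the comment, the flags and the file lists are assumed, not fetched. `fetch_release_index` is only there for online use and is not exercised by the offline checks.

```python
"""Pick a non-yanked release from PyPI's release index (added example)."""
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the PyPI JSON layout: "releases" maps a
# version to its uploaded files; each file carries "yanked"/"yanked_reason".
SAMPLE_RELEASE_INDEX: Dict = {
    "releases": {
        "2.31.0": [{"yanked": False, "yanked_reason": None}],
        "2.32.0": [{"yanked": True,
                    "yanked_reason": "conflicts with CVE-2024-35195 mitigation"}],
        "2.32.1": [{"yanked": True,
                    "yanked_reason": "conflicts with CVE-2024-35195 mitigation"}],
        "2.32.2": [{"yanked": False, "yanked_reason": None}],
        "2.32.3": [{"yanked": False, "yanked_reason": None}],
    }
}


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Parse a plain dotted release such as '2.32.3' into a comparable tuple.

    Pre-releases and other PEP 440 forms return None; the helpers below skip
    them, since a distro update would not ship one anyway."""
    parts = version.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def yank_status(index: Dict, version: str) -> Tuple[bool, Optional[str]]:
    """Return (is_yanked, reason) for one release.

    PyPI records the flag per uploaded file; a release counts as yanked here
    only when every file is yanked.  A release with no files is not
    installable, so it is reported as yanked with an explanatory reason."""
    files: List[Dict] = index["releases"][version]  # KeyError for an unknown version
    if not files:
        return True, "release has no files"
    if all(f.get("yanked", False) for f in files):
        reasons = [f.get("yanked_reason") for f in files if f.get("yanked_reason")]
        return True, (reasons[0] if reasons else None)
    return False, None


def first_unyanked_at_or_above(index: Dict, minimum: str) -> Optional[str]:
    """Lowest plain release >= minimum that is not yanked, or None if none."""
    floor = parse_version(minimum)
    if floor is None:
        raise ValueError(f"minimum must be a plain dotted version: {minimum!r}")
    candidates = []
    for version in index["releases"]:
        parsed = parse_version(version)
        if parsed is not None and parsed >= floor:
            candidates.append((parsed, version))
    for _, version in sorted(candidates):
        if not yank_status(index, version)[0]:
            return version
    return None


def fetch_release_index(project: str, timeout: float = 10.0) -> Dict:
    """Fetch the live index for `project`; network use only, not run here."""
    url = f"https://pypi.org/pypi/{project}/json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for candidate in ("2.32.0", "2.32.3"):
        yanked, reason = yank_status(SAMPLE_RELEASE_INDEX, candidate)
        print(f"{candidate}: {'YANKED: ' + str(reason) if yanked else 'ok'}")
    print("first usable >= 2.32.0:",
          first_unyanked_at_or_above(SAMPLE_RELEASE_INDEX, "2.32.0"))
```

Against the sample index this reports 2.32.0 as yanked with the CVE-2024-35195 reason and picks 2.32.2 as the first usable release at or above 2.32.0, which is the conclusion the thread reached; running `first_unyanked_at_or_above(fetch_release_index("requests"), "2.32.0")` repeats the check against the live index.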
Good to know you have our backs, Dan. Using a "yanked" version doesn't make much sense, does it? It sure reads like we should be using the first unyanked version, if not the latest one. At the very least, it needs another look. Removing the OK, and validation. Katnatek, I'm removing the advisory keyword, as it looks like we need a different version.
Keywords: advisory, validated_update => (none)
Whiteboard: MGA9-64-OK => (none)
(In reply to Thomas Andrews from comment #6)
> Good to know you have our backs, Dan. Using a "yanked" version doesn't make
> much sense, does it?
>
> It sure reads like we should be using the first unyanked version, if not the
> latest one. At the very least, it needs another look.
>
> Removing the OK, and validation. Katnatek, I'm removing the advisory
> keyword, as it looks like we need a different version.

Back to David then.
Assignee: qa-bugs => geiger.david68210
Assigning back to QA.

Packages in 9/Core/Updates_testing:
======================
python3-requests+socks-2.32.3-1.mga9.noarch.rpm
python3-requests-2.32.3-1.mga9.noarch.rpm

From SRPMS:
python-requests-2.32.3-1.mga9.src.rpm
Assignee: geiger.david68210 => qa-bugs
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date
installing python3-requests-2.32.3-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
      1/1: python3-requests ##################################################################################################
      1/1: removing python3-requests-2.32.0-1.mga9.noarch ##################################################################################################

[root@phoenix ~]# LC_ALL=C urpmi python3-requests+socks
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "QA Testing (64-bit)")
  python3-requests+socks         2.32.3       1.mga9        noarch
(medium "Core Release (distrib1)")
  python3-pysocks                1.7.1        5.mga9        noarch
124KB of additional disk space will be used.
40KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-pysocks-1.7.1-5.mga9.noarch.rpm
installing //home/katnatek/qa-testing/x86_64/python3-requests+socks-2.32.3-1.mga9.noarch.rpm /var/cache/urpmi/rpms/python3-pysocks-1.7.1-5.mga9.noarch.rpm
Preparing... ##################################################################################################
      1/2: python3-pysocks ##################################################################################################
      2/2: python3-requests+socks ##################################################################################################

Reference Bug#32032 Comment#8

python3 pyrequests_test1.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.183012040.1717282985 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=1GjxKmnvBpDIROhcrvwELV9wubmqmI3l8RO1%2FGEN%2Fi4uHqNEkgUdarqKBMn4CwkSVs%2Br9%2FynGrUMDvwJxVdwntTUfxRfQ34afBeVw9iwllQ88RFmNL47cjOtvW%2B0MF1WWYCmuC%2Fv2ON8Meb1c1BWLgE2yIxqVP2URBovTF8FTkExADeeG9ExfqHuz3im1aTsxNJjdsutvP6vO%2BaGzn5G2OmqeFzshG0RC0y0h77%2FsvJ74w3qmn%2FZHnvZ5NjNu2zRqrkEYaJUBsrJV6yGeSmfbg%3D%3D--jV%2FhzAFiUDnqTLuT--ykYyfjdy7QQNkHAdeMcdbA%3D%3D for github.com/>]>

python3 py3requests_test2.py
[<Response [301]>]
https://github.com/
200
<RequestsCookieJar[<Cookie _octo=GH1.1.1713642659.1717283042 for .github.com/>, <Cookie logged_in=no for .github.com/>, <Cookie _gh_sess=EO7lryMo0iM9XDKqyyXvyuDocxTMl03pBX6r4JFFZ0mRgqfOTtYGgtPdy2TrPDGAkdmpI4xFv87hbzbIb2wSzJzNI4KFmajUeB6AU1xqMVT%2FnaKGXprDplvLNDvAO8zHv5LyytLVISWD7lEq2IeXBcq1kNTY1oNruJbGbKFMsbK37CpChWbJ%2BLW531SjB68CltWORV%2FAoG2mlZ8VDdammqvbXz0oJQ3aNk%2BBfXMLD5BFpC9q2JAHO923tIMS3a24XAvyVFBBSZ9eNeIyoKQcOw%3D%3D--QJ86CkMNhASVMXy6--1H8qJxdZVwexvEYTYCFzOA%3D%3D for github.com/>]>

I don't understand the CVE, neither how to reproduce it nor how to confirm it is fixed.
Whiteboard: (none) => MGA9-64-OK
Advisory updated
Source RPM: python-requests-2.31.0-2.mga10.src.rpm => python-requests
Keywords: (none) => advisory
Status comment: Fixed upstream in 2.32.0 => Really Fixed upstream in 2.32.3
Among others, mock requires this; I started a build and it does not look to produce side effects.
Keywords: (none) => validated_update
Tested with my own Python application without issue.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0210.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED