Security update for python-requests SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20034-1 Final 1 1 2025-02-03T08:52:32Z current 2025-02-03T08:52:32Z 2025-02-03T08:52:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-requests This update for python-requests fixes the following issues: - Update to 2.32.2 * To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0. - Update to 2.32.1 * Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value of verify. (bsc#1224788, CVE-2024-35195) * verify=True now reuses a global SSLContext which should improve request time variance between first and subsequent requests. * Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their vendoring surface area. * Requests has officially added support for CPython 3.12 and dropped support for CPython 3.7. * Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build system using hatchling. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-28 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520034-1/ Link for SUSE-SU-2025:20034-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021347.html E-Mail link for SUSE-SU-2025:20034-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1224788 SUSE Bug 1224788 https://www.suse.com/security/cve/CVE-2024-35195/ SUSE CVE CVE-2024-35195 page SUSE Linux Micro 6.0 python311-requests-2.32.2-1.1 python311-requests-2.32.2-1.1 as a component of SUSE Linux Micro 6.0 Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0. CVE-2024-35195 SUSE Linux Micro 6.0:python311-requests-2.32.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520034-1/ https://www.suse.com/security/cve/CVE-2024-35195.html CVE-2024-35195 https://bugzilla.suse.com/1224788 SUSE Bug 1224788