Bug 2282114 (CVE-2024-35195)
Summary: | CVE-2024-35195 requests: subsequent requests to the same host ignore cert verification |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | ybuenos |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abarbaro, adudiak, agarcial, ahrabovs, anthomas, aoconnor, apevec, aprice, asegurap, aucunnin, bbuckingham, bcourt, bdettelb, brking, caswilli, cdaley, crizzo, cstratak, davidn, dfreiber, dkuc, doconnor, dranck, drow, eglynn, ehelms, epacific, fjansen, ggainey, gtanzill, haoli, hhorak, hkataria, jajackso, jburrell, jcammara, jchui, jdobes, jhardy, jhe, jjoyce, jmitchel, jneedle, jobarker, jorton, jsamir, jschluet, jsherril, jtanner, juwatts, jweng, jwong, kaycoth, kegrant, kholdawa, koliveir, kshier, ktsao, lbalhar, lcouzens, lhh, lsvaty, lzap, mabashia, mburns, mgarciac, mhroncok, mhulan, mminar, mpierce, mskarbek, mstoklus, nboldt, nmoumoul, oezr, omaciel, orabin, osousa, pbraun, pcreech, pgrist, psegedy, psrna, python-maint, rbiba, rbobbitt, rchan, rhos-maint, rtaniwa, shvarugh, sidakwo, simaishi, smallamp, smcdonal, sskracic, stcannon, sthirugn, teagle, tfister, thavo, tkral, torsava, vkrizan, vkumar, xiaoxwan, yguenane, zsadeh, zzhou |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | requests 2.32.0 | Doc Type: | If docs needed, set a value |
Doc Text: | An incorrect control flow implementation vulnerability was found in Requests. If the first request in a Session is made with verify=False, all subsequent requests to the same host over that Session's pooled connection continue to ignore certificate verification, regardless of the verify value passed later, for the lifetime of the pooled connection. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2282117, 2282118, 2282120, 2282123, 2282124, 2282125, 2282115, 2282116, 2282119, 2282121, 2282122, 2282126, 2282127, 2282128, 2282129, 2282130, 2282131, 2282132, 2282133, 2282134, 2282135, 2282136, 2282137, 2282138, 2282139, 2282140, 2282141, 2282142, 2282143, 2282144, 2282145, 2282146, 2282147, 2282148, 2282149, 2282150, 2282151, 2282152, 2282153, 2282154, 2282155, 2282156, 2282157, 2282158, 2282159, 2282160, 2282161, 2282162, 2282189, 2282192, 2282193, 2282205, 2282207, 2282208, 2282210, 2282211 | ||
Bug Blocks: | 2282194 |
Description
ybuenos
2024-05-21 10:25:09 UTC
Created cascadia-code-fonts tracking bugs for this issue:
Affects: fedora-all [bug 2282126]

Created copr-cli tracking bugs for this issue:
Affects: epel-all [bug 2282115]
Affects: fedora-all [bug 2282127]

Created crosswords tracking bugs for this issue:
Affects: fedora-all [bug 2282128]

Created crosswords-puzzle-sets-xword-dl tracking bugs for this issue:
Affects: fedora-all [bug 2282129]

Created duplicity tracking bugs for this issue:
Affects: fedora-all [bug 2282130]

Created espresso tracking bugs for this issue:
Affects: epel-all [bug 2282116]
Affects: fedora-all [bug 2282131]

Created google-roboto-mono-fonts tracking bugs for this issue:
Affects: fedora-all [bug 2282132]

Created mingw-python-OWSLib tracking bugs for this issue:
Affects: fedora-all [bug 2282133]

Created mrsw-biz-udgothic-fonts tracking bugs for this issue:
Affects: fedora-all [bug 2282134]

Created mrsw-biz-udmincho-fonts tracking bugs for this issue:
Affects: fedora-all [bug 2282135]

Created ndiscover-exo-2-fonts tracking bugs for this issue:
Affects: fedora-all [bug 2282136]

Created oci-cli tracking bugs for this issue:
Affects: fedora-all [bug 2282137]

Created pipenv tracking bugs for this issue:
Affects: fedora-all [bug 2282138]

Created protonvpn-cli tracking bugs for this issue:
Affects: epel-all [bug 2282117]

Created proxysql tracking bugs for this issue:
Affects: epel-all [bug 2282118]

Created pypy tracking bugs for this issue:
Affects: fedora-all [bug 2282139]

Created python-WSGIProxy2 tracking bugs for this issue:
Affects: fedora-all [bug 2282140]

Created python-ansible-compat tracking bugs for this issue:
Affects: fedora-all [bug 2282141]

Created python-astral tracking bugs for this issue:
Affects: epel-all [bug 2282119]

Created python-botocore tracking bugs for this issue:
Affects: fedora-all [bug 2282142]

Created python-container-inspector tracking bugs for this issue:
Affects: fedora-all [bug 2282143]

Created python-dbus-next tracking bugs for this issue:
Affects: fedora-all [bug 2282144]

Created python-debian-inspector tracking bugs for this issue:
Affects: fedora-all [bug 2282145]

Created python-docker tracking bugs for this issue:
Affects: fedora-all [bug 2282146]

Created python-extractcode tracking bugs for this issue:
Affects: fedora-all [bug 2282147]

Created python-fedbadges tracking bugs for this issue:
Affects: epel-all [bug 2282120]

Created python-ffmpeg-python tracking bugs for this issue:
Affects: fedora-all [bug 2282148]

Created python-flake8-builtins tracking bugs for this issue:
Affects: fedora-all [bug 2282149]

Created python-mercantile tracking bugs for this issue:
Affects: fedora-all [bug 2282150]

Created python-molecule tracking bugs for this issue:
Affects: fedora-all [bug 2282151]

Created python-nuheat tracking bugs for this issue:
Affects: epel-all [bug 2282121]
Affects: fedora-all [bug 2282152]

Created python-pip tracking bugs for this issue:
Affects: fedora-all [bug 2282153]

Created python-pip-epel tracking bugs for this issue:
Affects: epel-all [bug 2282122]

Created python-plugincode tracking bugs for this issue:
Affects: fedora-all [bug 2282154]

Created python-pygments-better-html tracking bugs for this issue:
Affects: fedora-all [bug 2282155]

Created python-pyvirtualize tracking bugs for this issue:
Affects: epel-all [bug 2282123]

Created python-tornado tracking bugs for this issue:
Affects: fedora-all [bug 2282156]

Created python-typecode tracking bugs for this issue:
Affects: fedora-all [bug 2282157]

Created python3-docker tracking bugs for this issue:
Affects: epel-all [bug 2282124]

Created rpm-head-signing tracking bugs for this issue:
Affects: fedora-all [bug 2282158]

Created rst2pdf tracking bugs for this issue:
Affects: fedora-all [bug 2282159]

Created scap-security-guide tracking bugs for this issue:
Affects: fedora-all [bug 2282160]

Created sorkintype-merriweather-fonts tracking bugs for this issue:
Affects: fedora-all [bug 2282161]

Created sorkintype-merriweather-sans-fonts tracking bugs for this issue:
Affects: fedora-all [bug 2282162]

Created transifex-client tracking bugs for this issue:
Affects: epel-all [bug 2282125]

Created pipenv tracking bugs for this issue:
Affects: fedora-all [bug 2282189]

Why is this reported to packages requiring python3-requests?

Created python-requests tracking bugs for this issue:
Affects: fedora-all [bug 2282205]

In pip (where requests is bundled) there are only two possibilities to handle specific needs related to SSL certificates: --trusted-host and --cert options. --trusted-host makes a host trusted, which disables SSL certificate verification for the specific host:port combination and all connections to that host. That makes the CVE, according to its description, irrelevant, because we trust all connections to that host and there is no way to disable verification for the first one and require it for the rest. --cert can be used to specify a custom certificate store. Therefore, I'm going to close all trackers for pip.

This issue has been addressed in the following products:
  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781

This issue has been addressed in the following products:
  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:4522 https://access.redhat.com/errata/RHSA-2024:4522

This issue has been addressed in the following products:
  Red Hat OpenStack Platform 17.1 for RHEL 8
Via RHSA-2024:9988 https://access.redhat.com/errata/RHSA-2024:9988

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2025:0012 https://access.redhat.com/errata/RHSA-2025:0012

This issue has been addressed in the following products:
  RHUI 4 for RHEL 8
Via RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2025:7049 https://access.redhat.com/errata/RHSA-2025:7049
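The Doc Text above describes the control-flow defect but not why it happens, so here is a stand-alone model of it. This is an added example, not code from the bug, from Requests or from urllib3: the classes Connection, PoolManager and Session are simplified stand-ins chosen for readability, and the requirements lines fed to vulnerable_pins() are constructed. What it shows is the mechanism behind the advisory: a Session reuses one pooled connection per origin, the connection's certificate verification is fixed when it is created, and if the pool key does not distinguish verifying from non-verifying connections, a first request with verify=False leaves a non-verifying connection in the pool that later verify=True requests to the same host silently reuse. The "fixed" variant keys the pool on the verify setting as well, which is the general shape of the 2.32.0 fix (the real change lives in how Requests passes TLS settings to urllib3's pool manager; the tuple key here is a model, not that code). The version threshold comes from the "Fixed In Version: requests 2.32.0" field on this page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# From the bug's "Fixed In Version" field; exact pins below this are affected.
FIXED_VERSION = (2, 32, 0)


@dataclass
class Connection:
    """One pooled TLS connection (model). Whether the peer certificate is
    verified is decided when the socket is wrapped, so it cannot change
    on a per-request basis afterwards."""
    origin: tuple
    verify: bool
    uses: int = 0

    def send(self, path: str) -> dict:
        self.uses += 1
        return {"origin": self.origin, "path": path, "verified": self.verify}


class PoolManager:
    """Caches one Connection per pool key (model). The only difference between
    the vulnerable and the fixed variant is whether `verify` is part of the key."""

    def __init__(self, key_includes_verify: bool):
        self.key_includes_verify = key_includes_verify
        self._pools: dict = {}

    def connection_from_url(self, url: str, verify: bool) -> Connection:
        parts = urlsplit(url)
        origin = (parts.scheme, parts.hostname, parts.port or 443)
        key = origin + ((verify,) if self.key_includes_verify else ())
        conn = self._pools.get(key)
        if conn is None:
            conn = Connection(origin, verify)
            self._pools[key] = conn
        return conn


class Session:
    """Hypothetical Session: hands every request to the pool for its origin."""

    def __init__(self, fixed: bool):
        self.pool = PoolManager(key_includes_verify=fixed)

    def get(self, url: str, verify: bool = True) -> dict:
        conn = self.pool.connection_from_url(url, verify)
        return conn.send(urlsplit(url).path or "/")


def verification_trace(fixed: bool) -> list:
    """Replay the advisory's scenario: first request verify=False, later ones
    verify=True. Returns whether each request was actually verified."""
    s = Session(fixed)
    requests_made = [
        ("https://api.example.test/login", False),    # one-off dev shortcut
        ("https://api.example.test/transfer", True),  # caller asked for verification
        ("https://other.example.test/health", True),  # different host: own pool
    ]
    return [s.get(url, verify=v)["verified"] for url, v in requests_made]


_PIN = re.compile(r"^\s*requests\s*==\s*(\d+)\.(\d+)(?:\.(\d+))?", re.I)
_ANY_SPEC = re.compile(r"^\s*requests(\s|$|\[|[<>~!=])", re.I)


def vulnerable_pins(requirements_text: str) -> list:
    """Supply-chain check: list `requests==` pins older than FIXED_VERSION.
    Range or unpinned specs are reported as unknown, because the resolved
    version cannot be decided offline. Lines for other packages whose names
    merely start with 'requests' (e.g. requests-oauthlib) are ignored."""
    out = []
    for line in requirements_text.splitlines():
        m = _PIN.match(line)
        if m:
            ver = tuple(int(x or 0) for x in m.groups())
            if ver < FIXED_VERSION:
                out.append(line.strip())
        elif _ANY_SPEC.match(line):
            out.append(line.strip() + "  # unknown: not an exact pin")
    return out


if __name__ == "__main__":
    print("vulnerable pool :", verification_trace(fixed=False))
    print("fixed pool      :", verification_trace(fixed=True))
    # Constructed requirements file for the check.
    print(vulnerable_pins("requests==2.31.0\nrequests-oauthlib==1.3.1\nurllib3>=2\n"))
```

In the vulnerable variant the second request reports verified=False even though it passed verify=True, while the third (a different host) is unaffected, which matches the "same host" wording of the summary. The practical remediation is the one the bug records: move to requests 2.32.0 or later; until then, never mix verify values inside one Session, and treat any verify=False in code that later talks to the same host over the same Session as disabling verification for that host entirely.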