Latest version in the Gentoo tree is 3.2.1 and the latest version in upstream is 3.2.2. Before updating, it should probably be checked whether this vulnerability has been patched.

https://www.cve.org/CVERecord?id=CVE-2023-48052
https://gxx777.github.io/HTTPie_3.2.2_Cryptographic_API_Misuse_Vulnerability.md

Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

Expected Behavior: The expected behavior for any HTTPS connection is that the client should validate the SSL certificate provided by the server to ensure it is trusted, not expired, and matches the requested hostname. Additionally, any HTTPS warnings should be displayed to the user, rather than being disabled, to avoid security oversights.

Actual Behavior: The actual behavior observed in the code indicates that SSL certificate validation may not be properly enforced. Furthermore, HTTPS warnings that are essential for debugging and security awareness are not displayed, potentially causing users to remain unaware of misconfigured or insecure SSL implementations.
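A check of the kind the report asks for, as an added example that is not part of the original report or of HTTPie's code: a small AST scan for the Python TLS-verification misuse patterns the CVE description names (verification switched off, HTTPS warnings silenced), run over a constructed sample rather than HTTPie's real source.

```python
import ast

# Constructed sample modelled on the patterns the CVE description names;
# this is NOT HTTPie's source. Line 8 is the correct usage and must not be flagged.
SAMPLE_SOURCE = '''
import ssl, requests, urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
r = requests.get("https://example.invalid/", verify=False)
ok = requests.get("https://example.invalid/", verify=True)
'''

def _dotted(node):
    """Return a dotted name for Name/Attribute chains (e.g. 'ssl.CERT_NONE'), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _is_false(node):
    return isinstance(node, ast.Constant) and node.value is False

def find_tls_misuse(source):
    """Return sorted (line, description) pairs for TLS-verification misuse in Python source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func) or ""
            # urllib3.disable_warnings(...) hides InsecureRequestWarning from the user
            if name.endswith("disable_warnings"):
                findings.append((node.lineno, "HTTPS warnings disabled"))
            # requests.get(..., verify=False) skips certificate validation entirely
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    findings.append((node.lineno, "verify=False"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                tname = _dotted(target) or ""
                # ctx.check_hostname = False drops the hostname match
                if tname.endswith(".check_hostname") and _is_false(node.value):
                    findings.append((node.lineno, "check_hostname = False"))
                # ctx.verify_mode = ssl.CERT_NONE drops chain validation
                if tname.endswith(".verify_mode") and (_dotted(node.value) or "").endswith("CERT_NONE"):
                    findings.append((node.lineno, "verify_mode = CERT_NONE"))
    return sorted(findings)
```

Run it over the package's source tree before updating to see whether any of these patterns remain; an empty result for a file means none of the named misuses appear in it.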
Created httpie tracking bugs for this issue:

Affects: epel-all [bug 2250164]
Affects: fedora-all [bug 2250165]
Interestingly, I cannot locate any upstream issue about this. Why is the version packaged in Gentoo relevant here?
mhroncok, yes, I just realized there are no upstream issues/comments around this. This was filed in order to inform; please feel free to close it if you find that it does not apply to the upstream version. My apologies.
Upstream has not answered any queries: https://github.com/httpie/cli/issues/1588