Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
https://github.com/psf/requests/pull/6655
https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
Created cascadia-code-fonts tracking bugs for this issue: Affects: fedora-all [bug 2282126]
Created copr-cli tracking bugs for this issue: Affects: epel-all [bug 2282115] Affects: fedora-all [bug 2282127]
Created crosswords tracking bugs for this issue: Affects: fedora-all [bug 2282128]
Created crosswords-puzzle-sets-xword-dl tracking bugs for this issue: Affects: fedora-all [bug 2282129]
Created duplicity tracking bugs for this issue: Affects: fedora-all [bug 2282130]
Created espresso tracking bugs for this issue: Affects: epel-all [bug 2282116] Affects: fedora-all [bug 2282131]
Created google-roboto-mono-fonts tracking bugs for this issue: Affects: fedora-all [bug 2282132]
Created mingw-python-OWSLib tracking bugs for this issue: Affects: fedora-all [bug 2282133]
Created mrsw-biz-udgothic-fonts tracking bugs for this issue: Affects: fedora-all [bug 2282134]
Created mrsw-biz-udmincho-fonts tracking bugs for this issue: Affects: fedora-all [bug 2282135]
Created ndiscover-exo-2-fonts tracking bugs for this issue: Affects: fedora-all [bug 2282136]
Created oci-cli tracking bugs for this issue: Affects: fedora-all [bug 2282137]
Created pipenv tracking bugs for this issue: Affects: fedora-all [bug 2282138]
Created protonvpn-cli tracking bugs for this issue: Affects: epel-all [bug 2282117]
Created proxysql tracking bugs for this issue: Affects: epel-all [bug 2282118]
Created pypy tracking bugs for this issue: Affects: fedora-all [bug 2282139]
Created python-WSGIProxy2 tracking bugs for this issue: Affects: fedora-all [bug 2282140]
Created python-ansible-compat tracking bugs for this issue: Affects: fedora-all [bug 2282141]
Created python-astral tracking bugs for this issue: Affects: epel-all [bug 2282119]
Created python-botocore tracking bugs for this issue: Affects: fedora-all [bug 2282142]
Created python-container-inspector tracking bugs for this issue: Affects: fedora-all [bug 2282143]
Created python-dbus-next tracking bugs for this issue: Affects: fedora-all [bug 2282144]
Created python-debian-inspector tracking bugs for this issue: Affects: fedora-all [bug 2282145]
Created python-docker tracking bugs for this issue: Affects: fedora-all [bug 2282146]
Created python-extractcode tracking bugs for this issue: Affects: fedora-all [bug 2282147]
Created python-fedbadges tracking bugs for this issue: Affects: epel-all [bug 2282120]
Created python-ffmpeg-python tracking bugs for this issue: Affects: fedora-all [bug 2282148]
Created python-flake8-builtins tracking bugs for this issue: Affects: fedora-all [bug 2282149]
Created python-mercantile tracking bugs for this issue: Affects: fedora-all [bug 2282150]
Created python-molecule tracking bugs for this issue: Affects: fedora-all [bug 2282151]
Created python-nuheat tracking bugs for this issue: Affects: epel-all [bug 2282121] Affects: fedora-all [bug 2282152]
Created python-pip tracking bugs for this issue: Affects: fedora-all [bug 2282153]
Created python-pip-epel tracking bugs for this issue: Affects: epel-all [bug 2282122]
Created python-plugincode tracking bugs for this issue: Affects: fedora-all [bug 2282154]
Created python-pygments-better-html tracking bugs for this issue: Affects: fedora-all [bug 2282155]
Created python-pyvirtualize tracking bugs for this issue: Affects: epel-all [bug 2282123]
Created python-tornado tracking bugs for this issue: Affects: fedora-all [bug 2282156]
Created python-typecode tracking bugs for this issue: Affects: fedora-all [bug 2282157]
Created python3-docker tracking bugs for this issue: Affects: epel-all [bug 2282124]
Created rpm-head-signing tracking bugs for this issue: Affects: fedora-all [bug 2282158]
Created rst2pdf tracking bugs for this issue: Affects: fedora-all [bug 2282159]
Created scap-security-guide tracking bugs for this issue: Affects: fedora-all [bug 2282160]
Created sorkintype-merriweather-fonts tracking bugs for this issue: Affects: fedora-all [bug 2282161]
Created sorkintype-merriweather-sans-fonts tracking bugs for this issue: Affects: fedora-all [bug 2282162]
Created transifex-client tracking bugs for this issue: Affects: epel-all [bug 2282125]
Created pipenv tracking bugs for this issue: Affects: fedora-all [bug 2282189]
Why is this reported to packages requiring python3-requests?
Created python-requests tracking bugs for this issue: Affects: fedora-all [bug 2282205]
In pip (where requests is bundled) there are only two possibilities to handle specific needs related to SSL certificates: the --trusted-host and --cert options. --trusted-host makes a host trusted, which disables SSL certificate verification for the specific host:port combination and all connections to that host. That makes the CVE, according to its description, irrelevant, because we trust all connections to that host and there is no way to disable verification for the first one and require it for the rest. --cert can be used to specify a custom certificate store. Therefore, I'm going to close all trackers for pip.
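A triage aid for the question this thread keeps returning to, whether a package that depends on Requests actually uses the pattern in the description. This is an added example, not code from Requests, pip or Red Hat; `is_affected`, `find_risky_calls` and the sample source are hypothetical names and constructed input. It flags per-request `verify=False` on a `Session` variable and compares a version string against 2.32.0.

```python
import ast
import re

FIXED = (2, 32, 0)  # first fixed Requests release, per the advisory text
HTTP_METHODS = {"request", "get", "post", "put", "patch", "delete", "head", "options"}

# Constructed sample of a dependent package's code (hosts are placeholders).
SAMPLE = '''
import requests
s = requests.Session()
s.get("https://internal.example/health", verify=False)
s.get("https://internal.example/secrets")
requests.get("https://other.example/", verify=False)
'''

def is_affected(version):
    """True when a Requests version string is older than 2.32.0."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED

def _is_session_ctor(node):
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
    return name in {"Session", "session"}

def find_risky_calls(source):
    """Return (line, session variable, method) for per-request verify=False on a Session."""
    tree = ast.parse(source)
    sessions = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_session_ctor(node.value):
            sessions.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif isinstance(node, ast.With):
            sessions.update(i.optional_vars.id for i in node.items
                            if _is_session_ctor(i.context_expr)
                            and isinstance(i.optional_vars, ast.Name))
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        recv, method = node.func.value, node.func.attr
        if isinstance(recv, ast.Name) and recv.id in sessions and method in HTTP_METHODS:
            if any(k.arg == "verify" and isinstance(k.value, ast.Constant)
                   and k.value.value is False for k in node.keywords):
                hits.append((node.lineno, recv.id, method))
    return sorted(hits)

if __name__ == "__main__":
    print(find_risky_calls(SAMPLE), is_affected("2.31.0"))
```

A hit is a starting point for review: the reviewer still has to confirm that the same session later contacts the same host with verification expected. The top-level `requests.get(...)` call is deliberately not flagged, since the description concerns requests made through a `Session`.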
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 9 Red Hat Ansible Automation Platform 2.4 for RHEL 8 Via RHSA-2024:4522 https://access.redhat.com/errata/RHSA-2024:4522
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 8 Via RHSA-2024:9988 https://access.redhat.com/errata/RHSA-2024:9988
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:0012 https://access.redhat.com/errata/RHSA-2025:0012
This issue has been addressed in the following products: RHUI 4 for RHEL 8 Via RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:7049 https://access.redhat.com/errata/RHSA-2025:7049