
[GHSA-9wx4-h78v-vm56] Requests Session object does not verify requests after making first request with verify=False #4468

Conversation

astellingwerf (Author) opened this pull request

Updates:
  • Affected products
  • Description

https://pypi.org/project/requests/#history shows the fixed version as yanked.

@github (Collaborator) commented May 29, 2024

Hi there @nateprewitt! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to astellingwerf/advisory-improvement-4468 May 29, 2024 09:24
@nateprewitt commented
Hi @astellingwerf both 2.32.0 and 2.32.1 are valid releases for the CVE patch. They're both available for use on GitHub and PyPI if needed. Yanking a release on PyPI just instructs pip and other package management tools to prefer a different installation if the user doesn't explicitly ask for it. I'm not sure what's in the Security Advisory currently is inaccurate.

@astellingwerf (Author) commented
Thanks for your response, @nateprewitt. I proposed this change because of renovatebot/renovate#29280. Renovate will (with OSV alerts enabled) only update to the exact version that is declared as the fix version, but it also refuses to update to yanked/deprecated versions.

I'd imagine it makes little sense to suggest users to update to a yanked version, and the change would allow Renovate to update to a valid version with the fix for this security vulnerability.
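The yank semantics nateprewitt describes, and the gap astellingwerf describes between an advisory's exact "fixed in" version and the versions an installer will actually select, can be checked against PyPI's own release metadata. The block below is an added example written for this thread; it is not code from the requests project, pip, Renovate or the advisory database. It assumes the shape of PyPI's JSON API response (https://pypi.org/pypi/<project>/json, key "releases", one list of uploaded files per version, each carrying a "yanked" flag); the yank flags in the sample are constructed to follow the discussion, not a live query, and the requirement resolver is a deliberately small approximation of the PEP 592 rule that only an exact "==" pin may install a yanked release.

```python
"""Resolve an advisory's "fixed in" version against PyPI release metadata.

Added example for this thread; it is not code from the requests project,
pip, Renovate or the GitHub advisory database. The release dict mirrors the
shape of PyPI's JSON API (https://pypi.org/pypi/<project>/json, key
"releases", one list of uploaded files per version, each file carrying a
"yanked" flag). The yank flags below are CONSTRUCTED sample data that follow
the discussion above; they are not a live query of PyPI.
"""
import json
import re

SAMPLE_RELEASES_JSON = json.dumps({
    "releases": {
        "2.31.0": [{"filename": "requests-2.31.0-py3-none-any.whl", "yanked": False}],
        "2.32.0": [{"filename": "requests-2.32.0-py3-none-any.whl", "yanked": True,
                    "yanked_reason": "constructed sample"}],
        "2.32.1": [{"filename": "requests-2.32.1-py3-none-any.whl", "yanked": True,
                    "yanked_reason": "constructed sample"}],
        "2.32.2": [{"filename": "requests-2.32.2-py3-none-any.whl", "yanked": False}],
        "2.32.3": [{"filename": "requests-2.32.3-py3-none-any.whl", "yanked": False}],
    }
})

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
_REQ_RE = re.compile(r"^\s*[A-Za-z0-9_.-]+\s*(==|>=)\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """Plain release versions only (no pre/post/dev segments); enough for requests' tags."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def release_is_yanked(files):
    """A version counts as yanked when every uploaded file is yanked (or nothing was uploaded)."""
    return not files or all(f.get("yanked", False) for f in files)


def installable_versions(releases_json):
    """Versions a range resolver may pick: non-yanked only, ascending order."""
    releases = json.loads(releases_json)["releases"]
    keyed = [(parse_version(v), v) for v, files in releases.items() if not release_is_yanked(files)]
    return [v for _, v in sorted(keyed)]


def is_vulnerable(installed, fixed_in):
    """Advisory semantics: anything below the tagged fix version is affected; the fix version itself is not."""
    return parse_version(installed) < parse_version(fixed_in)


def lowest_installable_fix(releases_json, fixed_in):
    """Lowest non-yanked version >= fixed_in, i.e. what a tool that refuses yanked
    releases can actually move to; None when every patched release is yanked."""
    target = parse_version(fixed_in)
    for v in installable_versions(releases_json):
        if parse_version(v) >= target:
            return v
    return None


def resolve_requirement(releases_json, requirement):
    """Approximation of PEP 592 yank handling: an exact '==' pin may still install
    a yanked release (pip proceeds with a warning), while a '>=' range skips yanked
    files and takes the newest remaining candidate. Only 'name==X' and 'name>=X'
    are handled here; anything else is rejected."""
    m = _REQ_RE.match(requirement)
    if not m:
        raise ValueError(f"only 'name==X' and 'name>=X' are handled here: {requirement!r}")
    op, ver = m.group(1), m.group(2)
    releases = json.loads(releases_json)["releases"]
    if op == "==":
        return ver if releases.get(ver) else None
    target = parse_version(ver)
    candidates = [v for v in installable_versions(releases_json) if parse_version(v) >= target]
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    fixed_in = "2.32.0"  # the version the advisory's fix commit is tagged with
    print("2.31.0 vulnerable:", is_vulnerable("2.31.0", fixed_in))
    print("installable:", installable_versions(SAMPLE_RELEASES_JSON))
    print("lowest non-yanked fix:", lowest_installable_fix(SAMPLE_RELEASES_JSON, fixed_in))
    print("requests==2.32.0 ->", resolve_requirement(SAMPLE_RELEASES_JSON, "requests==2.32.0"))
    print("requests>=2.32.0 ->", resolve_requirement(SAMPLE_RELEASES_JSON, "requests>=2.32.0"))
```

With the constructed data, `is_vulnerable` agrees with the advisory (2.32.0 is not affected), an exact pin on 2.32.0 still resolves because pins may take yanked files, and a tool that bumps only to a non-yanked release lands on 2.32.2 rather than on the advisory's tagged fix version; swap in the live `releases` object from the JSON API to check the real statuses.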

@shelbyc (Contributor) commented Jun 3, 2024

Hi @astellingwerf, as @nateprewitt pointed out, version 2.32.0 contains the patch and the fix commit is tagged with version 2.32.0. I'm not accepting the contribution because changing the patched version to 2.32.2 would result in readers of the advisory receiving less accurate information, including thousands of users receiving alerts that say their software is vulnerable when it is not vulnerable. The difficulty you describe at renovatebot/renovate#29280 sounds frustrating, but difficulty with another org's tooling can't lead me to compromising on data accuracy.

Thank you for your interest in GHSA-9wx4-h78v-vm56 and have a great week.

@advisory-database advisory-database bot closed this Jun 3, 2024
@github-actions github-actions bot deleted the astellingwerf-GHSA-9wx4-h78v-vm56 branch June 3, 2024 13:14