Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:requests
User: [email protected]
Usertags: pu

This fixes a low-severity security issue (CVE-2024-47081, netrc credential leak via URL userinfo) in requests, which
doesn't warrant a DSA. Tests via debusine look all good.
debdiff below.

Cheers,
        Moritz

diff -Nru requests-2.32.3+dfsg/debian/changelog 
requests-2.32.3+dfsg/debian/changelog
--- requests-2.32.3+dfsg/debian/changelog       2025-03-24 07:38:07.000000000 
+0100
+++ requests-2.32.3+dfsg/debian/changelog       2026-03-04 00:13:42.000000000 
+0100
@@ -1,3 +1,9 @@
+requests (2.32.3+dfsg-5+deb13u1) trixie; urgency=medium
+
+  * CVE-2024-47081 (Closes: #1107368)
+
+ -- Moritz Mühlenhoff <[email protected]>  Wed, 04 Mar 2026 00:13:42 +0100
+
 requests (2.32.3+dfsg-5) unstable; urgency=medium
 
   * Team upload.
diff -Nru requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch 
requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch
--- requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch    1970-01-01 
01:00:00.000000000 +0100
+++ requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch    2026-03-04 
00:13:42.000000000 +0100
@@ -0,0 +1,75 @@
+From 96ba401c1296ab1dda74a2365ef36d88f7d144ef Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <[email protected]>
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+From 7bc45877a86192af77645e156eb3744f95b47dae Mon Sep 17 00:00:00 2001
+From: danigm <[email protected]>
+Date: Thu, 5 Jun 2025 13:21:46 +0200
+Subject: [PATCH] Add new test to check netrc auth leak (#6962)
+
+
+--- requests-2.32.3+dfsg.orig/src/requests/utils.py
++++ requests-2.32.3+dfsg/src/requests/utils.py
+@@ -233,13 +233,7 @@ def get_netrc_auth(url, raise_errors=Fal
+             return
+ 
+         ri = urlparse(url)
+-
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b":"
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode("ascii")
+-        host = ri.netloc.split(splitstr)[0]
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)
+--- requests-2.32.3+dfsg.orig/tests/test_requests.py
++++ requests-2.32.3+dfsg/tests/test_requests.py
+@@ -7,6 +7,7 @@ import json
+ import os
+ import pickle
+ import re
++import tempfile
+ import threading
+ import warnings
+ from unittest import mock
+@@ -704,6 +705,36 @@ class TestRequests:
+         finally:
+             requests.sessions.get_netrc_auth = old_auth
+ 
++    def test_basicauth_with_netrc_leak(self, httpbin):
++        url1 = httpbin("basic-auth", "user", "pass")
++        url = url1[len("http://";) :]
++        domain = url.split(":")[0]
++        url = f"http://example.com:@{url}";
++
++        netrc_file = ""
++        with tempfile.NamedTemporaryFile(mode="w", delete=False) as fp:
++            fp.write("machine example.com\n")
++            fp.write("login wronguser\n")
++            fp.write("password wrongpass\n")
++            fp.write(f"machine {domain}\n")
++            fp.write("login user\n")
++            fp.write("password pass\n")
++            fp.close()
++            netrc_file = fp.name
++
++        old_netrc = os.environ.get("NETRC", "")
++        os.environ["NETRC"] = netrc_file
++
++        try:
++            # Should use netrc
++            # Make sure that we don't use the example.com credentails
++            # for the request
++            r = requests.get(url)
++            assert r.status_code == 200
++        finally:
++            os.environ["NETRC"] = old_netrc
++            os.unlink(netrc_file)
++
+     def test_DIGEST_HTTP_200_OK_GET(self, httpbin):
+         for authtype in self.digest_auth_algo:
+             auth = HTTPDigestAuth("user", "pass")
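Review bot: `host = ri.hostname` closes the userinfo leak (a URL such as `http://example.com:@victim/...` no longer resolves to the `example.com` netrc entry), but as far as I can tell `urlparse(...).hostname` also lowercases the name whereas the old `netloc.split(":")[0]` preserved case, and `netrc.authenticators` matches `machine` entries as exact dict keys, so a user with a mixed-case `machine` line would silently stop matching after this update; that deserves a sentence in the changelog or a NEWS entry if the regression matters for stable. In the new test, `old_netrc = os.environ.get("NETRC", "")` and the `finally` unconditionally does `os.environ["NETRC"] = old_netrc`, so when NETRC was unset it is left set to the empty string, which makes `get_netrc_auth` find no netrc file for every later test in the same process; prefer `old_netrc = os.environ.get("NETRC")` and restore with `os.environ.pop("NETRC", None)` when it was `None`. The `;` that follows `"http://"` on the slice and f-string lines looks like mailing-list archive mangling rather than patch content, but it is worth confirming the shipped `.patch` does not carry it, since it would be a syntax error in `test_requests.py`. Both `get_netrc_auth` and the `TestRequests` class continue outside this hunk.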
diff -Nru requests-2.32.3+dfsg/debian/patches/series 
requests-2.32.3+dfsg/debian/patches/series
--- requests-2.32.3+dfsg/debian/patches/series  2025-03-24 07:36:50.000000000 
+0100
+++ requests-2.32.3+dfsg/debian/patches/series  2026-03-04 00:13:42.000000000 
+0100
@@ -1,3 +1,4 @@
 0001-Remove-remote-images-traking-code-and-ads.patch
 0002-Fix-tests-with-HTTP-proxy.patch
 add-ca-constraint-to-test-ca.patch
+CVE-2024-47081.patch
