github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-9wx4-h78v-vm56] Requests `Session` object does not verify requests after making first request with verify=False #4468

Closed astellingwerf closed 4 months ago

astellingwerf commented 4 months ago

Updates

Comments: https://pypi.org/project/requests/#history shows the fixed version as yanked.

github commented 4 months ago

Hi there @nateprewitt! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

nateprewitt commented 4 months ago

Hi @astellingwerf, both 2.32.0 and 2.32.1 are valid releases for the CVE patch. They're both available for use on GitHub and PyPI if needed. Yanking a release on PyPI just instructs pip and other package management tools to prefer a different installation if the user doesn't explicitly ask for it. I'm not sure that what's in the Security Advisory currently is inaccurate.

astellingwerf commented 4 months ago

Thanks for your response, @nateprewitt. I proposed this change because of https://github.com/renovatebot/renovate/discussions/29280. Renovate will (with OSV alerts enabled) only update to the exact version that is declared as the fix version, but it also refuses to update to yanked/deprecated versions.

I'd imagine it makes little sense to suggest that users update to a yanked version, and the change would allow Renovate to update to a valid version with the fix for this security vulnerability.

shelbyc commented 4 months ago

Hi @astellingwerf, as @nateprewitt pointed out, version 2.32.0 contains the patch and the fix commit is tagged with version 2.32.0. I'm not accepting the contribution because changing the patched version to 2.32.2 would result in readers of the advisory receiving less accurate information, including thousands of users receiving alerts that say their software is vulnerable when it is not vulnerable. The difficulty you describe at https://github.com/renovatebot/renovate/discussions/29280 sounds frustrating, but difficulty with another org's tooling can't lead me to compromising on data accuracy.

Thank you for your interest in GHSA-9wx4-h78v-vm56 and have a great week.
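The two technical points in this thread, nateprewitt's description of what yanking does to an installer's choice and shelbyc's point that moving the advisory's fixed version to 2.32.2 would flag users of 2.32.0 and 2.32.1 who are already patched, can be made concrete with a small model. The script below is an added example written for this page; it is not code from pip, PyPI, Renovate or the advisory database. The release table is constructed to mirror the discussion (2.31.0 affected; 2.32.0 and 2.32.1 patched but marked yanked, which is an assumption taken from the thread rather than a live read of PyPI; 2.32.2 patched and not yanked). `resolve` follows pip's reading of PEP 592, where a yanked release is only eligible when the requirement is a single exact `==` pin, and `is_vulnerable` applies the half-open OSV range semantics (everything below `fixed` is affected). The version parser and specifier grammar are deliberately minimal (`X.Y.Z` and the six basic comparison operators) so the example runs offline without `packaging`.

```python
"""Model of how an installer treats yanked releases (PEP 592 as pip applies
it) and how an OSV-style 'fixed' version decides who gets an alert.

Added example for this thread; not code from pip, PyPI, Renovate or the
advisory database. Release data is constructed, not fetched.
"""
from __future__ import annotations

# Constructed data: version -> yanked flag. The yanked flags are an
# assumption taken from the thread, not a live read of
# https://pypi.org/pypi/requests/json.
RELEASES: dict[str, bool] = {
    "2.31.0": False,  # affected by GHSA-9wx4-h78v-vm56
    "2.32.0": True,   # contains the fix; yanked (assumed per thread)
    "2.32.1": True,   # contains the fix; yanked (assumed per thread)
    "2.32.2": False,  # contains the fix; not yanked
}

# Two-character operators come first so ">=" is matched before ">".
OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'X.Y.Z' into a comparable tuple. Enough for the constructed
    table; a real resolver uses packaging.version for full PEP 440."""
    return tuple(int(p) for p in v.strip().split("."))


def satisfies(version: str, specifier: str) -> bool:
    """Check a comma-separated specifier set such as '>=2.31,<2.32.2'.
    An empty string means 'any version'. Only the operators in OPS are
    supported; '~=' and '===' raise ValueError."""
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        for op, fn in OPS.items():
            if clause.startswith(op):
                if not fn(parse_version(version), parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return True


def resolve(releases: dict[str, bool], specifier: str = "") -> str | None:
    """Return the version an installer would pick under pip's reading of
    PEP 592: yanked releases are skipped unless the requirement is a single
    exact '==' pin, in which case the pinned (yanked) release is allowed.
    Returns None when nothing eligible satisfies the specifier, which is
    where pip reports 'no matching distribution'."""
    clauses = [c.strip() for c in specifier.split(",") if c.strip()]
    exact_pin = len(clauses) == 1 and clauses[0].startswith("==")
    eligible = [v for v, yanked in releases.items()
                if satisfies(v, specifier) and (exact_pin or not yanked)]
    return max(eligible, key=parse_version, default=None)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """OSV ranges are half-open: everything below 'fixed' is affected,
    'fixed' itself and everything later is patched."""
    return parse_version(installed) < parse_version(fixed)


def newly_alerted(installed: list[str], fixed_now: str, fixed_proposed: str) -> list[str]:
    """Versions that are correctly unflagged with the current fixed version
    but would be flagged if the advisory moved its fixed version later."""
    return [v for v in installed
            if not is_vulnerable(v, fixed_now) and is_vulnerable(v, fixed_proposed)]


if __name__ == "__main__":
    for spec in ("", "==2.32.0", "<2.32.2", ">=2.32.0,<2.32.2"):
        print(f"requests{spec:<20} -> {resolve(RELEASES, spec)}")
    print("2.32.0 vulnerable with fixed=2.32.0:", is_vulnerable("2.32.0", "2.32.0"))
    print("newly flagged if fixed moved to 2.32.2:",
          newly_alerted(list(RELEASES), "2.32.0", "2.32.2"))
```

Two results are worth noting. An unpinned requirement resolves to 2.32.2 and an exact `==2.32.0` pin still installs the yanked but patched 2.32.0, which is what nateprewitt describes. A cap such as `<2.32.2`, however, silently resolves to the vulnerable 2.31.0 because the only patched candidates below the cap are yanked, so a pin that was written before the yank can leave a vulnerable version installed without any error. And moving the advisory's fixed version to 2.32.2 would make `is_vulnerable` report 2.32.0 and 2.32.1 as affected, which is the false-alert problem shelbyc raises.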