Your message dated Sat, 14 Mar 2026 11:48:36 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1130081,
regarding trixie-pu: package requests/2.32.3+dfsg-5+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130081: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130081
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:requests
User: [email protected]
Usertags: pu
This fixes a low severity security issues in requests, which
doesn't warrant a DSA. Tests via debusine look all good.
debdiff below.
Cheers,
Moritz
diff -Nru requests-2.32.3+dfsg/debian/changelog
requests-2.32.3+dfsg/debian/changelog
--- requests-2.32.3+dfsg/debian/changelog 2025-03-24 07:38:07.000000000
+0100
+++ requests-2.32.3+dfsg/debian/changelog 2026-03-04 00:13:42.000000000
+0100
@@ -1,3 +1,9 @@
+requests (2.32.3+dfsg-5+deb13u1) trixie; urgency=medium
+
+ * CVE-2024-47081 (Closes: #1107368)
+
+ -- Moritz Mühlenhoff <[email protected]> Wed, 04 Mar 2026 00:13:42 +0100
+
requests (2.32.3+dfsg-5) unstable; urgency=medium
* Team upload.
diff -Nru requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch
requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch
--- requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch 1970-01-01
01:00:00.000000000 +0100
+++ requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch 2026-03-04
00:13:42.000000000 +0100
@@ -0,0 +1,75 @@
+From 96ba401c1296ab1dda74a2365ef36d88f7d144ef Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <[email protected]>
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+From 7bc45877a86192af77645e156eb3744f95b47dae Mon Sep 17 00:00:00 2001
+From: danigm <[email protected]>
+Date: Thu, 5 Jun 2025 13:21:46 +0200
+Subject: [PATCH] Add new test to check netrc auth leak (#6962)
+
+
+--- requests-2.32.3+dfsg.orig/src/requests/utils.py
++++ requests-2.32.3+dfsg/src/requests/utils.py
+@@ -233,13 +233,7 @@ def get_netrc_auth(url, raise_errors=Fal
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b":"
+- if isinstance(url, str):
+- splitstr = splitstr.decode("ascii")
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
+--- requests-2.32.3+dfsg.orig/tests/test_requests.py
++++ requests-2.32.3+dfsg/tests/test_requests.py
+@@ -7,6 +7,7 @@ import json
+ import os
+ import pickle
+ import re
++import tempfile
+ import threading
+ import warnings
+ from unittest import mock
+@@ -704,6 +705,36 @@ class TestRequests:
+ finally:
+ requests.sessions.get_netrc_auth = old_auth
+
++ def test_basicauth_with_netrc_leak(self, httpbin):
++ url1 = httpbin("basic-auth", "user", "pass")
++ url = url1[len("http://";) :]
++ domain = url.split(":")[0]
++ url = f"http://example.com:@{url}";
++
++ netrc_file = ""
++ with tempfile.NamedTemporaryFile(mode="w", delete=False) as fp:
++ fp.write("machine example.com\n")
++ fp.write("login wronguser\n")
++ fp.write("password wrongpass\n")
++ fp.write(f"machine {domain}\n")
++ fp.write("login user\n")
++ fp.write("password pass\n")
++ fp.close()
++ netrc_file = fp.name
++
++ old_netrc = os.environ.get("NETRC", "")
++ os.environ["NETRC"] = netrc_file
++
++ try:
++ # Should use netrc
++ # Make sure that we don't use the example.com credentails
++ # for the request
++ r = requests.get(url)
++ assert r.status_code == 200
++ finally:
++ os.environ["NETRC"] = old_netrc
++ os.unlink(netrc_file)
++
+ def test_DIGEST_HTTP_200_OK_GET(self, httpbin):
+ for authtype in self.digest_auth_algo:
+ auth = HTTPDigestAuth("user", "pass")
diff -Nru requests-2.32.3+dfsg/debian/patches/series
requests-2.32.3+dfsg/debian/patches/series
--- requests-2.32.3+dfsg/debian/patches/series 2025-03-24 07:36:50.000000000
+0100
+++ requests-2.32.3+dfsg/debian/patches/series 2026-03-04 00:13:42.000000000
+0100
@@ -1,3 +1,4 @@
0001-Remove-remote-images-traking-code-and-ads.patch
0002-Fix-tests-with-HTTP-proxy.patch
add-ca-constraint-to-test-ca.patch
+CVE-2024-47081.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---
