requests (2.21.0-1+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2023-32681: Requests has been leaking Proxy-Authorization headers
    to destination servers when redirected to an HTTPS endpoint. For HTTP
    connections sent through the tunnel, the proxy will identify the header
    in the request itself and remove it prior to forwarding to the
    destination server. However when sent over HTTPS, the
    `Proxy-Authorization` header must be sent in the CONNECT request as the
    proxy has no visibility into the tunneled request. This results in
    Requests forwarding proxy credentials to the destination server
    unintentionally, allowing a malicious actor to potentially exfiltrate
    sensitive information.

 -- Markus Koschany  Sun, 18 Jun 2023 00:29:17 +0200

requests (2.21.0-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Update to use my debian.org mail address.
    - Bump Standards-Version to 4.3.0 (no changes needed).
    - Bump python-all >= 2.7 in Build-Depends.
  * debian/copyright
    - Update to use my debian.org mail address.
    - Update copyright years.

 -- Daniele Tricoli  Tue, 12 Feb 2019 01:28:14 +0100

requests (2.20.0-2) unstable; urgency=medium

  * Bump python-urllib3 to (<< 1.25) in Build-Depends. Thanks to Mattia
    Rizzolo for the report. (Closes: #911903)

 -- Daniele Tricoli  Fri, 26 Oct 2018 01:46:46 +0200

requests (2.20.0-1) unstable; urgency=medium

  [ Ondřej Nový ]
  * d/control: Remove ancient X-Python-Version field
  * d/control: Remove ancient X-Python3-Version field
  * Convert git repository from git-dpm to gbp layout

  [ Daniele Tricoli ]
  * New upstream release.
    - Fix CVE-2018-18074 (Closes: #910766)
  * Add gbp.conf.
  * debian/control
    - Bump python{,3}-urllib3 (>= 1.21.1) (<< 1.25).
    - Bump Standards-Version to 4.2.1 (no changes needed).
  * debian/copyright
    - Update upstream copyright year.
    - Update Source field to point to new PyPI URL.
  * debian/docs
    - Rename README.rst to README.md.
  * debian/rules
    - Rename HISTORY.rst to HISTORY.md.
  * debian/watch
    - Remove pgpsigurlmangle since upstream is not signing releases anymore.
  * debian/upstream/signing-key.asc
    - Remove upstream signing-key.asc since not used anymore.

 -- Daniele Tricoli  Thu, 25 Oct 2018 03:50:50 +0200

requests (2.18.4-2) unstable; urgency=medium

  * debian/control
    - Update Vcs-Git and Vcs-Browser to salsa.debian.org.
    - Add awscli (<< 1.11.139) to python3-requests' Breaks.
      (Closes: #870888)
  * debian/copyright
    - Use secure URI in format field.
    - Update copyright years.

 -- Daniele Tricoli  Fri, 09 Feb 2018 19:31:10 +0100

requests (2.18.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * d/watch: Use https
  * Bump X-Python3-Version to 3.4
  * Bump debhelper compat level to 11
  * Standards-Version is 4.1.3 now (no changes needed)
  * d/watch: Check upstream signature
  * Fixed required version of chardet and urllib3 for new version

 -- Ondřej Nový  Thu, 04 Jan 2018 15:18:19 +0100

requests (2.18.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #856619)
    - No more bundling of dependencies. (Closes: #859504)
  * Drop all patches.
  * Add autodep8 tests.
  * debian/control
    - Bump python{,3}-urllib3 dependencies to (>= 1.21.1) (<< 1.22).
    - Bump Standards-Version to 4.0.0 (no changes needed).
    - Add version constraint for chardet and idna.
    - Add python{,3}-certifi to Build-Depends and Depends.
  * debian/copyright
    - Remove stanzas of no more bundled dependencies.
    - Update copyright years.

 -- Daniele Tricoli  Fri, 04 Aug 2017 08:13:04 +0200

requests (2.12.4-1) unstable; urgency=medium

  * New upstream release.

 -- Daniele Tricoli  Mon, 19 Dec 2016 20:18:04 +0100

requests (2.12.3-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Bump python{,3}-urllib3 dependencies to (>= 1.19.1) (<< 1.19.2).
    - Remove python{,3}-ndg-httpsclient and python{,3}-pyasn1.
    - Add python{,3}-cryptography and python{,3}-idna.
  * debian/copyright
    - Add stanza for idna.
  * debian/patches/02_populate-install_requires.patch
    - Refresh.
  * debian/patches/use-pip-unbundling.patch
    - Refresh.

 -- Daniele Tricoli  Tue, 13 Dec 2016 00:34:47 +0100

requests (2.11.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Bump python{,3}-urllib3 dependencies to (>= 1.16) (<< 1.16.1).
  * debian/patches/02_populate-install_requires.patch
    - Refresh.

 -- Daniele Tricoli  Fri, 09 Sep 2016 00:31:15 +0200

requests (2.10.0-2) unstable; urgency=medium

  * debian/patches/use-pip-unbundling.patch
    - Use the same unbundling strategy implemented by pip.

 -- Daniele Tricoli  Sat, 18 Jun 2016 22:28:05 +0200

requests (2.10.0-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Bump Standards-Version to 3.9.8 (no changes needed).
    - Add python{,3}-socks to Suggests.
    - Bump python{,3}-urllib3 dependencies to (>= 1.15.1) (<< 1.15.2).
  * debian/copyright
    - Update copyright years.
  * debian/patches/02_populate-install_requires.patch
    - Refresh.

 -- Daniele Tricoli  Fri, 20 May 2016 02:41:59 +0200

requests (2.9.1-3) unstable; urgency=medium

  * debian/control
    - Remove python-requests-whl as it's no longer necessary.
    - Remove python3-wheel from Build-Depends.
    - Fix Vcs-Git URI.
    - Bump Standards-Version to 3.9.7 (no changes needed).
    - Bump X-Python3-Version to >= 3.3.
  * debian/copyright
    - Updated copyright years.
  * debian/python-requests-whl.install
    - Remove.
  * debian/rules
    - Remove override_dh_auto_install since we no longer need to build the
      wheel package.

 -- Daniele Tricoli  Fri, 12 Feb 2016 07:23:58 +0100

requests (2.9.1-2) unstable; urgency=medium

  * debian/control
    - Tweak fixed dependency on urllib3 1.13.1 to accommodate packaging
      changes, as the version requirement is upstream version only.
      Thanks James Page for report and patch. (Closes: #809485)
    - Use HTTPS scheme for Vcs-Git.

 -- Daniele Tricoli  Sun, 24 Jan 2016 21:12:17 +0100

requests (2.9.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Bump python{,3}-urllib3 to = 1.13.1-1 both in Build-Depends and
      Depends.
      Tightening the urllib3 dependency is needed because, otherwise, any
      programs depending on requests through pkgresources will fail.
      Thanks to Vincent Bernat for the report.
  * debian/patches/02_populate-install_requires.patch
    - Refresh. (Closes: #809031)

 -- Daniele Tricoli  Sun, 27 Dec 2015 13:14:02 +0100

requests (2.8.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #802760)
  * debian/control
    - Bump python{,3}-urllib3 to >= 1.12 both in Build-Depends and Depends.
  * debian/patches/05_upstream_devendorize.patch
    - Remove because included since version 2.8.0.
  * debian/patches/02_populate-install_requires.patch
    - Populate install_requires for unbundled packages to avoid breakage
      updating urllib3 via pip when requests/urllib3 are already installed
      via the system packages.

 -- Daniele Tricoli  Sat, 24 Oct 2015 17:46:58 +0200

requests (2.7.0-3) unstable; urgency=medium

  [ Barry Warsaw ]
  * debian/patches:
    - 02_use-system-chardet-and-urllib3.patch and
      04_make-requests.packages.urllib3-same-as-urllib3.patch:
      Removed in favor of upstream's pull request #2567
    - 05_upstream_devendorize.patch: Upstream's pull request to better
      support the devendorizing of urllib3 and chardet.
      (Closes: #771349, #788383)

  [ Daniele Tricoli ]
  * debian/python{,3}-requests.pyremove
    - Remove embedded copy of chardet and urllib3. Previously it was done by
      02_use-system-chardet-and-urllib3.patch.

 -- Daniele Tricoli  Thu, 11 Jun 2015 01:39:13 +0200

requests (2.7.0-2) unstable; urgency=medium

  * Upload to unstable.
  * debian/control
    - Add httpie (<< 0.9.2) to python-requests' Breaks since constants
      imported by httpie from requests.compat were removed.

 -- Daniele Tricoli  Wed, 27 May 2015 17:31:38 +0200

requests (2.7.0-1) experimental; urgency=medium

  * New upstream release. (Closes: #784095)
    - Embedded copy (not used) of urllib3 does not require SSLv3 anymore.
      (Closes: #770172)
  * debian/control
    - Move python-ndg-httpsclient, python-openssl and python-pyasn1 to
      Suggests inside python-requests' stanza since Python 2.7.9 includes
      SNI support and PEP 476 made it as secure as Python 3.
    - Bump python{,3}-urllib3 to 1.10.4.
  * debian/copyright
    - Update copyright years.
    - Update to MPL-2.0 license stanza of requests/cacert.pem (not used but
      shipped in orig tarball).
  * debian/watch
    - Use pypi.debian.net redirector.
  * debian/patches/01_use-system-ca-certificates.patch
    - Refresh and remove CA certificate bundle from MANIFEST.in.
      (Closes: #781610)
  * debian/patches/02_use-system-chardet-and-urllib3.patch
    - Refresh.
  * debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
    - Refresh.
  * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
    - Remove since fixed upstream.
  * debian/python{,3}-requests.links
    - Remove links thanks to the import machinery in
      04_make-requests.packages.urllib3-same-as-urllib3.patch

 -- Daniele Tricoli  Mon, 04 May 2015 21:43:40 +0200

requests (2.4.3-6) unstable; urgency=medium

  * debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
    - Fix session fixation and cookie stealing: CVE-2015-2296.
      (Closes: #780506)

 -- Daniele Tricoli  Mon, 16 Mar 2015 01:31:10 +0100

requests (2.4.3-5) unstable; urgency=medium

  * Team upload.
  * d/control: Remove the Build-Depends on python{,3}-pytest since we aren't
    actually running the tests at build time. (Closes: #770173)
  * d/rules: Update the comment about why the tests are currently disabled
    at build time to point to the updated upstream url.

 -- Barry Warsaw  Wed, 19 Nov 2014 18:00:46 -0500

requests (2.4.3-4) unstable; urgency=medium

  * debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
    - Fix requests.packages.urllib3 sub on Python 3. Thanks to Tianon Gravi
      for the report.
      (Closes: #769496)

 -- Daniele Tricoli  Fri, 14 Nov 2014 04:50:22 +0100

requests (2.4.3-3) unstable; urgency=medium

  * debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
    - Make Python import system know that requests.packages.urllib3 and
      urllib3 are the same thing. Thanks to Jakub Wilk for the patch.
      (Closes: #769047)

 -- Daniele Tricoli  Tue, 11 Nov 2014 03:28:18 +0100

requests (2.4.3-2) unstable; urgency=medium

  * debian/patches/03_export-IncompleteRead.patch
    - Export IncompleteRead from requests.compat since it's imported by
      python-pip. (Closes: #766419)

 -- Daniele Tricoli  Thu, 23 Oct 2014 02:54:46 +0200

requests (2.4.3-1) unstable; urgency=medium

  * New upstream release.
  * debian/control
    - Fix duplicate-short-description.
    - Bump Standards-Version to 3.9.6 (no changes needed).
    - Add python-ndg-httpsclient, python-openssl and python-pyasn1 into
      python-urllib3's Recommends to ensure that SNI works as expected and
      to prevent CRIME attack. (Closes: #755805)
    - Add python3-ndg-httpsclient, python3-openssl and python3-pyasn1 into
      python3-urllib3's Suggests since Python 3 already supports SNI and
      SSL compression can be disabled using OP_NO_COMPRESSION.
    - Bump python{,3}-urllib3 to (>=1.9.1).
  * debian/patches/01_use-system-ca-certificates.patch
    - Refresh.
  * debian/patches/02_use-system-chardet-and-urllib3.patch
    - Refresh.
    - Provide requests.packages package because it will be used to supply
      a stub for requests.packages.urllib3.
  * debian/python{,3}-requests.links:
    - Provide requests.packages.urllib3 as symlink of python{,3}-urllib3
      system package since it is used as import location.
      (Closes: #753578)

 -- Daniele Tricoli  Tue, 21 Oct 2014 01:35:59 +0200

requests (2.3.0-1) unstable; urgency=medium

  * Team upload.
    - Fix CVE-2014-1829 and CVE-2014-1830 (Closes: #733108)
  * New upstream release.
  * d/control: Added python{,3}-pytest to Build-Depends.
  * d/patches/*: Refreshed.

 -- Barry Warsaw  Wed, 04 Jun 2014 10:40:46 -0400

requests (2.2.1-3) unstable; urgency=medium

  * Team upload.
  * d/control:
    - Fix python-requests-whl Depends.
    - Fix typo in python-requests-whl description.

 -- Barry Warsaw  Thu, 22 May 2014 18:33:19 -0400

requests (2.2.1-2) unstable; urgency=medium

  * Team upload.
  * debian/control
    - Add python-requests-whl binary package.
    - Build-Depends on python3-wheel, python-setuptools, and
      python3-setuptools.
    - wrap-and-sort.
  * debian/rules:
    - Simplify by using PYBUILD_NAME.
    - Build the universal wheels.

 -- Barry Warsaw  Thu, 15 May 2014 17:09:30 -0400

requests (2.2.1-1) unstable; urgency=medium

  * New upstream release
  * debian/control
    - Bumped Standards-Version to 3.9.5 (no changes needed)
  * debian/copyright
    - Updated copyright years
  * debian/patches/02_use-system-chardet-and-urllib3.patches
    - Refreshed

 -- Daniele Tricoli  Mon, 27 Jan 2014 04:58:17 +0100

requests (2.0.0-1) unstable; urgency=low

  * New upstream release (Closes: #725784)
  * Switched to pybuild
  * debian/clean
    - Switched to debian/clean for cleaning instead of using debian/rules
  * debian/control
    - Bumped python(3)-urllib3 to (>=1.7.1)
  * debian/copyright
    - Updated copyright year
  * debian/patches/02_use-system-chardet-and-urllib3.patches
    - Refreshed
  * debian/watch
    - Switched download URL to https

 -- Daniele Tricoli  Fri, 18 Oct 2013 19:20:21 +0200

requests (1.2.3-1) unstable; urgency=low

  * New upstream release (Closes: #712915) (LP: #1187429)
    - Thanks to Scott Moser for the report
  * debian/compat
    - Bumped debhelper compatibility level to 9
  * debian/control
    - Bumped debhelper B-D to (>= 9)
    - Temporarily bumped X-Python-Version to >= 2.7 to prevent FTBFS due to
      lack of python-urllib3 for Python 2.6
  * debian/patches/02_use-system-chardet-and-urllib3.patches
    - Refreshed

 -- Daniele Tricoli  Fri, 21 Jun 2013 08:52:39 +0200

requests (1.2.0-2) unstable; urgency=low

  * Uploading to unstable.
  * rm -rf requests.egg-info on clean so the package can be built twice.

 -- Thomas Goirand  Sat, 11 May 2013 05:15:04 +0000

requests (1.2.0-1) experimental; urgency=low

  * New upstream version.
  * Refreshed both debian-specific patches.

 -- Thomas Goirand  Thu, 25 Apr 2013 22:56:42 +0000

requests (1.1.0-1) experimental; urgency=low

  * New upstream release (Closes: #692602)
    - Thanks to Barry Warsaw for report
  * debian/control
    - Added python-chardet, python3-chardet to Build-Depends and moved them
      from Recommends to Depends since chardet is now required
    - Added python(3)-urllib3 (>= 1.5) to Build-Depends and Depends since
      the embedded copy is no more a fork
    - Removed python(3)-six since python(3)-urllib3 is not embedded anymore
    - Removed python-gevent and python-oauthlib from Recommends since
      upstream is not using them anymore
    - Bumped Standards-Version to 3.9.4 (no changes needed)
    - Fixed lintian vcs-field-not-canonical
  * debian/copyright
    - Updated to reflect upstream switch to Apache 2.0 and updated copyright
      years
  * debian/patches/01_do-not-use-python-certifi.patch
    - Removed because no longer necessary
  * debian/patches/02_do-not-use-embedded-python-six.patch
    - Removed because no longer necessary
  * debian/patches/01_use-system-ca-certificates.patch
    - Use the bundle provided by ca-certificates instead of the embedded one
  * debian/patches/02_use-system-chardet-and-urllib3.patches
    - Use the system python-chardet and python-urllib3 instead of the
      embedded copies

 -- Daniele Tricoli  Sun, 20 Jan 2013 23:03:45 +0100

requests (0.12.1-1) unstable; urgency=low

  * New upstream release
  * debian/control
    - Added python-oauthlib to python-requests' Recommends field
  * debian/patches/01_do-not-use-python-certifi.patch
    - Refreshed

 -- Daniele Tricoli  Fri, 04 May 2012 14:34:47 +0200

requests (0.11.2-1) unstable; urgency=low

  * New upstream release
  * debian/patches/01_do-not-use-python-certifi.patch
    - Refreshed

 -- Daniele Tricoli  Mon, 23 Apr 2012 16:06:33 +0200

requests (0.11.1-1) unstable; urgency=low

  * New upstream release
  * debian/control
    - Added python3-chardet
      to python3-requests' Recommends field
    - Updated Description field
  * debian/patches/02_do-not-use-embedded-python-six.patch
    - Refreshed

 -- Daniele Tricoli  Sun, 01 Apr 2012 12:33:42 +0200

requests (0.10.8-1) unstable; urgency=low

  [ Piotr Ożarowski ]
  * Fix typo in python3-requests' ${python3:Depends}

  [ Daniele Tricoli ]
  * New upstream release (Closes: #663561)
  * Removed embedded copy of python-six
    - Added debian/patches/02_do-not-use-embedded-python-six.patch
    - Added override_dh_auto_configure to debian/rules to remove the
      embedded copy
    - Added python(3)-six to Build-Depends and Depends
  * debian/control
    - Bumped Standards-Version to 3.9.3 (no changes needed)
  * debian/copyright
    - Added forgotten stanzas about packages inside the fork of
      python-urllib3
  * debian/patches/01_do-not-use-python-certifi.patch
    - Refreshed
  * debian/patches/02_fix-python3-except-sintax-error.patch
    - Removed as it is applied upstream

 -- Daniele Tricoli  Mon, 19 Mar 2012 01:20:59 +0100

requests (0.10.1-1) unstable; urgency=low

  * New upstream release
    - Adds Python 3 support
  * Built Python 3 package
  * debian/control
    - Added python-chardet to Recommends
    - Bumped X-Python-Version >= 2.6
    - Added ca-certificates to Depends
    - Added python3-all to Build-Depends
  * debian/copyright
    - Updated Format URI
    - Updated copyright years
  * debian/patches/01_do-not-use-python-certifi.patch
    - To verify SSL certificates for HTTPS requests, use the bundle provided
      by ca-certificates instead of python-certifi
  * debian/patches/02_fix-python3-except-sintax-error.patches
    - Fix SyntaxError on Python3 because "except Error, e" is not supported
      anymore
  * debian/rules
    - Added override_dh_auto_clean to make the package build twice in a row

 -- Daniele Tricoli  Sun, 05 Feb 2012 04:51:38 +0100

requests (0.8.2-1) unstable; urgency=low

  * New upstream release
  * debian/watch
    - Removed "debian uupdate" options
  * debian/{copyright,README.source}
    - Updated to reflect upstream changes: switched from poster to urllib3
    - Added a stanza about
      the embedded modified copy of the standard module Cookie

 -- Daniele Tricoli  Fri, 25 Nov 2011 00:02:28 +0100

requests (0.6.4-1) unstable; urgency=low

  * New upstream release
  * debian/control
    - Dropped python-eventlet from Depends field because it's not used
      anymore
    - Moved python-gevent from Depends field to Recommends field so
      python-requests can be installed also in ia64 and sparc

 -- Daniele Tricoli  Wed, 19 Oct 2011 20:49:39 +0200

requests (0.6.1-1) unstable; urgency=low

  * New upstream release

 -- Daniele Tricoli  Tue, 23 Aug 2011 02:00:41 +0200

requests (0.5.0-1) unstable; urgency=low

  * New upstream release
  * debian/control
    - Updated description to mention proxy support

 -- Daniele Tricoli  Sun, 26 Jun 2011 07:12:03 +0200

requests (0.4.1-1) unstable; urgency=low

  * Initial release (Closes: #629370)

 -- Daniele Tricoli  Mon, 06 Jun 2011 02:11:15 +0200