requests (2.21.0-1+deb10u1) buster-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2023-32681:
Requests has been leaking Proxy-Authorization headers to destination
servers when redirected to an HTTPS endpoint. For HTTP connections sent
through the tunnel, the proxy will identify the header in the request
itself and remove it prior to forwarding to the destination server. However
when sent over HTTPS, the `Proxy-Authorization` header must be sent in the
CONNECT request as the proxy has no visibility into the tunneled request.
This results in Requests forwarding proxy credentials to the destination
server unintentionally, allowing a malicious actor to potentially
exfiltrate sensitive information.
-- Markus Koschany <apo@debian.org> Sun, 18 Jun 2023 00:29:17 +0200
requests (2.21.0-1) unstable; urgency=medium
* New upstream release.
* debian/control
- Update to use my debian.org mail address.
- Bump Standards-Version to 4.3.0 (no changes needed).
- Bump python-all >= 2.7 in Build-Depends.
* debian/copyright
- Update to use my debian.org mail address.
- Update copyright years.
-- Daniele Tricoli <eriol@debian.org> Tue, 12 Feb 2019 01:28:14 +0100
requests (2.20.0-2) unstable; urgency=medium
* Bump python-urllib3 to (<< 1.25) in Build-Depends.
Thanks to Mattia Rizzolo for the report. (Closes: #911903)
-- Daniele Tricoli <eriol@mornie.org> Fri, 26 Oct 2018 01:46:46 +0200
requests (2.20.0-1) unstable; urgency=medium
[ Ondřej Nový ]
* d/control: Remove ancient X-Python-Version field
* d/control: Remove ancient X-Python3-Version field
* Convert git repository from git-dpm to gbp layout
[ Daniele Tricoli ]
* New upstream release.
- Fix CVE-2018-18074 (Closes: #910766)
* Add gbp.conf.
* debian/control
- Bump python{,3}-urllib3 (>= 1.21.1) (<< 1.25).
- Bump Standards-Version to 4.2.1 (no changes needed).
* debian/copyright
- Update upstream copyright year.
- Update Source field to point to new PyPI URL.
* debian/docs
- Rename README.rst to README.md.
* debian/rules
- Rename HISTORY.rst to HISTORY.md.
* debian/watch
- Remove pgpsigurlmangle since upstream is not signing releases anymore.
* debian/upstream/signing-key.asc
- Remove upstream signing-key.asc since not used anymore.
-- Daniele Tricoli <eriol@mornie.org> Thu, 25 Oct 2018 03:50:50 +0200
requests (2.18.4-2) unstable; urgency=medium
* debian/control
- Update Vcs-Git and Vcs-Browser to salsa.debian.org.
- Add awscli (<< 1.11.139) to python3-requests' Breaks. (Closes: #870888)
* debian/copyright
- Use secure URI in format field.
- Update copyright years.
-- Daniele Tricoli <eriol@mornie.org> Fri, 09 Feb 2018 19:31:10 +0100
requests (2.18.4-1) unstable; urgency=medium
* Team upload.
* New upstream release
* d/watch: Use https
* Bump X-Python3-Version to 3.4
* Bump debhelper compat level to 11
* Standards-Version is 4.1.3 now (no changes needed)
* d/watch: Check upstream signature
* Fixed required version of chardet and urllib3 for new version
-- Ondřej Nový <onovy@debian.org> Thu, 04 Jan 2018 15:18:19 +0100
requests (2.18.1-1) unstable; urgency=medium
* New upstream release. (Closes: #856619)
- No more bundling of dependencies. (Closes: #859504)
* Drop all patches.
* Add autodep8 tests.
* debian/control
- Bump python{,3}-urllib3 dependencies to (>= 1.21.1) (<< 1.22).
- Bump Standards-Version to 4.0.0 (no changes needed).
- Add version constraint for chardet and idna.
- Add python{,3}-certifi to Build-Depends and Depends.
* debian/copyright
- Remove stanzas of no more bundled dependencies.
- Update copyright years.
-- Daniele Tricoli <eriol@mornie.org> Fri, 04 Aug 2017 08:13:04 +0200
requests (2.12.4-1) unstable; urgency=medium
* New upstream release.
-- Daniele Tricoli <eriol@mornie.org> Mon, 19 Dec 2016 20:18:04 +0100
requests (2.12.3-1) unstable; urgency=medium
* New upstream release.
* debian/control
- Bump python{,3}-urllib3 dependencies to (>= 1.19.1) (<< 1.19.2).
- Remove python{,3}-ndg-httpsclient and python{,3}-pyasn1.
- Add python{,3}-cryptography and python{,3}-idna.
* debian/copyright
- Add stanza for idna.
* debian/patches/02_populate-install_requires.patch
- Refresh.
* debian/patches/use-pip-unbundling.patch
- Refresh.
-- Daniele Tricoli <eriol@mornie.org> Tue, 13 Dec 2016 00:34:47 +0100
requests (2.11.1-1) unstable; urgency=medium
* New upstream release.
* debian/control
- Bump python{,3}-urllib3 dependencies to (>= 1.16) (<< 1.16.1).
* debian/patches/02_populate-install_requires.patch
- Refresh.
-- Daniele Tricoli <eriol@mornie.org> Fri, 09 Sep 2016 00:31:15 +0200
requests (2.10.0-2) unstable; urgency=medium
* debian/patches/use-pip-unbundling.patch
- Use the same unbundling strategy implemented by pip.
-- Daniele Tricoli <eriol@mornie.org> Sat, 18 Jun 2016 22:28:05 +0200
requests (2.10.0-1) unstable; urgency=medium
* New upstream release.
* debian/control
- Bump Standards-Version to 3.9.8 (no changes needed).
- Add python{,3}-socks to Suggests.
- Bump python{,3}-urllib3 dependencies to (>= 1.15.1) (<< 1.15.2).
* debian/copyright
- Update copyright years.
* debian/patches/02_populate-install_requires.patch
- Refresh.
-- Daniele Tricoli <eriol@mornie.org> Fri, 20 May 2016 02:41:59 +0200
requests (2.9.1-3) unstable; urgency=medium
* debian/control
- Remove python-requests-whl as it's no longer necessary.
- Remove python3-wheel from Build-Depends.
- Fix Vcs-Git URI.
- Bump Standards-Version to 3.9.7 (no changes needed).
- Bump X-Python3-Version to >= 3.3.
* debian/copyright
- Updated copyright years.
* debian/python-requests-whl.install
- Remove.
* debian/rules
- Remove override_dh_auto_install since we no longer need to
build the wheel package.
-- Daniele Tricoli <eriol@mornie.org> Fri, 12 Feb 2016 07:23:58 +0100
requests (2.9.1-2) unstable; urgency=medium
* debian/control
- Tweak fixed dependency on urllib3 1.13.1 to accommodate
packaging changes, as the version requirement is upstream version
only. Thanks James Page for report and patch. (Closes: #809485)
- Use HTTPS scheme for Vcs-Git.
-- Daniele Tricoli <eriol@mornie.org> Sun, 24 Jan 2016 21:12:17 +0100
requests (2.9.1-1) unstable; urgency=medium
* New upstream release.
* debian/control
- Bump python{,3}-urllib3 to = 1.13.1-1 both in Build-Depends and Depends.
Tighten urllib3 dependency is needed because, otherwise, any programs
depending to requests through pkgresources will fail. Thanks to Vincent
Bernat for the report.
* debian/patches/02_populate-install_requires.patch
- Refresh. (Closes: #809031)
-- Daniele Tricoli <eriol@mornie.org> Sun, 27 Dec 2015 13:14:02 +0100
requests (2.8.1-1) unstable; urgency=medium
* New upstream release. (Closes: #802760)
* debian/control
- Bump python{,3}-urllib3 to >= 1.12 both in Build-Depends and Depends.
* debian/patches/05_upstream_devendorize.patch
- Remove because included since version 2.8.0.
* debian/patches/02_populate-install_requires.patch
- Populate install_requires for unbundled packages to avoid breakage
updating urllib3 via pip when requests/urllib3 are already installed
via the system packages.
-- Daniele Tricoli <eriol@mornie.org> Sat, 24 Oct 2015 17:46:58 +0200
requests (2.7.0-3) unstable; urgency=medium
[ Barry Warsaw ]
* debian/patches:
- 02_use-system-chardet-and-urllib3.patch and
04_make-requests.packages.urllib3-same-as-urllib3.patch: Removed in
favor of upstream's pull request #2567
- 05_upstream_devendorize.patch: Upstream's pull request to better
support the devendorizing of urllib3 and chardet.
(Closes: #771349, #788383)
[ Daniele Tricoli ]
* debian/python{,3}-requests.pyremove
- Remove embedded copy of chardet and urllib3. Previously it was done by
02_use-system-chardet-and-urllib3.patch.
-- Daniele Tricoli <eriol@mornie.org> Thu, 11 Jun 2015 01:39:13 +0200
requests (2.7.0-2) unstable; urgency=medium
* Upload to unstable.
* debian/control
- Add httpie (<< 0.9.2) to python-requests' Breaks since constants
imported by httpie from requests.compat were removed.
-- Daniele Tricoli <eriol@mornie.org> Wed, 27 May 2015 17:31:38 +0200
requests (2.7.0-1) experimental; urgency=medium
* New upstream release. (Closes: #784095)
- Embedded copy (not used) of urllib3 does not require SSLv3 anymore.
(Closes: #770172)
* debian/control
- Move python-ndg-httpsclient, python-openssl and python-pyasn1 to Suggests
inside python-requests' stanza since Python 2.7.9 include SNI support
and PEP 476 made it as secure as Python 3.
- Bump python{,3}-urllib3 to 1.10.4.
* debian/copyright
- Update copyright years.
- Update to MPL-2.0 license stanza of requests/cacert.pem (not used but
shipped in orig tarball).
* debian/watch
- Use pypi.debian.net redirector.
* debian/patches/01_use-system-ca-certificates.patch
- Refresh and remove CA certificate bundle from MANIFEST.in.
(Closes: #781610)
* debian/patches/02_use-system-chardet-and-urllib3.patch
- Refresh.
* debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
- Refresh.
* debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
- Remove since fixed upstream.
* debian/python{,3}-requests.links
- Remove links thanks to the import machinery in
04_make-requests.packages.urllib3-same-as-urllib3.patch
-- Daniele Tricoli <eriol@mornie.org> Mon, 04 May 2015 21:43:40 +0200
requests (2.4.3-6) unstable; urgency=medium
* debian/patches/05_do-not-ascribe-cookies-to-the-target-domain.patch
- Fix session fixation and cookie stealing: CVE-2015-2296.
(Closes: #780506)
-- Daniele Tricoli <eriol@mornie.org> Mon, 16 Mar 2015 01:31:10 +0100
requests (2.4.3-5) unstable; urgency=medium
* Team upload.
* d/control: Remove the Build-Depends on python{,3}-pytest since we
aren't actually running the tests at build time. (Closes: #770173)
* d/rules: Update the comment about why the tests are currently disabled
at build time to point to the updated upstream url.
-- Barry Warsaw <barry@debian.org> Wed, 19 Nov 2014 18:00:46 -0500
requests (2.4.3-4) unstable; urgency=medium
* debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
- Fix requests.packages.urllib3 sub on Python 3. Thanks to Tianon
Gravi for the report. (Closes: #769496)
-- Daniele Tricoli <eriol@mornie.org> Fri, 14 Nov 2014 04:50:22 +0100
requests (2.4.3-3) unstable; urgency=medium
* debian/patches/04_make-requests.packages.urllib3-same-as-urllib3.patch
- Make Python import system know that requests.packages.urllib3 and
urllib3 are the same thing. Thanks to Jakub Wilk for the patch.
(Closes: #769047)
-- Daniele Tricoli <eriol@mornie.org> Tue, 11 Nov 2014 03:28:18 +0100
requests (2.4.3-2) unstable; urgency=medium
* debian/patches/03_export-IncompleteRead.patch
- Export IncompleteRead from requests.compat since it's imported by
python-pip. (Closes: #766419)
-- Daniele Tricoli <eriol@mornie.org> Thu, 23 Oct 2014 02:54:46 +0200
requests (2.4.3-1) unstable; urgency=medium
* New upstream release.
* debian/control
- Fix duplicate-short-description.
- Bump Standards-Version to 3.9.6 (no changes needed).
- Add python-ndg-httpsclient, python-openssl and python-pyasn1 into
python-urllib3's Recomends to ensure that SNI works as expected and to
prevent CRIME attack. (Closes: #755805)
- Add python3-ndg-httpsclient, python3-openssl and python3-pyasn1 into
python3-urllib3's Suggests since Python 3 already support SNI and
and SSL compression can be disabled using OP_NO_COMPRESSION.
- Bump python{,3}-urllib3 to (>=1.9.1).
* debian/patches/01_use-system-ca-certificates.patch
- Refresh.
* debian/patches/02_use-system-chardet-and-urllib3.patch
- Refresh.
- Provide requests.packages package because it will be used to supply
a stub for requests.packages.urllib3.
* debian/python{,3}-requests.links:
- Provide requests.packages.urllib3 as symlink of python{,3}-urllib3
system package since it is used as import location. (Closes: #753578)
-- Daniele Tricoli <eriol@mornie.org> Tue, 21 Oct 2014 01:35:59 +0200
requests (2.3.0-1) unstable; urgency=medium
* Team upload.
- Fix CVE-2014-1829 and CVE-2014-1830 (Closes: #733108)
* New upstream release.
* d/control: Added python{,3}-pytest to Build-Depends.
* d/patches/*: Refreshed.
-- Barry Warsaw <barry@debian.org> Wed, 04 Jun 2014 10:40:46 -0400
requests (2.2.1-3) unstable; urgency=medium
* Team upload.
* d/control:
- Fix python-requests-whl Depends.
- Fix typo in python-requests-whl description.
-- Barry Warsaw <barry@debian.org> Thu, 22 May 2014 18:33:19 -0400
requests (2.2.1-2) unstable; urgency=medium
* Team upload.
* debian/control
- Add python-requests-whl binary package.
- Build-Depends on python3-wheel, python-setuptools,
and python3-setuptools.
- wrap-and-sort.
* debian/rules:
- Simplify by using PYBUILD_NAME.
- Build the universal wheels.
-- Barry Warsaw <barry@debian.org> Thu, 15 May 2014 17:09:30 -0400
requests (2.2.1-1) unstable; urgency=medium
* New upstream release
* debian/control
- Bumped Standards-Version to 3.9.5 (no changes needed)
* debian/copyright
- Updated copyright years
* debian/patches/02_use-system-chardet-and-urllib3.patches
- Refreshed
-- Daniele Tricoli <eriol@mornie.org> Mon, 27 Jan 2014 04:58:17 +0100
requests (2.0.0-1) unstable; urgency=low
* New upstream release (Closes: #725784)
* Switched to pybuild
* debian/clean
- Switched to debian/clean for cleaning instead of using debian/rules
* debian/control
- Bumped python(3)-urllib3 to (>=1.7.1)
* debian/copyright
- Updated copyright year
* debian/patches/02_use-system-chardet-and-urllib3.patches
- Refreshed
* debian/watch
- Switched download URL to https
-- Daniele Tricoli <eriol@mornie.org> Fri, 18 Oct 2013 19:20:21 +0200
requests (1.2.3-1) unstable; urgency=low
* New upstream release (Closes: #712915) (LP: #1187429)
- Thanks to Scott Moser for the report
* debian/compat
- Bumped debhelper compatibility level to 9
* debian/control
- Bumped debhelper B-D to (>= 9)
- Temporarily bumped X-Python-Version to >= 2.7 to prevent FTBFS
due to lack of python-urllib3 for Python 2.6
* debian/patches/02_use-system-chardet-and-urllib3.patches
- Refreshed
-- Daniele Tricoli <eriol@mornie.org> Fri, 21 Jun 2013 08:52:39 +0200
requests (1.2.0-2) unstable; urgency=low
* Uploading to unstable.
* rm -rf requests.egg-info on clean so the package can be built twice.
-- Thomas Goirand <zigo@debian.org> Sat, 11 May 2013 05:15:04 +0000
requests (1.2.0-1) experimental; urgency=low
* New upstream version.
* Refreshed both debian-specific patches.
-- Thomas Goirand <zigo@debian.org> Thu, 25 Apr 2013 22:56:42 +0000
requests (1.1.0-1) experimental; urgency=low
* New upstream release (Closes: #692602)
- Thanks to Barry Warsaw for report
* debian/control
- Added python-chardet, python3-chardet to Build-Depends and moved
them from Recommends to Depends since chardet is now required
- Added python(3)-urllib3 (>= 1.5) to Build-Depends and Depends
since the embedded copy is no more a fork
- Removed python(3)-six since python(3)-urllib3 is not embedded
anymore
- Removed python-gevent and python-oauthlib from Recommends
since upstream is not using them anymore
- Bumped Standards-Version to 3.9.4 (no changes needed)
- Fixed lintian vcs-field-not-canonical
* debian/copyright
- Updated to reflect upstream switch to Apache 2.0 and updated
copyright years
* debian/patches/01_do-not-use-python-certifi.patch
- Removed because no longer necessary
* debian/patches/02_do-not-use-embedded-python-six.patch
- Removed because no longer necessary
* debian/patches/01_use-system-ca-certificates.patch
- Use the bundle provided by ca-certificates instead of
the embedded one
* debian/patches/02_use-system-chardet-and-urllib3.patches
- Use the system python-chardet and python-urllib3 instead of the
embedded copies
-- Daniele Tricoli <eriol@mornie.org> Sun, 20 Jan 2013 23:03:45 +0100
requests (0.12.1-1) unstable; urgency=low
* New upstream release
* debian/control
- Added python-oauthlib to python-requests' Recommends field
* debian/patches/01_do-not-use-python-certifi.patch
- Refreshed
-- Daniele Tricoli <eriol@mornie.org> Fri, 04 May 2012 14:34:47 +0200
requests (0.11.2-1) unstable; urgency=low
* New upstream release
* debian/patches/01_do-not-use-python-certifi.patch
- Refreshed
-- Daniele Tricoli <eriol@mornie.org> Mon, 23 Apr 2012 16:06:33 +0200
requests (0.11.1-1) unstable; urgency=low
* New upstream release
* debian/control
- Added python3-chardet to python3-requests' Recommends field
- Updated Description field
* debian/patches/02_do-not-use-embedded-python-six.patch
- Refreshed
-- Daniele Tricoli <eriol@mornie.org> Sun, 01 Apr 2012 12:33:42 +0200
requests (0.10.8-1) unstable; urgency=low
[ Piotr Ożarowski ]
* Fix typo in python3-requests' ${python3:Depends}
[ Daniele Tricoli ]
* New upstream release (Closes: #663561)
* Removed embedded copy of python-six
- Added debian/patches/02_do-not-use-embedded-python-six.patch
- Added override_dh_auto_configure to debian/rules to remove
the embedded copy
- Added python(3)-six to Builds-Depends and Depends
* debian/control
- Bumped Standards-Version to 3.9.3 (no changes needed)
* debian/copyright
- Added forgotten stanzas about packages inside the fork
of python-urllib3
* debian/patches/01_do-not-use-python-certifi.patch
- Refreshed
* debian/patches/02_fix-python3-except-sintax-error.patch
- Removed as it is applied upstream
-- Daniele Tricoli <eriol@mornie.org> Mon, 19 Mar 2012 01:20:59 +0100
requests (0.10.1-1) unstable; urgency=low
* New upstream release
- Adds Python 3 support
* Builded python 3 package
* debian/control
- Added python-chardet to Recommends
- Bumped X-Python-Version >= 2.6
- Added ca-certificates to Depends
- Added python3-all to Build-Depends
* debian/copyright
- Updated Format URI
- Updated copyright years
* debian/patches/01_do-not-use-python-certifi.patch
- To verify SSL certificates for HTTPS requests, use the bundle provided by
ca-certificates instead of python-certifi
* debian/patches/02_fix-python3-except-sintax-error.patches
- Fix SyntaxError on Python3 because "except Error, e" is not supported
anymore
* debian/rules
- Added override_dh_auto_clean to make the package build twice in a row
-- Daniele Tricoli <eriol@mornie.org> Sun, 05 Feb 2012 04:51:38 +0100
requests (0.8.2-1) unstable; urgency=low
* New upstream release
* debian/watch
- Removed "debian uupdate" options
* debian/{copyright,README.source}
- Updated to reflect upstream changes: switched from poster to
urllib3
- Added a stanza about the embedded modified copy of the
standard module Cookie
-- Daniele Tricoli <eriol@mornie.org> Fri, 25 Nov 2011 00:02:28 +0100
requests (0.6.4-1) unstable; urgency=low
* New upstream release
* debian/control
- Dropped python-eventlet from Depends field because it's not used
anymore
- Moved python-gevent from Depends field to Recommends field so
python-requests can be installed also in ia64 and sparc
-- Daniele Tricoli <eriol@mornie.org> Wed, 19 Oct 2011 20:49:39 +0200
requests (0.6.1-1) unstable; urgency=low
* New upstream release
-- Daniele Tricoli <eriol@mornie.org> Tue, 23 Aug 2011 02:00:41 +0200
requests (0.5.0-1) unstable; urgency=low
* New upstream release
* debian/control
- Updated description to mention proxy support
-- Daniele Tricoli <eriol@mornie.org> Sun, 26 Jun 2011 07:12:03 +0200
requests (0.4.1-1) unstable; urgency=low
* Initial release (Closes: #629370)
-- Daniele Tricoli <eriol@mornie.org> Mon, 06 Jun 2011 02:11:15 +0200