Debian Package Tracker

requests


general
  • source: requests (main)
  • version: 2.32.3+dfsg-5
  • maintainer: Debian Python Team (DMD)
  • uploaders: Daniele Tricoli [DMD]
  • arch: all
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.21.0-1
  • o-o-sec: 2.21.0-1+deb10u1
  • oldstable: 2.25.1+dfsg-2
  • stable: 2.28.1+dfsg-1
  • testing: 2.32.3+dfsg-5
  • unstable: 2.32.3+dfsg-5
versioned links
  • 2.21.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.21.0-1+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.25.1+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.28.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.32.3+dfsg-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • python-requests-doc
  • python3-requests (2 bugs: 0, 2, 0, 0)
action needed
2 low-priority security issues in bookworm (severity: low)

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2023-32681: (needs triaging) Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However, when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
  • CVE-2024-35195: (needs triaging) Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-05-24 Last update: 2025-04-17 00:00
debian/patches: 2 patches to forward upstream (severity: low)

Among the 3 debian patches available in version 2.32.3+dfsg-5 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-03-24 12:31
Standards version of the package is outdated. (severity: wishlist)
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).
Created: 2025-02-21 Last update: 2025-03-24 11:00
news
[rss feed]
  • [2025-04-17] requests 2.32.3+dfsg-5 MIGRATED to testing (Debian testing watch)
  • [2025-03-24] Accepted requests 2.32.3+dfsg-5 (source) into unstable (Bastian Germann) (signed by: bage@debian.org)
  • [2025-02-23] requests 2.32.3+dfsg-4 MIGRATED to testing (Debian testing watch)
  • [2025-02-17] Accepted requests 2.32.3+dfsg-4 (source) into unstable (Colin Watson)
  • [2025-02-17] Accepted requests 2.32.3+dfsg-3 (source) into experimental (Colin Watson)
  • [2024-11-24] Accepted requests 2.32.3+dfsg-2 (source) into experimental (Alexandre Detiste)
  • [2024-08-31] requests 2.32.3+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-06-13] Accepted requests 2.32.3+dfsg-1 (source) into unstable (Colin Watson)
  • [2024-05-19] requests 2.31.0+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2024-05-16] Accepted requests 2.31.0+dfsg-2 (source) into unstable (Timo Röhling)
  • [2023-07-22] requests 2.31.0+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-17] Accepted requests 2.31.0+dfsg-1 (source) into unstable (Daniele Tricoli)
  • [2023-06-18] Accepted requests 2.21.0-1+deb10u1 (source) into oldoldstable (Markus Koschany)
  • [2022-11-26] requests 2.28.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2022-11-24] Accepted requests 2.28.1+dfsg-1 (source) into unstable (Daniele Tricoli)
  • [2022-03-31] requests 2.27.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-20] Accepted requests 2.27.1+dfsg-1 (source) into unstable (Daniele Tricoli)
  • [2021-01-06] requests 2.25.1+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2020-12-31] Accepted requests 2.25.1+dfsg-2 (source) into unstable (Daniele Tricoli)
  • [2020-12-31] Accepted requests 2.25.1+dfsg-1 (source) into unstable (Daniele Tricoli)
  • [2020-12-30] Accepted requests 2.25.0+dfsg-2 (source) into unstable (Daniele Tricoli)
  • [2020-12-08] Accepted requests 2.25.0+dfsg-1 (source) into unstable (Daniele Tricoli)
  • [2020-10-27] requests 2.24.0+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2020-10-23] Accepted requests 2.24.0+dfsg-1 (source) into unstable (Drew Parsons)
  • [2020-04-08] requests 2.23.0+dfsg-2 MIGRATED to testing (Debian testing watch)
  • [2020-04-01] Accepted requests 2.23.0+dfsg-2 (source) into unstable (Sandro Tosi)
  • [2020-04-01] Accepted requests 2.23.0+dfsg-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Daniele Tricoli)
  • [2019-12-10] requests 2.22.0-2 MIGRATED to testing (Debian testing watch)
  • [2019-12-05] Accepted requests 2.22.0-2 (source) into unstable (Daniele Tricoli)
bugs [bug history graph]
  • all: 8
  • RC: 0
  • I&N: 7
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 2.32.3+dfsg-4ubuntu1
  • 8 bugs
  • patches for 2.32.3+dfsg-4ubuntu1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers