
2.27.1.2 — CVE-2024-35195, CVE-2024-47081, CVE-2026-25645 security backports#3

Merged
martinPavesio merged 4 commits into 2.27.1.x from security/cve-2024-35195 on May 28, 2026

Conversation

@martinPavesio

Security backports for Python 2.7. Tag: 2.27.1.2. Ticket: CS-2178.

CVE-2024-35195 (GHSA-9wx4-h78v-vm56): TLS verify=False connection reuse
  requests/adapters.py: add _get_connection() that keys connection pools
  on TLS settings, preventing a verify=False connection from being reused
  for a subsequent request expecting TLS verification to the same host.
  send() updated to call _get_connection(request, verify, proxies).
  Python 2.7 compatible (no type hints).
  Upstream: psf/requests commit c0813a2 (2.32.0)

CVE-2024-47081 (GHSA-9hjg-9r4m-mvj7): netrc credential leak via netloc
  requests/utils.py: use ri.hostname instead of manually stripping port
  from ri.netloc in get_netrc_auth(). Prevents credential leakage to
  hosts that share a netloc prefix with the legitimate target.
  Upstream: psf/requests commit 96ba401 (2.32.4)

CVE-2026-25645 (GHSA-gc5v-m9x4-r6x2): predictable temp file in extract_zipped_paths
  requests/utils.py: use tempfile.mkstemp() instead of a fixed predictable
  path in the temp directory, preventing a local attacker from pre-creating
  a malicious file at that path.
  Upstream: psf/requests commit 66d21cb (2.33.0)

Built on top of 2.27.1.1 (CVE-2023-32681 already fixed).
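The pool-keying change for CVE-2024-35195 described above, as an added illustration that is not the PR's or requests' own code: a constructed, simplified pool manager keyed on the target only (pre-fix behaviour) beside one keyed on the TLS settings as well, run through the verify=False-then-verify=True sequence the description mentions. Names such as `PoolManager`, `FakeConnection` and the host are assumptions of this model.

```python
from collections import namedtuple

# Constructed model of a per-host connection pool; it stands in for, and
# is not, requests' HTTPAdapter/urllib3 PoolManager code.
PoolKey = namedtuple("PoolKey", ["scheme", "host", "port", "verify", "cert"])


class FakeConnection(object):
    """Stand-in for an HTTPS connection. TLS verification happens once,
    at handshake time, so a connection opened with verify=False can never
    be "upgraded" by a later request that expects verification."""

    def __init__(self, key):
        self.key = key
        self.verified = bool(key.verify)


class PoolManager(object):
    def __init__(self, key_on_tls_settings):
        self.key_on_tls_settings = key_on_tls_settings
        self.pools = {}

    def _pool_key(self, scheme, host, port, verify, cert):
        if self.key_on_tls_settings:
            # Fixed behaviour: differing verify/cert settings get different
            # pools, so an unverified connection is never handed to a
            # request that asked for verification. `cert` must be hashable
            # (a path string or a tuple), as it is in requests.
            return PoolKey(scheme, host, port, verify, cert)
        # Pre-fix behaviour: keyed on the target only, so whichever
        # connection was opened first is reused for every later request.
        return PoolKey(scheme, host, port, None, None)

    def get_connection(self, scheme, host, port, verify=True, cert=None):
        key = self._pool_key(scheme, host, port, verify, cert)
        conn = self.pools.get(key)
        if conn is None:
            conn = FakeConnection(PoolKey(scheme, host, port, verify, cert))
            self.pools[key] = conn
        return conn


def verified_request_gets_verified_conn(key_on_tls_settings):
    """Open a verify=False connection to a host, then request the same host
    with verify=True. Returns (second connection was verified, same object)."""
    mgr = PoolManager(key_on_tls_settings)
    first = mgr.get_connection("https", "api.example.test", 443, verify=False)
    second = mgr.get_connection("https", "api.example.test", 443, verify=True)
    return second.verified, second is first
```

With target-only keying the verified request silently receives the unverified connection; with TLS settings in the key it gets a fresh, verified one.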

@icanhasmath icanhasmath left a comment


Looks great!

@martinPavesio martinPavesio merged commit 9e12f66 into 2.27.1.x May 28, 2026
0 of 60 checks passed

2 participants