Bug 906970 (CVE-2023-32681, GHSA-j8r2-6x86-q33q) - <dev-python/requests-2.31.0: Unintended leak of Proxy-Authorization header
Summary: <dev-python/requests-2.31.0: Unintended leak of Proxy-Authorization header
Status: RESOLVED FIXED
Alias: CVE-2023-32681, GHSA-j8r2-6x86-q33q
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+]
Keywords:
Depends on: 906969
Blocks:
Reported: 2023-05-23 04:58 UTC by Michał Górny
Modified: 2023-09-17 06:34 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 04:58:59 UTC
+2.31.0 (2023-05-22)
+-------------------
+
+**Security**
+- Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential
+  forwarding of `Proxy-Authorization` headers to destination servers when
+  following HTTPS redirects.
+
+  When proxies are defined with user info (https://user:pass@proxy:8080), Requests
+  will construct a `Proxy-Authorization` header that is attached to the request to
+  authenticate with the proxy.
+
+  In cases where Requests receives a redirect response, it previously reattached
+  the `Proxy-Authorization` header incorrectly, resulting in the value being
+  sent through the tunneled connection to the destination server. Users who rely on
+  defining their proxy credentials in the URL are *strongly* encouraged to upgrade
+  to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy
+  credentials once the change has been fully deployed.
+
+  Users who do not use a proxy or do not supply their proxy credentials through
+  the user information portion of their proxy URL are not subject to this
+  vulnerability.
+
+  Full details can be read in our [Github Security Advisory](https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
+  and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681).
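The mechanism the changelog above describes, shown as an added example that is not requests' own code and not part of this bug report: a stdlib-only model of what happens to the Proxy-Authorization header when a redirect is followed through a proxy whose URL carries userinfo. The names rebuild_proxies and get_auth_from_url mirror requests' internals, but their bodies are a simplified reconstruction; SAMPLE_PROXIES, headers_seen_by_origin, leaked_at_origin and is_affected are constructed for this illustration. The hardened=True branch is modelled on the 2.31.0 change, which stops re-attaching the header when the redirected request's scheme is https and leaves proxy authentication to the CONNECT request that urllib3 sends; hardened=False reproduces the 2.3.0 to 2.30.0 behaviour.

```python
import base64
from urllib.parse import urlparse, unquote

# Constructed sample configuration: credentials supplied in the proxy URL's
# userinfo, exactly the pattern the advisory says is affected.
SAMPLE_PROXIES = {
    "http": "http://alice:s3cret@proxy.example:8080",
    "https": "http://alice:s3cret@proxy.example:8080",
}


def basic_auth_str(username, password):
    """RFC 7617 Basic credentials, as a client builds them for the proxy."""
    token = base64.b64encode(f"{username}:{password}".encode("latin1")).decode("ascii")
    return f"Basic {token}"


def get_auth_from_url(url):
    """Return (user, password) from a URL's userinfo part, or (None, None)."""
    parsed = urlparse(url)
    if not parsed.username:
        return None, None
    return unquote(parsed.username), unquote(parsed.password or "")


def rebuild_proxies(headers, request_url, proxies, hardened):
    """Headers that accompany the *redirected* request.

    Simplified model of the redirect-time rebuild: the stale header from the
    previous hop is always dropped, then credentials from the proxy URL are
    re-attached. `hardened` selects the fixed behaviour (assumption: the fix
    skips the https scheme), False the vulnerable behaviour.
    """
    headers = dict(headers)
    scheme = urlparse(request_url).scheme
    headers.pop("Proxy-Authorization", None)  # drop whatever the previous hop had
    proxy_url = proxies.get(scheme)
    username, password = get_auth_from_url(proxy_url) if proxy_url else (None, None)
    if username and password:
        if hardened and scheme.startswith("https"):
            # Over HTTPS the proxy only ever sees the CONNECT request, and the
            # transport authenticates there. Anything placed in these headers is
            # sent inside the TLS tunnel to the origin, so keep the credentials out.
            pass
        else:
            headers["Proxy-Authorization"] = basic_auth_str(username, password)
    return headers


def headers_seen_by_origin(headers, request_url):
    """Which request headers reach the destination server.

    A plain-HTTP request is sent to the proxy in the clear and a conforming
    proxy consumes the hop-by-hop Proxy-Authorization header. An HTTPS request
    is tunneled with CONNECT, so every header travels end-to-end to the origin.
    """
    if urlparse(request_url).scheme == "https":
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}


def leaked_at_origin(redirect_url, proxies=SAMPLE_PROXIES, hardened=False):
    """Does Proxy-Authorization reach the origin after a redirect to redirect_url?"""
    headers = rebuild_proxies({"Accept": "*/*"}, redirect_url, proxies, hardened)
    return "Proxy-Authorization" in headers_seen_by_origin(headers, redirect_url)


def is_affected(version):
    """True for the requests versions the advisory names (2.3.0 through 2.30.0)."""
    parts = tuple(int(p) for p in version.split("."))
    return (2, 3, 0) <= parts <= (2, 30, 0)


if __name__ == "__main__":
    for hardened, label in ((False, "2.3.0-2.30.0"), (True, "2.31.0+")):
        for url in ("http://api.example/data", "https://api.example/data"):
            print(f"{label:13} redirect to {url}: leaks={leaked_at_origin(url, hardened=hardened)}")
```

Only the https redirect leaks, and only in the vulnerable branch: for an http redirect the header goes to the proxy, which is where it belongs. The same model shows why credential rotation is part of the advice: any origin that received a redirected HTTPS request from an affected client already holds a valid Basic token for the proxy.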
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-05-23 13:37:43 UTC
Cleanup done.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-31 04:49:48 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2023-09-17 06:33:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=350089607fb03a112b8ef41490ac5428b2edf828

commit 350089607fb03a112b8ef41490ac5428b2edf828
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-17 06:32:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-17 06:33:22 +0000

    [ GLSA 202309-08 ] Requests: Information Leak
    
    Bug: https://bugs.gentoo.org/906970
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202309-08.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)