Bug 1224788 (CVE-2024-35195)

Summary: VUL-0: CVE-2024-35195: python-requests: session object does not verify requests after making first request with verify=False
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: camila.matos, holger.hees, meissner, mmachova
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/406775/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-35195:6.0:(AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-21 10:36:30 UTC
Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35195
https://www.cve.org/CVERecord?id=CVE-2024-35195
https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
https://github.com/psf/requests/pull/6655
https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
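As an added illustration of the mechanism the description above refers to (this is not code from requests; the class and function names are invented for the model), here is a reduced connection pool keyed the pre-2.32.0 way and the post-2.32.0 way. Only the keying behaviour is modelled: a real pooled TLS connection has its verification state fixed at handshake time, which is why handing it to a later `verify=True` request silently skips verification.

```python
"""Model of CVE-2024-35195: a connection pool that forgets `verify`.

Added, simplified illustration; not requests' code. Names are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """A pooled HTTPS connection. `verify` is decided once, when the socket is
    opened and the TLS handshake either checks the certificate or does not."""
    host: str
    verify: bool


class Pool:
    """One connection per key; `key_fn` decides what goes into the key."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._conns = {}

    def get(self, host, verify):
        key = self._key_fn(host, verify)
        conn = self._conns.get(key)
        if conn is None:
            # Only a brand-new connection honours the caller's `verify`.
            conn = Connection(host, verify)
            self._conns[key] = conn
        return conn

    def clear(self):
        """Drop every pooled connection (what Session.close() does through its adapters)."""
        self._conns.clear()


def pre_fix_key(host, verify):
    # Before 2.32.0 the TLS settings were not part of the pool key, so the
    # connection opened for the first request serves every later request to
    # that host, whatever `verify` they pass.
    return host


def post_fix_key(host, verify):
    # 2.32.0 folds the TLS settings into the key, so a verify=True request can
    # never land on a connection that was opened with verify=False.
    return (host, verify)


def verified_flags(pool, calls, close_between=False):
    """Run a sequence of (host, verify) requests through one session-like pool
    and report whether each request actually rode a verified connection."""
    out = []
    for i, (host, verify) in enumerate(calls):
        if close_between and i:
            pool.clear()          # models session.close() between requests
        out.append(pool.get(host, verify).verify)
    return out


# Constructed sample: one unverified request, then two that ask for verification.
SEQUENCE = [("api.example", False), ("api.example", True), ("api.example", True)]

if __name__ == "__main__":
    print("pre-fix            :", verified_flags(Pool(pre_fix_key), SEQUENCE))
    print("post-fix           :", verified_flags(Pool(post_fix_key), SEQUENCE))
    print("pre-fix, closed    :", verified_flags(Pool(pre_fix_key), SEQUENCE, close_between=True))
```

On an unpatched version, closing the `Session` (which drops the adapters' pools) between the unverified and the verified request is what gets you a fresh, verified connection, modelled by `close_between=True`; keeping any `verify=False` traffic in its own `Session` avoids the problem entirely. One caveat when auditing: on SUSE the fix ships as a backport under the distribution version string (python-requests-2.25.1-150300.3.9.1 in the update below), so comparing `requests.__version__` against 2.32.0 flags patched hosts as vulnerable; compare the installed package release against the advisory instead.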
Comment 2 Markéta Machová 2024-05-21 12:44:29 UTC
I already fixed it in Factory, so while on it...
Comment 7 Markéta Machová 2024-05-23 08:03:45 UTC
MR for SUSE:SLE-12:Update sent, reassigning to security team.
Comment 9 Maintenance Automation 2024-05-31 08:30:07 UTC
SUSE-SU-2024:1880-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:33993](https://smelt.suse.de/incident/33993/)
Sources used:
openSUSE Leap 15.3 (src):
 python-requests-2.25.1-150300.3.9.1, python-requests-test-2.25.1-150300.3.9.1
openSUSE Leap Micro 5.3 (src):
 python-requests-2.25.1-150300.3.9.1
openSUSE Leap Micro 5.4 (src):
 python-requests-2.25.1-150300.3.9.1
openSUSE Leap 15.5 (src):
 python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.3 (src):
 python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.4 (src):
 python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.5 (src):
 python-requests-2.25.1-150300.3.9.1
Basesystem Module 15-SP5 (src):
 python-requests-2.25.1-150300.3.9.1
Basesystem Module 15-SP6 (src):
 python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.1 (src):
 python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.2 (src):
 python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python-requests-2.25.1-150300.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Holger Hees 2024-06-02 11:41:50 UTC
This fix breaks python3-docker.

The file docker/transport/unixconn.py is extending BaseHTTPAdapter, which is extending HTTPAdapter.

Inside UnixHTTPAdapter (file unixconn.py) the method get_connection is overridden to handle Docker-specific HTTP schemes like "http+docker".

Now this does not work anymore.

Just try:

```python
import docker

# Negotiating the API version forces a request over the unix socket adapter.
client = docker.api.client.APIClient(version="auto")

print(client.api_version)
```
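What the comment above describes, as an added model (not requests' or docker-py's code; the class and function names are invented): the fixed HTTPAdapter obtains its connection through a new TLS-aware hook, so a subclass that overrides only `get_connection()` is silently bypassed, and the docker-py fix is a forwarder on the new hook. The hook is named here as in current requests releases, `get_connection_with_tls_context`; 2.32.0 introduced it as `_get_connection` and 2.32.2 renamed it, which is why the full upstream PR did not apply to the 2.32.0-based SUSE backport (comment 14).

```python
"""Why a subclass that only overrides get_connection() stops working.

Added illustration; not requests' or docker-py's code. Names are invented.
"""


class AdapterModel:
    """Stand-in for requests.adapters.HTTPAdapter after the fix."""

    def get_connection(self, url, proxies=None):
        # Old hook: subclasses historically overrode this to choose the transport.
        return f"https-pool({url})"

    def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
        # New hook: the TLS settings are needed to build the pool key, so send()
        # now asks here for the connection and no longer calls get_connection().
        return f"https-pool({request['url']}, verify={verify})"

    def send(self, request, verify=True, proxies=None):
        return self.get_connection_with_tls_context(request, verify, proxies)


class UnixSocketAdapter(AdapterModel):
    """Like docker-py's UnixHTTPAdapter: routes http+docker:// over a unix
    socket by overriding the old hook only."""

    def get_connection(self, url, proxies=None):
        return "unix-socket(/var/run/docker.sock)"


class UnixSocketAdapterShimmed(UnixSocketAdapter):
    """The forwarding shim: make the new hook call the subclass's get_connection()."""

    def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
        return self.get_connection(request["url"], proxies)


def transport_used(adapter, url="http+docker://localhost/version"):
    """Which transport a request ends up on for the given adapter."""
    return adapter.send({"url": url})


if __name__ == "__main__":
    print(transport_used(UnixSocketAdapter()))         # override bypassed: TLS pool
    print(transport_used(UnixSocketAdapterShimmed()))  # unix socket again
```

The forwarder is only safe because the unix-socket transport speaks no TLS, so there is no verification state to key on. An adapter subclass that does speak TLS should override the new hook itself and carry `verify` and `cert` through, rather than funnel everything back into `get_connection()`; otherwise it reintroduces the keying defect this release fixes.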
Comment 11 Holger Hees 2024-06-02 11:52:28 UTC
and this breaks Ansible Docker container deployments in the end...
Comment 12 Holger Hees 2024-06-04 06:46:50 UTC
Is there any plan to revoke the fix and replace it with a better implemented version that doesn't have such far-reaching consequences?

Everyone who is using the python3-docker package is affected, and I guess more undetected effects exist.

I mean, extending a class and overriding a public function (get_connection is not prefixed with _) is not exceptional behavior.
Comment 13 Markéta Machová 2024-06-04 13:07:49 UTC
Hi, are you using python-docker for that? If yes, the fix can be found here: https://github.com/docker/docker-py/pull/3257 and it can be upgraded/patched.
Comment 14 Markéta Machová 2024-06-04 13:16:33 UTC
(In reply to Markéta Machová from comment #13)
> Hi, are you using python-docker for that? If yes, the fix can be found here:
> https://github.com/docker/docker-py/pull/3257 and it can be upgraded/patched.

Sorry, my brain omitted the "python3-" prefix while reading your comment. The package can be easily patched with a two-liner https://github.com/docker/docker-py/pull/3257/commits/e33e0a437ecd895158c8cb4322a0cdad79312636 (the whole PR won't work, since my patch was the original one from 2.32.0). Will you do it, or should I?
Comment 15 Holger Hees 2024-06-04 14:03:36 UTC
I guess I don't have permission to add the patch to the build process of the python3-docker rpm package. So I think it would be better if you do it.

I will wait until the fix arrives in the SLE update repo as a final rpm package. I hope it will just take a couple of days.

Until then I will pause the automatic update procedure of our servers.

But thanks for taking care of it!
Comment 19 Maintenance Automation 2024-06-07 12:30:01 UTC
SUSE-SU-2024:1937-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34171](https://smelt.suse.de/incident/34171/)
Sources used:
Public Cloud Module 15-SP5 (src):
 python-docker-7.0.0-150400.8.7.1
openSUSE Leap 15.4 (src):
 python-docker-7.0.0-150400.8.7.1
Public Cloud Module 15-SP4 (src):
 python-docker-7.0.0-150400.8.7.1

Comment 20 Maintenance Automation 2024-06-07 16:30:19 UTC
SUSE-SU-2024:1946-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34009](https://smelt.suse.de/incident/34009/)
Sources used:
SUSE Manager Client Tools for SLE 12 (src):
 python-requests-2.11.1-6.37.1
Advanced Systems Management Module 12 (src):
 python-requests-2.11.1-6.37.1

Comment 21 Holger Hees 2024-06-08 17:17:52 UTC
I installed both updates and now everything works as expected.

Thanks a lot!
Comment 22 Maintenance Automation 2024-06-10 20:30:34 UTC
SUSE-SU-2024:1938-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34184](https://smelt.suse.de/incident/34184/)
Sources used:
openSUSE Leap 15.5 (src):
 python-docker-4.2.0-150200.3.5.1
openSUSE Leap 15.6 (src):
 python-docker-4.2.0-150200.3.5.1
SUSE Package Hub 15 15-SP5 (src):
 python-docker-4.2.0-150200.3.5.1
SUSE Package Hub 15 15-SP6 (src):
 python-docker-4.2.0-150200.3.5.1

Comment 23 Maintenance Automation 2024-06-18 12:30:03 UTC
SUSE-SU-2024:2068-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:33995](https://smelt.suse.de/incident/33995/)
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 python-requests-2.24.0-8.17.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src):
 python-requests-2.24.0-8.17.1
Public Cloud Module 12 (src):
 python-requests-2.24.0-8.17.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 python-requests-2.24.0-8.17.1
SUSE Linux Enterprise Server 12 SP5 (src):
 python-requests-2.24.0-8.17.1

Comment 24 Maintenance Automation 2024-06-24 16:30:01 UTC
SUSE-SU-2024:2182-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34172](https://smelt.suse.de/incident/34172/)
Sources used:
SUSE Manager Client Tools for SLE 15 (src):
 python-docker-2.6.1-150000.4.3.1

Comment 25 Maintenance Automation 2024-07-08 16:30:20 UTC
SUSE-SU-2024:1937-2: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34171](https://smelt.suse.de/incident/34171/)
Sources used:
openSUSE Leap 15.5 (src):
 python-docker-7.0.0-150400.8.7.1
openSUSE Leap 15.6 (src):
 python-docker-7.0.0-150400.8.7.1
Public Cloud Module 15-SP6 (src):
 python-docker-7.0.0-150400.8.7.1
