Bugzilla – Bug 1224788
VUL-0: CVE-2024-35195: python-requests: session object does not verify requests after making first request with verify=False
Last modified: 2024-07-08 16:30:20 UTC
Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35195
https://www.cve.org/CVERecord?id=CVE-2024-35195
https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
https://github.com/psf/requests/pull/6655
https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
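The mechanism behind the advisory is a pool-key problem: the pooled connection carries the TLS verification setting it was opened with, and if the pool is looked up by host alone, the first request's `verify=False` is inherited by every later request to that host. The following added example (written for this page, not code from the requests project) models that with two toy pools, one keyed by host only and one keyed by host plus verify setting, and replays a constructed request sequence through each to count how many requests asked for verification but did not get it. `HostKeyedPool`, `TlsKeyedPool`, `PooledConnection` and `SEQUENCE` are stand-ins invented here; real requests delegates pooling to urllib3.

```python
# Added illustration of the CVE-2024-35195 mechanism. Simplified model, not
# code from the requests library: a dict stands in for the urllib3 pool.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PooledConnection:
    """A TLS connection whose verification setting is fixed when it is opened."""
    host: str
    verify: bool


class HostKeyedPool:
    """Models the pre-2.32.0 behaviour: connections are looked up by host only,
    so the verify setting of the first request wins for the pool's lifetime."""

    def __init__(self) -> None:
        self._conns: Dict[str, PooledConnection] = {}

    def get(self, host: str, verify: bool) -> PooledConnection:
        if host not in self._conns:
            self._conns[host] = PooledConnection(host, verify)
        return self._conns[host]


class TlsKeyedPool:
    """Models the 2.32.0 fix: the TLS setting is part of the pool key, so a
    verify=False connection is never handed to a verify=True request."""

    def __init__(self) -> None:
        self._conns: Dict[Tuple[str, bool], PooledConnection] = {}

    def get(self, host: str, verify: bool) -> PooledConnection:
        key = (host, verify)
        if key not in self._conns:
            self._conns[key] = PooledConnection(host, verify)
        return self._conns[key]


def verification_actually_used(pool, reqs: List[Tuple[str, bool]]) -> List[bool]:
    """Replay (host, verify) requests through a pool and report the verify
    setting of the connection each request really went over."""
    return [pool.get(host, verify).verify for host, verify in reqs]


# Constructed request sequence (hypothetical host): the first call opts out of
# verification, the later ones ask for it back, as the advisory describes.
SEQUENCE = [
    ("api.example.test", False),
    ("api.example.test", True),
    ("api.example.test", True),
]


def audit_pool(pool) -> List[Tuple[bool, bool]]:
    """Pair each request's requested verify value with the one it actually got;
    a (True, False) pair is a request that was silently left unverified."""
    used = verification_actually_used(pool, SEQUENCE)
    return list(zip([wanted for _, wanted in SEQUENCE], used))


def unverified_requests(pool) -> int:
    """Count requests that asked for verification but did not get it."""
    return sum(1 for wanted, got in audit_pool(pool) if wanted and not got)


if __name__ == "__main__":
    print("host-keyed pool:", audit_pool(HostKeyedPool()))  # two silent failures
    print("tls-keyed pool :", audit_pool(TlsKeyedPool()))   # none
```

For a deployment that cannot yet take the fixed package, the practical consequence of the model is the mitigation: never mix `verify=False` and `verify=True` in one `Session` object, since each `Session` has its own adapters and therefore its own pool, and a `Session` that once disabled verification should be closed rather than reused.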
I already fixed it in Factory, so while on it...
MR for SUSE:SLE-12:Update sent, reassigning to security team.
SUSE-SU-2024:1880-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:33993](https://smelt.suse.de/incident/33993/)
Sources used:
openSUSE Leap 15.3 (src): python-requests-2.25.1-150300.3.9.1, python-requests-test-2.25.1-150300.3.9.1
openSUSE Leap Micro 5.3 (src): python-requests-2.25.1-150300.3.9.1
openSUSE Leap Micro 5.4 (src): python-requests-2.25.1-150300.3.9.1
openSUSE Leap 15.5 (src): python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.3 (src): python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.4 (src): python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.5 (src): python-requests-2.25.1-150300.3.9.1
Basesystem Module 15-SP5 (src): python-requests-2.25.1-150300.3.9.1
Basesystem Module 15-SP6 (src): python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.1 (src): python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro 5.2 (src): python-requests-2.25.1-150300.3.9.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): python-requests-2.25.1-150300.3.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This fix breaks python3-docker. The file docker/transport/unixconn.py is extending BaseHTTPAdapter, which is extending HTTPAdapter. Inside UnixHTTPAdapter (from file unixconn.py) the method get_connection is overwritten to handle docker-specific http schemes like "http+docker"; now this does not work anymore. Just try:

```python
import docker

# Connects to the local Docker daemon over the http+docker transport
client = docker.api.client.APIClient(version="auto")
print(client.api_version)
```

and this breaks ansible docker container deployments at the end...
Is there any plan to revoke the fix and replace it with a better implemented version that doesn't have such far-reaching consequences? Everyone who is using the python3-docker package is affected, and I guess more undetected effects exist. I mean, extending a class and overwriting a public function (get_connection is not prefixed with _) is not exceptional behavior.
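The breakage reported in the two comments above comes from how the fix was wired in: requests 2.32.0 introduced a new adapter hook, `get_connection_with_tls_context`, that carries the `verify` and `cert` settings down to the pool lookup, and `HTTPAdapter.send` now calls that hook instead of `get_connection`. A subclass that only overrides `get_connection` is therefore silently bypassed. The added example below (written for this page; it is neither requests' nor python-docker's code) models the dispatch with stand-in classes: `HTTPAdapterModel`, `BrokenUnixAdapter`, `PatchedUnixAdapter` and `Connection` are invented here, and the shape of the patched adapter, which delegates the new hook to the existing `get_connection`, is an assumption about the two-line fix referenced later in this thread rather than a copy of it.

```python
# Added illustration of why an adapter subclass overriding only get_connection()
# stopped being used after requests 2.32.0. Simplified model, not the code of
# requests or python-docker; only the hook name get_connection_with_tls_context
# is taken from requests 2.32.0, everything else here is a stand-in.


class Connection:
    """Stand-in for a pooled connection; records which scheme served it."""

    def __init__(self, scheme: str, url: str, verify):
        self.scheme = scheme
        self.url = url
        self.verify = verify


class HTTPAdapterModel:
    """Stand-in for requests.adapters.HTTPAdapter as of 2.32.0."""

    def get_connection(self, url: str, proxies=None) -> Connection:
        # Pre-2.32.0 hook: still present, but send() no longer calls it.
        return Connection("https", url, verify=None)

    def get_connection_with_tls_context(self, url: str, verify, proxies=None, cert=None) -> Connection:
        # New hook: the TLS settings now reach the pool lookup.
        return Connection("https", url, verify=verify)

    def send(self, url: str, verify=True) -> Connection:
        # 2.32.0 routes every request through the TLS-aware hook.
        return self.get_connection_with_tls_context(url, verify)


class BrokenUnixAdapter(HTTPAdapterModel):
    """Models an adapter that overrides only the old hook to serve a custom
    scheme such as http+docker; under 2.32.0 this override is never reached."""

    def get_connection(self, url: str, proxies=None) -> Connection:
        return Connection("http+unix", url, verify=False)


class PatchedUnixAdapter(BrokenUnixAdapter):
    """Models the fix: also override the new hook and delegate to the old one
    (assumed shape of the two-line python-docker patch, not its actual code)."""

    def get_connection_with_tls_context(self, url: str, verify, proxies=None, cert=None) -> Connection:
        return self.get_connection(url, proxies)


def scheme_used(adapter: HTTPAdapterModel, url: str) -> str:
    """Which transport actually served a request sent through the adapter."""
    return adapter.send(url).scheme


if __name__ == "__main__":
    url = "http+docker://localhost"  # constructed example URL
    print("only get_connection overridden      :", scheme_used(BrokenUnixAdapter(), url))
    print("get_connection_with_tls_context too :", scheme_used(PatchedUnixAdapter(), url))
```

The same check is a cheap way to audit any in-house `HTTPAdapter` subclass before rolling out the fixed requests package: if it overrides `get_connection` but not `get_connection_with_tls_context`, its custom connection handling will no longer be used.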
Hi, are you using python-docker for that? If yes, the fix can be found here: https://github.com/docker/docker-py/pull/3257 and it can be upgraded/patched.
(In reply to Markéta Machová from comment #13)
> Hi, are you using python-docker for that? If yes, the fix can be found here:
> https://github.com/docker/docker-py/pull/3257 and it can be upgraded/patched.

Sorry, my brain omitted the "python3-" prefix while reading your comment. The package can be easily patched with a two-liner https://github.com/docker/docker-py/pull/3257/commits/e33e0a437ecd895158c8cb4322a0cdad79312636 (the whole PR won't work, since my patch was the original one from 2.32.0). Will you do it, or should I?
I guess I don't have permission to add the patch to the build process of the python3-docker rpm package. So I think it would be better if you do it. I will wait until the fix arrives in the SLE update repo as a final rpm package. I hope it will just take a couple of days. Until then I will pause the automatic update procedure of our servers. But thanks for taking care of it!
SUSE-SU-2024:1937-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34171](https://smelt.suse.de/incident/34171/)
Sources used:
Public Cloud Module 15-SP5 (src): python-docker-7.0.0-150400.8.7.1
openSUSE Leap 15.4 (src): python-docker-7.0.0-150400.8.7.1
Public Cloud Module 15-SP4 (src): python-docker-7.0.0-150400.8.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1946-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34009](https://smelt.suse.de/incident/34009/)
Sources used:
SUSE Manager Client Tools for SLE 12 (src): python-requests-2.11.1-6.37.1
Advanced Systems Management Module 12 (src): python-requests-2.11.1-6.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I installed both updates and now everything works as expected. Thanks a lot!
SUSE-SU-2024:1938-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34184](https://smelt.suse.de/incident/34184/)
Sources used:
openSUSE Leap 15.5 (src): python-docker-4.2.0-150200.3.5.1
openSUSE Leap 15.6 (src): python-docker-4.2.0-150200.3.5.1
SUSE Package Hub 15 15-SP5 (src): python-docker-4.2.0-150200.3.5.1
SUSE Package Hub 15 15-SP6 (src): python-docker-4.2.0-150200.3.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2068-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:33995](https://smelt.suse.de/incident/33995/)
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): python-requests-2.24.0-8.17.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): python-requests-2.24.0-8.17.1
Public Cloud Module 12 (src): python-requests-2.24.0-8.17.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): python-requests-2.24.0-8.17.1
SUSE Linux Enterprise Server 12 SP5 (src): python-requests-2.24.0-8.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2182-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34172](https://smelt.suse.de/incident/34172/)
Sources used:
SUSE Manager Client Tools for SLE 15 (src): python-docker-2.6.1-150000.4.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1937-2: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1224788
CVE References: CVE-2024-35195
Maintenance Incident: [SUSE:Maintenance:34171](https://smelt.suse.de/incident/34171/)
Sources used:
openSUSE Leap 15.5 (src): python-docker-7.0.0-150400.8.7.1
openSUSE Leap 15.6 (src): python-docker-7.0.0-150400.8.7.1
Public Cloud Module 15-SP6 (src): python-docker-7.0.0-150400.8.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.