CVE-2024-35195 alert caused by pinning requests to version <2.32.3

[inuyasha82]

Requests has a known vulnerability, that is fixed in versions 2.32.3.

Anyway this project in our requirements is causing an alert, because it still resolve to an older version of requests, as can be seen here:

ibm-cos-sdk-python-core/setup.py

Line 9 in c35f5f1

'requests>=2.32.0,<2.32.3',

requires = [
    'jmespath>=0.10.0,<=1.0.1',
    'python-dateutil>=2.9.0,<3.0.0',
    'requests>=2.32.0,<2.32.3',
    'urllib3>=1.26.18,<3',
]

Is possible to fix this issue?

[avinash1IBM]

@inuyasha82 The cve's description says that the vulnerability you mentioned above was fixed in 2.32.0 and we are already bound by that

Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

[benSchaper]

I'm encountering an additional dependency conflict related to this version constraint. When trying to use this package alongside others that require requests>=2.32.3 like Docling the dependency resolver fails due to the upper bound <2.32.3 in ibm-cos-sdk-core.

Would it be possible to remove or update the upper bound constraint on requests to allow newer compatible versions? This would help resolve dependency conflicts while maintaining security requirements.

[avinash1IBM]

@benSchaper Our team is working on it and will update you.

[lpulley]

Is there a bug preventing compatibility with requests 2.32.3?

[avinash1IBM]

@lpulley yes there is this issue psf/requests#6730.

[adbuerger]

@avinash1IBM at this time, is it already foreseeable when the issue can/will be resolved? Thank you for your time and your reply.

[IBMalok]

@adbuerger - still the above issue is not resolve by the requests team. Waiting for them to fix it.

[illeatmyhat]

FYI ibm-watsonx-orchestrate==1.2.0 requires requests>=2.32.3 which makes these two packages mutually incompatible.
Maybe it's time to stop waiting for changes from upstream?

[bigpick]

FWIW, we're also now seeing problems with requests getting pinged for CVE-2024-47081 so unless that is removed older pinned version will continue to see that (even after a fix is eventually released, if so), as well

edit: looks like it'll be 2.32.4 https://github.com/psf/requests/releases/tag/v2.32.4

[Prashant-IBM]

Requests v2.32.4, includes important updates and fixes. We are working on addressing the requests dependency conflict and the CVE-2024-47081 issue. We will post the update here.

[ArvinB]

It would be great to get a progress update and ETA for resolution of this issue.

[Prashant-IBM]

We will convey the ETA in a day or two.

[adbuerger]

@Prashant-IBM Maybe it is relevant information for you that there has been activity on psf/requests#6731 which was recently closed in favor of psf/requests#6767 which has just been merged

[Prashant-IBM]

We are targeting Friday for the ETA.