Security update for python-requests

Announcement ID:	SUSE-SU-2025:20255-1
Release Date:	2025-03-28T13:56:40Z
Rating:	moderate
References:	bsc#1226321 bsc#1231500
Affected Products:	SUSE Linux Micro 6.1

An update that has two fixes can now be installed.

Description:

This update for python-requests fixes the following issues:

• Add patch to inject the default CA bundles if they are not specified. (bsc#1226321, bsc#1231500)

• Remove Requires on python-py.

• update to 2.32.3:

• Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter.

• Fixed issue where Requests started failing to run on Python versions compiled without the ssl module.

• To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we've renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is

• Fixed an issue where setting verify=False on the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification,
• verify=True now reuses a global SSLContext which should improve request time
• Requests now supports optional use of character detection (chardet or charset_normalizer) when repackaged or vendored. This enables pip and other projects to minimize their

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Micro 6.1
  zypper in -t patch SUSE-SLE-Micro-6.1-1=1

Package List:

• SUSE Linux Micro 6.1 (noarch)
  • python311-requests-2.32.3-slfo.1.1_2.1

References:

• https://bugzilla.suse.com/show_bug.cgi?id=1226321
• https://bugzilla.suse.com/show_bug.cgi?id=1231500