Version in base suite: 2.32.3+dfsg-5 Base version: requests_2.32.3+dfsg-5 Target version: requests_2.32.3+dfsg-5+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/requests/requests_2.32.3+dfsg-5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/requests/requests_2.32.3+dfsg-5+deb13u1.dsc changelog | 6 +++ patches/CVE-2024-47081.patch | 75 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 82 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpuxmz2uy1/requests_2.32.3+dfsg-5.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpuxmz2uy1/requests_2.32.3+dfsg-5+deb13u1.dsc: no acceptable signature found
diff -Nru requests-2.32.3+dfsg/debian/changelog requests-2.32.3+dfsg/debian/changelog
--- requests-2.32.3+dfsg/debian/changelog 2025-03-24 06:38:07.000000000 +0000
+++ requests-2.32.3+dfsg/debian/changelog 2026-03-03 23:13:42.000000000 +0000
@@ -1,3 +1,9 @@
+requests (2.32.3+dfsg-5+deb13u1) trixie; urgency=medium
+
+ * CVE-2024-47081 (Closes: #1107368)
+
+ -- Moritz Mühlenhoff Wed, 04 Mar 2026 00:13:42 +0100
+
 requests (2.32.3+dfsg-5) unstable; urgency=medium
 
 * Team upload.
diff -Nru requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch
--- requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch 1970-01-01 00:00:00.000000000 +0000
+++ requests-2.32.3+dfsg/debian/patches/CVE-2024-47081.patch 2026-03-03 23:13:42.000000000 +0000
@@ -0,0 +1,75 @@
+From 96ba401c1296ab1dda74a2365ef36d88f7d144ef Mon Sep 17 00:00:00 2001
+From: Nate Prewitt
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+From 7bc45877a86192af77645e156eb3744f95b47dae Mon Sep 17 00:00:00 2001
+From: danigm
+Date: Thu, 5 Jun 2025 13:21:46 +0200
+Subject: [PATCH] Add new test to check netrc auth leak (#6962)
+
+
+--- requests-2.32.3+dfsg.orig/src/requests/utils.py
++++ requests-2.32.3+dfsg/src/requests/utils.py
+@@ -233,13 +233,7 @@ def get_netrc_auth(url, raise_errors=Fal
+ return
+ 
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b":"
+- if isinstance(url, str):
+- splitstr = splitstr.decode("ascii")
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+ 
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
+--- requests-2.32.3+dfsg.orig/tests/test_requests.py
++++ requests-2.32.3+dfsg/tests/test_requests.py
+@@ -7,6 +7,7 @@ import json
+ import os
+ import pickle
+ import re
++import tempfile
+ import threading
+ import warnings
+ from unittest import mock
+@@ -704,6 +705,36 @@ class TestRequests:
+ finally:
+ requests.sessions.get_netrc_auth = old_auth
+ 
++ def test_basicauth_with_netrc_leak(self, httpbin):
++ url1 = httpbin("basic-auth", "user", "pass")
++ url = url1[len("http://") :]
++ domain = url.split(":")[0]
++ url = f"http://example.com:@{url}"
++
++ netrc_file = ""
++ with tempfile.NamedTemporaryFile(mode="w", delete=False) as fp:
++ fp.write("machine example.com\n")
++ fp.write("login wronguser\n")
++ fp.write("password wrongpass\n")
++ fp.write(f"machine {domain}\n")
++ fp.write("login user\n")
++ fp.write("password pass\n")
++ fp.close()
++ netrc_file = fp.name
++
++ old_netrc = os.environ.get("NETRC", "")
++ os.environ["NETRC"] = netrc_file
++
++ try:
++ # Should use netrc
++ # Make sure that we don't use the example.com credentails
++ # for the request
++ r = requests.get(url)
++ assert r.status_code == 200
++ finally:
++ os.environ["NETRC"] = old_netrc
++ os.unlink(netrc_file)
++
+ def test_DIGEST_HTTP_200_OK_GET(self, httpbin):
+ for authtype in self.digest_auth_algo:
+ auth = HTTPDigestAuth("user", "pass")
diff -Nru requests-2.32.3+dfsg/debian/patches/series requests-2.32.3+dfsg/debian/patches/series
--- requests-2.32.3+dfsg/debian/patches/series 2025-03-24 06:36:50.000000000 +0000
+++ requests-2.32.3+dfsg/debian/patches/series 2026-03-03 23:13:42.000000000 +0000
@@ -1,3 +1,4 @@
 0001-Remove-remote-images-traking-code-and-ads.patch
 0002-Fix-tests-with-HTTP-proxy.patch
 add-ca-constraint-to-test-ca.patch
+CVE-2024-47081.patch
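Review bot: The new test's `finally` writes `os.environ["NETRC"] = old_netrc` back unconditionally, so when `NETRC` was unset before the test it stays behind as an empty variable for every later test in the process; restore with `os.environ.pop("NETRC", None)` when `old_netrc` is empty, or use pytest's `monkeypatch.setenv`, which undoes itself. The `fp.close()` inside the `with` block is redundant because the context manager closes the file on exit. On the fix itself, `urlparse(url).hostname` lower-cases the host and is `None` for a URL without a netloc, where the removed `netloc.split(":")[0]` kept case and gave `""`, so a `.netrc` `machine` entry written with capitals would presumably stop matching after this backport; the rest of `get_netrc_auth` is outside the shown hunk, so whether an earlier check already rejects such URLs cannot be confirmed here. That behavioural note, plus DEP-3 `Origin:` and `Bug-Debian:` fields pointing at the two upstream commits named in the header and at #1107368, would make the patch header self-describing for the stable update.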