10 changed files with 186 additions and 888 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/requests-v2.20.0.tar.gz
+SOURCES/requests-v2.25.1.tar.gz
--- a/.python-requests.metadata
+++ b/.python-requests.metadata
@ -1 +1 @@
-2c0728fc3aca17419b2b574341a0b019e117d4f5 SOURCES/requests-v2.20.0.tar.gz
+804fdbaf3dbc57f49a66cef920e9d4a5ce3460eb SOURCES/requests-v2.25.1.tar.gz
--- a/SOURCES/CVE-2024-35195.patch
+++ b/SOURCES/CVE-2024-35195.patch
@ -1,629 +0,0 @@
 From e94346e13375d81b35644e95ea4340e957ee2a7d Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 17 Dec 2024 14:39:48 +0100
 Subject: [PATCH 1/8] Use TLS settings in selecting connection pool
 Upstream commit: https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356
 ---
 requests/adapters.py | 53 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)
 diff --git a/requests/adapters.py b/requests/adapters.py
 index fa4d9b3..b768460 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
@@ -10,6 +10,7 @@ and maintain connections.
 import os.path
 import socket
 +import typing
 from urllib3.poolmanager import PoolManager, proxy_from_url
 from urllib3.response import HTTPResponse
@@ -52,6 +53,28 @@ DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
 +def _urllib3_request_context(
 +    request: "PreparedRequest", verify: "bool | str | None"
 +) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
 +    host_params = {}
 +    pool_kwargs = {}
 +    parsed_request_url = urlparse(request.url)
 +    scheme = parsed_request_url.scheme.lower()
 +    port = parsed_request_url.port
 +    cert_reqs = "CERT_REQUIRED"
 +    if verify is False:
 +        cert_reqs = "CERT_NONE"
 +    if isinstance(verify, str):
 +        pool_kwargs["ca_certs"] = verify
 +    pool_kwargs["cert_reqs"] = cert_reqs
 +    host_params = {
 +        "scheme": scheme,
 +        "host": parsed_request_url.hostname,
 +        "port": port,
 +    }
 +    return host_params, pool_kwargs
 +
 +
 class BaseAdapter(object):
     """The Base Transport Adapter"""
@@ -289,6 +312,34 @@ class HTTPAdapter(BaseAdapter):
         return response
 +    def _get_connection(self, request, verify, proxies=None):
 +        # Replace the existing get_connection without breaking things and
 +        # ensure that TLS settings are considered when we interact with
 +        # urllib3 HTTP Pools
 +        proxy = select_proxy(request.url, proxies)
 +        try:
 +            host_params, pool_kwargs = _urllib3_request_context(request, verify)
 +        except ValueError as e:
 +            raise InvalidURL(e, request=request)
 +        if proxy:
 +            proxy = prepend_scheme_if_needed(proxy, "http")
 +            proxy_url = parse_url(proxy)
 +            if not proxy_url.host:
 +                raise InvalidProxyURL(
 +                    "Please check proxy URL. It is malformed "
 +                    "and could be missing the host."
 +                )
 +            proxy_manager = self.proxy_manager_for(proxy)
 +            conn = proxy_manager.connection_from_host(
 +                **host_params, pool_kwargs=pool_kwargs
 +            )
 +        else:
 +            # Only scheme should be lower case
 +            conn = self.poolmanager.connection_from_host(
 +                **host_params, pool_kwargs=pool_kwargs
 +            )
 +        return conn
 +
     def get_connection(self, url, proxies=None):
         """Returns a urllib3 connection for the given URL. This should not be
         called from user code, and is only exposed for use when subclassing the
@@ -409,7 +460,7 @@ class HTTPAdapter(BaseAdapter):
         """
         try:
 -            conn = self.get_connection(request.url, proxies)
 +            conn = self._get_connection(request, verify, proxies)
         except LocationValueError as e:
             raise InvalidURL(e, request=request)
 -- 
 2.47.1
 From d3c30b0c69d8efe9a8ebce1f05d72dc0ac47ed67 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 17 Dec 2024 14:45:08 +0100
 Subject: [PATCH 2/8] Add additional context parameters for our pool manager
 Upstream commit: https://github.com/psf/requests/commit/a94e9b5308ffcc3d2913ab873e9810a6601a67da
 ---
 requests/adapters.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
 diff --git a/requests/adapters.py b/requests/adapters.py
 index b768460..65ad876 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
@@ -54,7 +54,9 @@ DEFAULT_POOL_TIMEOUT = None
 def _urllib3_request_context(
 -    request: "PreparedRequest", verify: "bool | str | None"
 +    request: "PreparedRequest",
 +    verify: "bool | str | None",
 +    client_cert: "typing.Tuple[str, str] | str | None",
 ) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
     host_params = {}
     pool_kwargs = {}
@@ -67,6 +69,14 @@ def _urllib3_request_context(
     if isinstance(verify, str):
         pool_kwargs["ca_certs"] = verify
     pool_kwargs["cert_reqs"] = cert_reqs
 +    if client_cert is not None:
 +        if isinstance(client_cert, tuple) and len(client_cert) == 2:
 +            pool_kwargs["cert_file"] = client_cert[0]
 +            pool_kwargs["key_file"] = client_cert[1]
 +        else:
 +            # According to our docs, we allow users to specify just the client
 +            # cert path
 +            pool_kwargs["cert_file"] = client_cert
     host_params = {
         "scheme": scheme,
         "host": parsed_request_url.hostname,
@@ -312,13 +322,13 @@ class HTTPAdapter(BaseAdapter):
         return response
 -    def _get_connection(self, request, verify, proxies=None):
 +    def _get_connection(self, request, verify, proxies=None, cert=None):
         # Replace the existing get_connection without breaking things and
         # ensure that TLS settings are considered when we interact with
         # urllib3 HTTP Pools
         proxy = select_proxy(request.url, proxies)
         try:
 -            host_params, pool_kwargs = _urllib3_request_context(request, verify)
 +            host_params, pool_kwargs = _urllib3_request_context(request, verify, cert)
         except ValueError as e:
             raise InvalidURL(e, request=request)
         if proxy:
@@ -460,7 +470,7 @@ class HTTPAdapter(BaseAdapter):
         """
         try:
 -            conn = self._get_connection(request, verify, proxies)
 +            conn = self._get_connection(request, verify, proxies=proxies, cert=cert)
         except LocationValueError as e:
             raise InvalidURL(e, request=request)
 -- 
 2.47.1
 From 5dbe98fe21871f315cc68473165cbbed5eb5f048 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 17 Dec 2024 14:51:34 +0100
 Subject: [PATCH 3/8] Avoid reloading root certificates to improve concurrent
 performance
 Upstream commit: https://github.com/psf/requests/commit/9a40d1277807f0a4f26c9a37eea8ec90faa8aadc
 ---
 requests/adapters.py | 44 ++++++++++++++++++++++++++++----------------
 1 file changed, 28 insertions(+), 16 deletions(-)
 diff --git a/requests/adapters.py b/requests/adapters.py
 index 65ad876..7502059 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
@@ -17,6 +17,7 @@ from urllib3.response import HTTPResponse
 from urllib3.util import parse_url
 from urllib3.util import Timeout as TimeoutSauce
 from urllib3.util.retry import Retry
 +from urllib3.util.ssl_ import create_urllib3_context
 from urllib3.exceptions import ClosedPoolError
 from urllib3.exceptions import ConnectTimeoutError
 from urllib3.exceptions import HTTPError as _HTTPError
@@ -52,6 +53,11 @@ DEFAULT_POOLSIZE = 10
 DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
 +_preloaded_ssl_context = create_urllib3_context()
 +_preloaded_ssl_context.load_verify_locations(
 +    extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
 +)
 +
 def _urllib3_request_context(
     request: "PreparedRequest",
@@ -66,8 +72,13 @@ def _urllib3_request_context(
     cert_reqs = "CERT_REQUIRED"
     if verify is False:
         cert_reqs = "CERT_NONE"
 -    if isinstance(verify, str):
 -        pool_kwargs["ca_certs"] = verify
 +    elif verify is True:
 +        pool_kwargs["ssl_context"] = _preloaded_ssl_context
 +    elif isinstance(verify, str):
 +        if not os.path.isdir(verify):
 +            pool_kwargs["ca_certs"] = verify
 +        else:
 +            pool_kwargs["ca_cert_dir"] = verify
     pool_kwargs["cert_reqs"] = cert_reqs
     if client_cert is not None:
         if isinstance(client_cert, tuple) and len(client_cert) == 2:
@@ -247,25 +258,26 @@ class HTTPAdapter(BaseAdapter):
         """
         if url.lower().startswith('https') and verify:
 -            cert_loc = None
 +            conn.cert_reqs = "CERT_REQUIRED"
 -            # Allow self-specified cert location.
 +            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
 +            # Otherwise, if verify is a boolean, we don't load anything since
 +            # the connection will be using a context with the default certificates already loaded,
 +            # and this avoids a call to the slow load_verify_locations()
             if verify is not True:
 +                # `verify` must be a str with a path then
                 cert_loc = verify
 -            if not cert_loc:
 -                cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
 -
 -            if not cert_loc or not os.path.exists(cert_loc):
 -                raise IOError("Could not find a suitable TLS CA certificate bundle, "
 -                              "invalid path: {}".format(cert_loc))
 -
 -            conn.cert_reqs = 'CERT_REQUIRED'
 +                if not os.path.exists(cert_loc):
 +                    raise OSError(
 +                        f"Could not find a suitable TLS CA certificate bundle, "
 +                        f"invalid path: {cert_loc}"
 +                    )
 -            if not os.path.isdir(cert_loc):
 -                conn.ca_certs = cert_loc
 -            else:
 -                conn.ca_cert_dir = cert_loc
 +                if not os.path.isdir(cert_loc):
 +                    conn.ca_certs = cert_loc
 +                else:
 +                    conn.ca_cert_dir = cert_loc
         else:
             conn.cert_reqs = 'CERT_NONE'
             conn.ca_certs = None
 -- 
 2.47.1
 From 232d96f2662eefbb3ebcfde94532ae38a6fe6f6f Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 17 Dec 2024 14:53:47 +0100
 Subject: [PATCH 4/8] Move _get_connection to get_connection_with_tls_context
 Upstream commit: https://github.com/psf/requests/commit/aa1461b68aa73e2f6ec0e78c8853b635c76fd099
 ---
 requests/adapters.py | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
 diff --git a/requests/adapters.py b/requests/adapters.py
 index 7502059..823efcd 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
@@ -334,10 +334,19 @@ class HTTPAdapter(BaseAdapter):
         return response
 -    def _get_connection(self, request, verify, proxies=None, cert=None):
 -        # Replace the existing get_connection without breaking things and
 -        # ensure that TLS settings are considered when we interact with
 -        # urllib3 HTTP Pools
 +    def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
 +        """Returns a urllib3 connection for the given request and TLS settings.
 +        This should not be called from user code, and is only exposed for use
 +        when subclassing the :class:`HTTPAdapter <requests.adapters.HTTPAdapter>`.
 +        :param request: The :class:`PreparedRequest <PreparedRequest>` object
 +            to be sent over the connection.
 +        :param verify: Either a boolean, in which case it controls whether
 +            we verify the server's TLS certificate, or a string, in which case it
 +            must be a path to a CA bundle to use.
 +        :param proxies: (optional) The proxies dictionary to apply to the request.
 +        :param cert: (optional) Any user-provided SSL certificate to be trusted.
 +        :rtype: urllib3.ConnectionPool
 +        """
         proxy = select_proxy(request.url, proxies)
         try:
             host_params, pool_kwargs = _urllib3_request_context(request, verify, cert)
@@ -363,7 +372,9 @@ class HTTPAdapter(BaseAdapter):
         return conn
     def get_connection(self, url, proxies=None):
 -        """Returns a urllib3 connection for the given URL. This should not be
 +        """DEPRECATED: Users should move to `get_connection_with_tls_context`
 +        for all subclasses of HTTPAdapter using Requests>=2.32.2.
 +        Returns a urllib3 connection for the given URL. This should not be
         called from user code, and is only exposed for use when subclassing the
         :class:`HTTPAdapter <requests.adapters.HTTPAdapter>`.
@@ -482,7 +493,9 @@ class HTTPAdapter(BaseAdapter):
         """
         try:
 -            conn = self._get_connection(request, verify, proxies=proxies, cert=cert)
 +            conn = self.get_connection_with_tls_context(
 +                request, verify, proxies=proxies, cert=cert
 +            )
         except LocationValueError as e:
             raise InvalidURL(e, request=request)
 -- 
 2.47.1
 From c380f08f4ba26e8658f20347cf82b3c2c4b797ea Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 17 Dec 2024 14:57:09 +0100
 Subject: [PATCH 5/8] Allow for overriding of specific pool key params
 Upstream commit: https://github.com/psf/requests/commit/a62a2d35d918baa8e793f7aa4fb41527644dfca5
 ---
 requests/adapters.py | 73 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 64 insertions(+), 9 deletions(-)
 diff --git a/requests/adapters.py b/requests/adapters.py
 index 823efcd..1ee302c 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
@@ -334,22 +334,77 @@ class HTTPAdapter(BaseAdapter):
         return response
 +    def build_connection_pool_key_attributes(self, request, verify, cert=None):
 +        """Build the PoolKey attributes used by urllib3 to return a connection.
 +        This looks at the PreparedRequest, the user-specified verify value,
 +        and the value of the cert parameter to determine what PoolKey values
 +        to use to select a connection from a given urllib3 Connection Pool.
 +        The SSL related pool key arguments are not consistently set. As of
 +        this writing, use the following to determine what keys may be in that
 +        dictionary:
 +        * If ``verify`` is ``True``, ``"ssl_context"`` will be set and will be the
 +          default Requests SSL Context
 +        * If ``verify`` is ``False``, ``"ssl_context"`` will not be set but
 +          ``"cert_reqs"`` will be set
 +        * If ``verify`` is a string, (i.e., it is a user-specified trust bundle)
 +          ``"ca_certs"`` will be set if the string is not a directory recognized
 +          by :py:func:`os.path.isdir`, otherwise ``"ca_certs_dir"`` will be
 +          set.
 +        * If ``"cert"`` is specified, ``"cert_file"`` will always be set. If
 +          ``"cert"`` is a tuple with a second item, ``"key_file"`` will also
 +          be present
 +        To override these settings, one may subclass this class, call this
 +        method and use the above logic to change parameters as desired. For
 +        example, if one wishes to use a custom :py:class:`ssl.SSLContext` one
 +        must both set ``"ssl_context"`` and based on what else they require,
 +        alter the other keys to ensure the desired behaviour.
 +        :param request:
 +            The PreparedReqest being sent over the connection.
 +        :type request:
 +            :class:`~requests.models.PreparedRequest`
 +        :param verify:
 +            Either a boolean, in which case it controls whether
 +            we verify the server's TLS certificate, or a string, in which case it
 +            must be a path to a CA bundle to use.
 +        :param cert:
 +            (optional) Any user-provided SSL certificate for client
 +            authentication (a.k.a., mTLS). This may be a string (i.e., just
 +            the path to a file which holds both certificate and key) or a
 +            tuple of length 2 with the certificate file path and key file
 +            path.
 +        :returns:
 +            A tuple of two dictionaries. The first is the "host parameters"
 +            portion of the Pool Key including scheme, hostname, and port. The
 +            second is a dictionary of SSLContext related parameters.
 +        """
 +        return _urllib3_request_context(request, verify, cert)
 +
     def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
         """Returns a urllib3 connection for the given request and TLS settings.
         This should not be called from user code, and is only exposed for use
         when subclassing the :class:`HTTPAdapter <requests.adapters.HTTPAdapter>`.
 -        :param request: The :class:`PreparedRequest <PreparedRequest>` object
 -            to be sent over the connection.
 -        :param verify: Either a boolean, in which case it controls whether
 -            we verify the server's TLS certificate, or a string, in which case it
 -            must be a path to a CA bundle to use.
 -        :param proxies: (optional) The proxies dictionary to apply to the request.
 -        :param cert: (optional) Any user-provided SSL certificate to be trusted.
 -        :rtype: urllib3.ConnectionPool
 +        :param request:
 +            The :class:`PreparedRequest <PreparedRequest>` object to be sent
 +            over the connection.
 +        :param verify:
 +            Either a boolean, in which case it controls whether we verify the
 +            server's TLS certificate, or a string, in which case it must be a
 +            path to a CA bundle to use.
 +        :param proxies:
 +            (optional) The proxies dictionary to apply to the request.
 +        :param cert:
 +            (optional) Any user-provided SSL certificate to be used for client
 +            authentication (a.k.a., mTLS).
 +        :rtype:
 +            urllib3.ConnectionPool
         """
         proxy = select_proxy(request.url, proxies)
         try:
 -            host_params, pool_kwargs = _urllib3_request_context(request, verify, cert)
 +            host_params, pool_kwargs = self.build_connection_pool_key_attributes(
 +                request,
 +                verify,
 +                cert,
 +            )
         except ValueError as e:
             raise InvalidURL(e, request=request)
         if proxy:
 -- 
 2.47.1
 From 1f7a7a4748fec114fdb042649e8b2685fb2af464 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 17 Dec 2024 14:59:19 +0100
 Subject: [PATCH 6/8] Don't use default SSLContext with custom poolmanager
 kwargs
 Upstream commit: https://github.com/psf/requests/commit/b1d73ddb509a3a2d3e10744e85f9cdebdbde90f0
 ---
 requests/adapters.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
 diff --git a/requests/adapters.py b/requests/adapters.py
 index 1ee302c..359bd22 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
@@ -63,16 +63,20 @@ def _urllib3_request_context(
     request: "PreparedRequest",
     verify: "bool | str | None",
     client_cert: "typing.Tuple[str, str] | str | None",
 +    poolmanager: "PoolManager",
 ) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
     host_params = {}
     pool_kwargs = {}
     parsed_request_url = urlparse(request.url)
     scheme = parsed_request_url.scheme.lower()
     port = parsed_request_url.port
 +    poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
 +    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
 +
     cert_reqs = "CERT_REQUIRED"
     if verify is False:
         cert_reqs = "CERT_NONE"
 -    elif verify is True:
 +    elif verify is True and not has_poolmanager_ssl_context:
         pool_kwargs["ssl_context"] = _preloaded_ssl_context
     elif isinstance(verify, str):
         if not os.path.isdir(verify):
@@ -377,7 +381,7 @@ class HTTPAdapter(BaseAdapter):
             portion of the Pool Key including scheme, hostname, and port. The
             second is a dictionary of SSLContext related parameters.
         """
 -        return _urllib3_request_context(request, verify, cert)
 +        return _urllib3_request_context(request, verify, cert, self.poolmanager)
     def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
         """Returns a urllib3 connection for the given request and TLS settings.
 -- 
 2.47.1
 From f9e9a8b2a392b771d5ab644192246379667bbf08 Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 17 Dec 2024 15:01:24 +0100
 Subject: [PATCH 7/8] Don't create default SSLContext if ssl module isn't
 present
 Upstream commit: https://github.com/psf/requests/commit/e18879932287c2bf4bcee4ddf6ccb8a69b6fc656
 ---
 requests/adapters.py | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
 diff --git a/requests/adapters.py b/requests/adapters.py
 index 359bd22..4062137 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
@@ -53,10 +53,17 @@ DEFAULT_POOLSIZE = 10
 DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
 -_preloaded_ssl_context = create_urllib3_context()
 -_preloaded_ssl_context.load_verify_locations(
 -    extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
 -)
 +
 +try:
 +    import ssl  # noqa: F401
 +    _preloaded_ssl_context = create_urllib3_context()
 +    _preloaded_ssl_context.load_verify_locations(
 +        extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
 +    )
 +except ImportError:
 +    # Bypass default SSLContext creation when Python
 +    # interpreter isn't built with the ssl module.
 +    _preloaded_ssl_context = None
 def _urllib3_request_context(
@@ -70,13 +77,19 @@ def _urllib3_request_context(
     parsed_request_url = urlparse(request.url)
     scheme = parsed_request_url.scheme.lower()
     port = parsed_request_url.port
 +
 +    # Determine if we have and should use our default SSLContext
 +    # to optimize performance on standard requests.
     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
     has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
 +    should_use_default_ssl_context = (
 +        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
 +    )
     cert_reqs = "CERT_REQUIRED"
     if verify is False:
         cert_reqs = "CERT_NONE"
 -    elif verify is True and not has_poolmanager_ssl_context:
 +    elif verify is True and should_use_default_ssl_context:
         pool_kwargs["ssl_context"] = _preloaded_ssl_context
     elif isinstance(verify, str):
         if not os.path.isdir(verify):
 -- 
 2.47.1
 From fd57339bb1f7f0e1726d52f4b45d54ae1262d09f Mon Sep 17 00:00:00 2001
 From: Lumir Balhar <lbalhar@redhat.com>
 Date: Tue, 17 Dec 2024 15:08:02 +0100
 Subject: [PATCH 8/8] Address certificate loading regression
 Upstream source: https://github.com/psf/requests/pull/6731
 ---
 requests/adapters.py | 45 +++++++++++++++++++++++++++++---------------
 1 file changed, 30 insertions(+), 15 deletions(-)
 diff --git a/requests/adapters.py b/requests/adapters.py
 index 4062137..6dac45e 100644
 --- a/requests/adapters.py
 +++ b/requests/adapters.py
@@ -66,6 +66,23 @@ except ImportError:
     _preloaded_ssl_context = None
 +def _should_use_default_context(
 +    verify: "bool | str | None",
 +    client_cert: "typing.Tuple[str, str] | str | None",
 +    poolmanager_kwargs: typing.Dict[str, typing.Any],
 +) -> bool:
 +    # Determine if we have and should use our default SSLContext
 +    # to optimize performance on standard requests.
 +    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
 +    should_use_default_ssl_context = (
 +        verify is True
 +        and _preloaded_ssl_context is not None
 +        and not has_poolmanager_ssl_context
 +        and client_cert is None
 +    )
 +    return should_use_default_ssl_context
 +
 +
 def _urllib3_request_context(
     request: "PreparedRequest",
     verify: "bool | str | None",
@@ -77,25 +94,25 @@ def _urllib3_request_context(
     parsed_request_url = urlparse(request.url)
     scheme = parsed_request_url.scheme.lower()
     port = parsed_request_url.port
 -
 -    # Determine if we have and should use our default SSLContext
 -    # to optimize performance on standard requests.
     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
 -    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
 -    should_use_default_ssl_context = (
 -        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
 -    )
     cert_reqs = "CERT_REQUIRED"
 +    cert_loc = None
     if verify is False:
         cert_reqs = "CERT_NONE"
 -    elif verify is True and should_use_default_ssl_context:
 +    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
         pool_kwargs["ssl_context"] = _preloaded_ssl_context
 +    elif verify is True:
 +        # Set default ca cert location if none provided
 +        cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
     elif isinstance(verify, str):
 -        if not os.path.isdir(verify):
 -            pool_kwargs["ca_certs"] = verify
 +        cert_loc = verify
 +
 +    if cert_loc is not None:
 +        if not os.path.isdir(cert_loc):
 +            pool_kwargs["ca_certs"] = cert_loc
         else:
 -            pool_kwargs["ca_cert_dir"] = verify
 +            pool_kwargs["ca_cert_dir"] = cert_loc
     pool_kwargs["cert_reqs"] = cert_reqs
     if client_cert is not None:
         if isinstance(client_cert, tuple) and len(client_cert) == 2:
@@ -277,10 +294,8 @@ class HTTPAdapter(BaseAdapter):
             conn.cert_reqs = "CERT_REQUIRED"
 -            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
 -            # Otherwise, if verify is a boolean, we don't load anything since
 -            # the connection will be using a context with the default certificates already loaded,
 -            # and this avoids a call to the slow load_verify_locations()
 +            # Only load the CA certificates if `verify` is a
 +            # string indicating the CA bundle to use.
             if verify is not True:
                 # `verify` must be a str with a path then
                 cert_loc = verify
 -- 
 2.47.1
--- a/SOURCES/Don-t-inject-pyopenssl-into-urllib3.patch
+++ b/SOURCES/Don-t-inject-pyopenssl-into-urllib3.patch
@ -1,38 +0,0 @@
 From 86b1fa39fdebdb7bc57131c1a198d4d18e104f95 Mon Sep 17 00:00:00 2001
 From: Jeremy Cline <jeremy@jcline.org>
 Date: Mon, 16 Apr 2018 10:35:35 -0400
 Subject: [PATCH] Don't inject pyopenssl into urllib3
 Fedora ships sufficiently new versions of Python 2 and 3 to make this
 unnecessary (rhbz 1567862)
 Signed-off-by: Jeremy Cline <jeremy@jcline.org>
 ---
 requests/__init__.py | 7 -------
 1 file changed, 7 deletions(-)
 diff --git a/requests/__init__.py b/requests/__init__.py
 index a5b3c9c3..e312d314 100644
 --- a/requests/__init__.py
 +++ b/requests/__init__.py
@@ -90,17 +90,6 @@ except (AssertionError, ValueError):
                   "version!".format(urllib3.__version__, chardet.__version__),
                   RequestsDependencyWarning)
 -# Attempt to enable urllib3's SNI support, if possible
 -try:
 -    from urllib3.contrib import pyopenssl
 -    pyopenssl.inject_into_urllib3()
 -
 -    # Check cryptography version
 -    from cryptography import __version__ as cryptography_version
 -    _check_cryptography(cryptography_version)
 -except ImportError:
 -    pass
 -
 # urllib3's DependencyWarnings should be silenced.
 from urllib3.exceptions import DependencyWarning
 warnings.simplefilter('ignore', DependencyWarning)
 -- 
 2.17.0
--- a/SOURCES/Empty-security-extras.patch
+++ b/SOURCES/Empty-security-extras.patch
@ -0,0 +1,13 @@
 diff --git a/setup.py b/setup.py
 index 065eb22..043ae42 100755
 --- a/setup.py
 +++ b/setup.py
@@ -100,7 +100,7 @@ setup(
     cmdclass={'test': PyTest},
     tests_require=test_requirements,
     extras_require={
 -        'security': ['pyOpenSSL >= 0.14', 'cryptography>=1.3.4'],
 +        'security': [],
         'socks': ['PySocks>=1.5.6, !=1.5.7'],
         'socks:sys_platform == "win32" and python_version == "2.7"': ['win_inet_pton'],
     },
--- a/SOURCES/Remove-tests-that-use-the-tarpit.patch
+++ b/SOURCES/Remove-tests-that-use-the-tarpit.patch
@ -1,4 +1,4 @@
-From 524cd22fb77e69db9bb3f017bbb1d9782c37b0cd Mon Sep 17 00:00:00 2001
+From bb1c91432c5e9a1f402692db5c80c65136656afb Mon Sep 17 00:00:00 2001
 From: Jeremy Cline <jeremy@jcline.org>
 Date: Tue, 13 Jun 2017 09:08:09 -0400
 Subject: [PATCH] Remove tests that use the tarpit
@ -15,10 +15,10 @@ Signed-off-by: Jeremy Cline <jeremy@jcline.org>
 1 file changed, 25 deletions(-)
 diff --git a/tests/test_requests.py b/tests/test_requests.py
-index b8350cb..46b7e9e 100755
+index 7d4a4eb5..8d1c55fc 100644
 --- a/tests/test_requests.py
 +++ b/tests/test_requests.py
-@@ -2049,31 +2049,6 @@ class TestTimeout:
+@@ -2186,31 +2186,6 @@ class TestTimeout:
         except ReadTimeout:
             pass
@ -48,8 +48,8 @@ index b8350cb..46b7e9e 100755
 -            pass
 -
     def test_encoded_methods(self, httpbin):
-         """See: https://github.com/requests/requests/issues/2316"""
+         """See: https://github.com/psf/requests/issues/2316"""
         r = requests.request(b'GET', httpbin('get'))
 -- 
-2.9.4
+2.24.1
--- a/SOURCES/Skip-all-tests-needing-httpbin.patch
+++ b/SOURCES/Skip-all-tests-needing-httpbin.patch
@ -1,33 +0,0 @@
 From 650da6c0267ba711d9d02d2bba8d79540437055f Mon Sep 17 00:00:00 2001
 From: Tomas Orsava <torsava@redhat.com>
 Date: Wed, 13 Jun 2018 15:44:42 +0200
 Subject: [PATCH] Skip all tests needing httpbin
 httpbin has too many dependencies to be shipped in RHEL just for
 build-time package tests
 ---
 tests/conftest.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/tests/conftest.py b/tests/conftest.py
 index cd64a76..6cdc95a 100644
 --- a/tests/conftest.py
 +++ b/tests/conftest.py
@@ -15,10 +15,12 @@ def prepare_url(value):
 @pytest.fixture
 -def httpbin(httpbin):
 +def httpbin():
 +    pytest.skip()
     return prepare_url(httpbin)
 @pytest.fixture
 -def httpbin_secure(httpbin_secure):
 +def httpbin_secure():
 +    pytest.skip()
     return prepare_url(httpbin_secure)
 -- 
 2.14.4
--- a/SOURCES/patch-requests-certs.py-to-use-the-system-CA-bundle.patch
+++ b/SOURCES/patch-requests-certs.py-to-use-the-system-CA-bundle.patch
@ -1,19 +1,7 @@
-From a8ef690988f92a56226f8b688f1a3638346bca8e Mon Sep 17 00:00:00 2001
+diff --color -Nur requests-2.25.1.orig/requests/certs.py requests-2.25.1/requests/certs.py
-From: Jeremy Cline <jeremy@jcline.org>
+--- requests-2.25.1.orig/requests/certs.py	2021-01-10 16:27:05.027059634 -0800
-Date: Mon, 19 Jun 2017 16:09:02 -0400
+++ requests-2.25.1/requests/certs.py	2021-01-10 16:29:06.973238179 -0800
-Subject: [PATCH] Patch requests/certs.py to use the system CA bundle
+@@ -10,8 +10,13 @@
 Signed-off-by: Jeremy Cline <jeremy@jcline.org>
 ---
 requests/certs.py | 11 ++++++++++-
 setup.py          |  1 -
 2 files changed, 10 insertions(+), 2 deletions(-)
 diff --git a/requests/certs.py b/requests/certs.py
 index d1a378d7..7b103baf 100644
 --- a/requests/certs.py
 +++ b/requests/certs.py
@@ -11,8 +11,17 @@ only one — the one from the certifi package.
 If you are packaging Requests, e.g., for a Linux distribution or a managed
 environment, you can change the definition of where() to return a separately
 packaged CA bundle.
@ -22,28 +10,20 @@ index d1a378d7..7b103baf 100644
 +by the ca-certificates RPM package.
 """
 -from certifi import where
-+try:
+def where():
-+    from certifi import where
+    """Return the absolute path to the system CA bundle."""
-+except ImportError:
+    return '/etc/pki/tls/certs/ca-bundle.crt'
 +    def where():
 +        """Return the absolute path to the system CA bundle."""
 +        return '/etc/pki/tls/certs/ca-bundle.crt'
 +
 if __name__ == '__main__':
     print(where())
-diff --git a/setup.py b/setup.py
+diff --color -Nur requests-2.25.1.orig/setup.py requests-2.25.1/setup.py
-index 4e2ad936..60de5861 100755
+--- requests-2.25.1.orig/setup.py	2020-12-16 11:34:26.000000000 -0800
--- a/setup.py
+++ requests-2.25.1/setup.py	2021-01-10 16:29:21.570259552 -0800
-+++ b/setup.py
+@@ -45,7 +45,6 @@
-@@ -45,7 +45,6 @@ requires = [
+     'chardet>=3.0.2,<5',
-     'chardet>=3.0.2,<3.1.0',
+     'idna>=2.5,<3',
-     'idna>=2.5,<2.8',
+     'urllib3>=1.21.1,<1.27',
     'urllib3>=1.21.1,<1.25',
 -    'certifi>=2017.4.17'
 ]
 test_requirements = [
 -- 
 2.19.1
--- a/SOURCES/properly-handle-default-ports-in-auth-stripping.patch
+++ b/SOURCES/properly-handle-default-ports-in-auth-stripping.patch
@ -1,67 +0,0 @@
 diff --git a/requests/sessions.py b/requests/sessions.py
 index a448bd8..d73d700 100644
 --- a/requests/sessions.py
 +++ b/requests/sessions.py
@@ -19,7 +19,7 @@ from .cookies import (
 from .models import Request, PreparedRequest, DEFAULT_REDIRECT_LIMIT
 from .hooks import default_hooks, dispatch_hook
 from ._internal_utils import to_native_string
 -from .utils import to_key_val_list, default_headers
 +from .utils import to_key_val_list, default_headers, DEFAULT_PORTS
 from .exceptions import (
     TooManyRedirects, InvalidSchema, ChunkedEncodingError, ContentDecodingError)
@@ -128,8 +128,17 @@ class SessionRedirectMixin(object):
         if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
                 and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
             return False
 +
 +        # Handle default port usage corresponding to scheme.
 +        changed_port = old_parsed.port != new_parsed.port
 +        changed_scheme = old_parsed.scheme != new_parsed.scheme
 +        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
 +        if (not changed_scheme and old_parsed.port in default_port
 +                and new_parsed.port in default_port):
 +            return False
 +
         # Standard case: root URI must match
 -        return old_parsed.port != new_parsed.port or old_parsed.scheme != new_parsed.scheme
 +        return changed_port or changed_scheme
     def resolve_redirects(self, resp, req, stream=False, timeout=None,
                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
 diff --git a/requests/utils.py b/requests/utils.py
 index 0ce7fe1..04145c8 100644
 --- a/requests/utils.py
 +++ b/requests/utils.py
@@ -38,6 +38,8 @@ NETRC_FILES = ('.netrc', '_netrc')
 DEFAULT_CA_BUNDLE_PATH = certs.where()
 +DEFAULT_PORTS = {'http': 80, 'https': 443}
 +
 if sys.platform == 'win32':
     # provide a proxy_bypass version on Windows without DNS lookups
 diff --git a/tests/test_requests.py b/tests/test_requests.py
 index f46561e..f99fdaf 100644
 --- a/tests/test_requests.py
 +++ b/tests/test_requests.py
@@ -1611,6 +1611,17 @@ class TestRequests:
         s = requests.Session()
         assert s.should_strip_auth('http://example.com:1234/foo', 'https://example.com:4321/bar')
 +    @pytest.mark.parametrize(
 +        'old_uri, new_uri', (
 +            ('https://example.com:443/foo', 'https://example.com/bar'),
 +            ('http://example.com:80/foo', 'http://example.com/bar'),
 +            ('https://example.com/foo', 'https://example.com:443/bar'),
 +            ('http://example.com/foo', 'http://example.com:80/bar')
 +        ))
 +    def test_should_strip_auth_default_port(self, old_uri, new_uri):
 +        s = requests.Session()
 +        assert not s.should_strip_auth(old_uri, new_uri)
 +
     def test_manual_redirect_with_partial_body_read(self, httpbin):
         s = requests.Session()
         r1 = s.get(httpbin('redirect/2'), allow_redirects=False, stream=True)
--- a/SPECS/python-requests.spec
+++ b/SPECS/python-requests.spec
@ -1,16 +1,11 @@
-%if 0%{?_module_build}
+# Disable tests on RHEL9 as to not pull in the test dependencies
-# Don't run tests on module-build for now
+# Specify --with tests to run the tests e.g. on EPEL
 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1450608
 %bcond_with tests
 %else
 # When bootstrapping Python, we cannot test this yet
 %bcond_without tests
 %endif
 Name:           python-requests
-Version:        2.20.0
+Version:        2.25.1
-Release:        5%{?dist}
+Release:        7%{?dist}
 Summary:        HTTP library, written in Python, for human beings
 License:        ASL 2.0
@ -30,36 +25,25 @@ Patch2:         Remove-tests-that-use-the-tarpit.patch
 # a pretty odd one so this is a niche requirement.
 Patch3:         requests-2.12.4-tests_nonet.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1567862
+# The [security] extra as present in upstream 2.25.1 is not possible,
-Patch4:         Don-t-inject-pyopenssl-into-urllib3.patch
+# because the PyOpenSSL package is not part of RHEL 9.
-
+# We backport a pre-2.26.0 commit that makes request[security] a no-op:
-# Skip all tests needing httpbin
+#   https://github.com/psf/requests/pull/5867
-#   httpbin has too many dependencies to be shipped in RHEL just for
+# """
-#   build-time package tests
+# We initially removed default support for PyOpenSSL in Requests 2.24.0
-Patch5:         Skip-all-tests-needing-httpbin.patch
+# as it is now considered less secure. Deprecation of the extras_require was
-
+# announced in Requests 2.25.0 and we're officially removing the extras_require
-# Properly handle default ports when stripping the authorization header.
+# functionality in Requests 2.26.0.
-# This fixes a regression introduced with fixing CVE-2018-18074.
+# Projects currently using requests[security] after this change will continue
-# Fixed upstream: https://github.com/psf/requests/pull/4851
+# to operate as if performing a standard requests installation (secure by default).
-# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1752799
+# """
-Patch6:         properly-handle-default-ports-in-auth-stripping.patch
+Patch4:         Empty-security-extras.patch
 # Security fix for CVE-2023-32681
 # Unintended leak of Proxy-Authorization header
 # Resolved upstream: https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
 # Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2209469
-Patch7:         CVE-2023-32681.patch
+Patch5:         CVE-2023-32681.patch
 # Security fix for CVE-2024-35195
 # Subsequent requests to the same host ignore cert verification.
 # The patch is a combination of many upstream changes. Each commit contains
 # the respective upstream commit. The first one is the fix for the vulnerability
 # see: https://github.com/psf/requests/pull/6655
 # and the rest tries to make it more backward compatible.
 # The last commit is still a draft upstream and therefore the link points to the PR.
 # PR: https://github.com/psf/requests/pull/6731
 # The issue it tries to solve: https://github.com/psf/requests/issues/6726
 Patch8:         CVE-2024-35195.patch
 BuildArch:      noarch
@ -75,17 +59,14 @@ Summary: HTTP library, written in Python, for human beings
 %{?python_provide:%python_provide python%{python3_pkgversion}-requests}
 BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-chardet
+BuildRequires:  pyproject-rpm-macros
-BuildRequires:  python%{python3_pkgversion}-urllib3
+
 BuildRequires:  python%{python3_pkgversion}-idna
 %if %{with tests}
-BuildRequires:  python%{python3_pkgversion}-pytest
+BuildRequires:  python3dist(pytest)
-BuildRequires:  python%{python3_pkgversion}-pytest-mock
+BuildRequires:  python3dist(pytest-httpbin)
 BuildRequires:  python3dist(pytest-mock)
 %endif
 Requires:       python%{python3_pkgversion}-chardet
 Requires:       python%{python3_pkgversion}-urllib3
 Requires:       python%{python3_pkgversion}-idna
 %description -n python%{python3_pkgversion}-requests
 Most existing Python modules for sending HTTP requests are extremely verbose and
@ -93,6 +74,16 @@ cumbersome. Python’s built-in urllib2 module provides most of the HTTP
 capabilities you should need, but the API is thoroughly broken. This library is
 designed to make HTTP requests easy for developers.
 %pyproject_extras_subpkg -n python%{python3_pkgversion}-requests security socks
 %generate_buildrequires
 %if %{with tests}
 %pyproject_buildrequires -r
 %else
 %pyproject_buildrequires
 %endif
 %prep
 %autosetup -p1 -n requests-%{version}
@ -102,72 +93,153 @@ rm -rf requests/cacert.pem
 # env shebang in nonexecutable file
 sed -i '/#!\/usr\/.*python/d' requests/certs.py
 # Some doctests use the internet and fail to pass in Koji. Since doctests don't have names, I don't
 # know a way to skip them. We also don't want to patch them out, because patching them out will
 # change the docs. Thus, we set pytest not to run doctests at all.
 sed -i 's/ --doctest-modules//' pytest.ini
 %build
-%py3_build
+%pyproject_wheel
 %install
-%py3_install
+%pyproject_install
 %pyproject_save_files requests
 %if %{with tests}
 %check
-PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
+# test_https_warnings: https://github.com/psf/requests/issues/5530
-%endif # tests
+%pytest -v -k "not test_https_warnings"
 %endif
-%files -n python%{python3_pkgversion}-requests
+%files -n python%{python3_pkgversion}-requests -f %{pyproject_files}
 %license LICENSE
 %doc README.md HISTORY.md
 %{python3_sitelib}/*.egg-info
 %{python3_sitelib}/requests/
 %changelog
-* Tue Dec 17 2024 Lumír Balhar <lbalhar@redhat.com> - 2.20.0-5
+* Fri Jun 16 2023 Charalampos Stratakis <cstratak@redhat.com> - 2.25.1-7
- Security fix for CVE-2024-35195
+- Security fix for CVE-2023-32681
-Resolves: RHEL-37605
+Resolves: rhbz#2209469
-* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.20.0-4
+* Tue Feb 08 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 2.25.1-6
- Rebuilt for MSVSphere 8.8
+- Add automatically generated Obsoletes tag with the python39- prefix
  for smoother upgrade from RHEL8
 - Related: rhbz#1990421
-* Mon Jun 26 2023 Lumír Balhar <lbalhar@redhat.com> - 2.20.0-4
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2.25.1-5
- Bump release to fix upgrade path
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  from 2.20.0-2.1.el8_1 via 2.20.0-3.el8_8 to 2.20.0-4.el8
+  Related: rhbz#1991688
 Related: rhbz#2209469
-* Wed Jun 21 2023 Lumír Balhar <lbalhar@redhat.com> - 2.20.0-3
+* Thu Jul 15 2021 Miro Hrončok <mhroncok@redhat.com> - 2.25.1-4
- Security fix for CVE-2023-32681
+- Make requests[security] extras a no-op (backported from future 2.26.0)
 Resolves: rhbz#2209469
-* Mon Oct 14 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.20.0-2
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.25.1-3
- Properly handle default ports when stripping the authorization header
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 Resolves: rhbz#1752799
-* Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 2.20.0-1
+* Mon Mar 08 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.25.1-2
- Update to v2.20.0 for CVE-2018-18074.
+- Disable tests on RHEL9 to avoid pulling in the test dependencies
 * Tue Feb 02 2021 Kevin Fenzi <kevin@scrye.com> - 2.25.1-1
 - Update 2.25.1. Fix is rhbz#1908487
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.25.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Wed Nov 25 2020 Petr Viktorin <pviktori@redhat.com> - 2.25.0-1
 - Update to 2.25.0
 * Fri Nov 13 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-5
 - Don't BR pytest-cov
-* Wed Jul 11 2018 Petr Viktorin <pviktori@redhat.com> - 2.19.1-4
+* Fri Sep 18 2020 Petr Viktorin <pviktori@redhat.com> - 2.24.0-4
- Remove the Python 2 subpackage
+- Port to pyproject macros
  https://bugzilla.redhat.com/show_bug.cgi?id=1590396
-* Thu Jun 21 2018 Lumír Balhar <lbalhar@redhat.com> - 2.19.1-3
+* Fri Sep 18 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-3
- Allow build with Python 2
+- Build with pytest 6, older version is no longer required
-* Tue Jun 19 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.19.1-2
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.24.0-2
- Remove the python-pytest-cov dependency
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-* Tue Jun 19 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.1-1
+* Fri Jul 10 2020 Miro Hrončok <mhroncok@redhat.com> - 2.24.0-1
 - Update to 2.24.0
 - Resolves rhbz#1848104
 * Fri Jul 10 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-5
 - Add requests[security] and requests[socks] subpackages
 * Sat May 30 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-4
 - Test with pytest 4, drop manual requires
 * Mon May 25 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-3
 - Rebuilt for Python 3.9
 * Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 2.23.0-2
 - Bootstrap for Python 3.9
 * Fri Feb 21 2020 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.23.0-1
 - Update to 2.23.0 (#1804863).
 - https://requests.readthedocs.io/en/latest/community/updates/
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.22.0-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Tue Oct 22 2019 Charalampos Stratakis <cstratak@redhat.com> - 2.22.0-7
 - Remove the python2 subpackage (rhbz#1761787)
 * Wed Sep 18 2019 Petr Viktorin <pviktori@redhat.com> - 2.22.0-6
 - Python 2: Remove tests and test dependencies
 * Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22.0-5
 - Rebuilt for Python 3.8
 * Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 2.22.0-4
 - Bootstrap for Python 3.8
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.22.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Tue Jun 11 2019 Yatin Karel <ykarel@redhat.com> - 2.22.0-2
 - Add minimum requirement for chardet and urllib3
 * Thu May 23 2019 Jeremy Cline <jcline@redhat.com> - 2.22.0-1
 - Update to v2.22.0
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.21.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Thu Dec 13 2018 Jeremy Cline <jeremy@jcline.org> - 2.21.0-1
 - Update to v2.21.0
 - Don't rely on certifi being patched properly to use the system CA bundle
 * Mon Nov 26 2018 Miro Hrončok <mhroncok@redhat.com> - 2.20.0-2
 - No pytest-httpbin for Python 2
 * Mon Oct 29 2018 Jeremy Cline <jeremy@jcline.org> - 2.20.0-1
 - Update to v2.20.0
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.19.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Mon Jun 18 2018 Miro Hrončok <mhroncok@redhat.com> - 2.19.1-2
 - Rebuilt for Python 3.7
 * Thu Jun 14 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.1-1
 - Update to v2.19.1 (rhbz 1591531)
-* Tue Jun 19 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.0-1
+* Thu Jun 14 2018 Miro Hrončok <mhroncok@redhat.com> - 2.19.0-2
 - Bootstrap for Python 3.7
 * Tue Jun 12 2018 Jeremy Cline <jeremy@jcline.org> - 2.19.0-1
 - Update to v2.19.0 (rhbz 1590508)
-* Wed Jun 13 2018 Tomas Orsava <torsava@redhat.com> - 2.18.4-6
+* Fri Jun 08 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-6
- Skip all tests needing httpbin: httpbin has too many dependencies to be
+- Don't print runtime warning about urllib3 v1.23 (rhbz 1589306)
  shipped in RHEL just for build-time package tests
-* Tue Jun 12 2018 Tomas Orsava <torsava@redhat.com> - 2.18.4-5
+* Tue Jun 05 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-5
- BR idna, or the tests fail to start
+- Allow urllib3 v1.23 (rhbz 1586311)
 * Mon Apr 16 2018 Jeremy Cline <jeremy@jcline.org> - 2.18.4-4
 - Stop injecting PyOpenSSL (rhbz 1567862)
`@ -1 +1 @@`
	`SOURCES/requests-v2.20.0.tar.gz`	`SOURCES/requests-v2.25.1.tar.gz`
`@ -1 +1 @@`
	`2c0728fc3aca17419b2b574341a0b019e117d4f5 SOURCES/requests-v2.20.0.tar.gz`	`804fdbaf3dbc57f49a66cef920e9d4a5ce3460eb SOURCES/requests-v2.25.1.tar.gz`