An update for python-requests is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1791 Final 1.0 1.0 2026-04-03 Initial 2026-04-03 2026-04-03 openEuler SA Tool V1.0 2026-04-03 python-requests security update An update for python-requests is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS Requests is an HTTP library, written in Python, as an alternative to Python's builtin urllib2 which requires work (even method overrides) to perform basic tasks. Features of Requests: - GET, HEAD, POST, PUT, DELETE Requests: + HTTP Header Request Attachment. + Data/Params Request Attachment. + Multipart File Uploads. + CookieJar Support. + Redirection History. + Redirection Recursion Urllib Fix. + Automatic Decompression of GZipped Content. + Unicode URL Support. - Authentication: + URL + HTTP Auth Registry. Security Fix(es): Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.(CVE-2026-25645) An update for python-requests is now available for openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2,openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python-requests https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1791 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-25645 https://nvd.nist.gov/vuln/detail/CVE-2026-25645 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS python-requests-2.31.0-5.oe2403sp1.src.rpm python-requests-2.31.0-5.oe2403sp2.src.rpm python-requests-2.31.0-5.oe2403sp3.src.rpm python-requests-2.24.0-6.oe2003sp4.src.rpm python-requests-2.26.0-12.oe2203sp4.src.rpm python-requests-2.31.0-5.oe2403.src.rpm python-requests-help-2.31.0-5.oe2403sp1.noarch.rpm python3-requests-2.31.0-5.oe2403sp1.noarch.rpm python-requests-help-2.31.0-5.oe2403sp2.noarch.rpm python3-requests-2.31.0-5.oe2403sp2.noarch.rpm python-requests-help-2.31.0-5.oe2403sp3.noarch.rpm python3-requests-2.31.0-5.oe2403sp3.noarch.rpm python-requests-help-2.24.0-6.oe2003sp4.noarch.rpm python2-requests-2.24.0-6.oe2003sp4.noarch.rpm python3-requests-2.24.0-6.oe2003sp4.noarch.rpm python-requests-help-2.26.0-12.oe2203sp4.noarch.rpm python3-requests-2.26.0-12.oe2203sp4.noarch.rpm python-requests-help-2.31.0-5.oe2403.noarch.rpm python3-requests-2.31.0-5.oe2403.noarch.rpm Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access. 2026-04-03 CVE-2026-25645 openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N python-requests security update 2026-04-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1791