FERRAMENTAS LINUX: How to Lock Down Python’s requests Library When TLS Certificate Verification Fails

Wednesday, April 29, 2026

How to Lock Down Python’s requests Library When TLS Certificate Verification Fails

openSUSE
 


OpenSUSE vulnerability from 2026? Old news. What matters: How to detect broken TLS verification in Python requests. Commands, automation script, and fallback mitigations inside.


The Problem That Won’t Age


In early 2026, an openSUSE security advisory (2026-1644-1) highlighted a flaw in python-requests – the library sometimes skipped SSL/TLS certificate validation. That’s a man-in-the-middle attack waiting to happen.


The specific CVE is patched now. But the underlying issue – silently trusting unverified HTTPS connections – keeps reappearing in misconfigured systems, outdated containers, or careless code.

This guide is your reusable playbook for openSUSE. Use it today. Use it next year.


How to Check If You Are Vulnerable (Right Now)


Run these commands to see if your python-requests ignores certificate errors:

bash
# Check installed version (vulnerable if < 2.32.0)
zypper info python-requests | grep Version

# Test actual behavior (needs network access: expired.badssl.com deliberately serves an expired certificate).
# A correctly verifying requests raises SSLError; a silent success means verification is being skipped.
python3 - <<'EOF'
import requests
try:
    requests.get('https://expired.badssl.com', timeout=10)
    print("VULNERABLE: expired certificate accepted")
except requests.exceptions.SSLError:
    print("OK: certificate verification enforced")
except requests.exceptions.RequestException as e:
    print("INCONCLUSIVE (could not reach the test host):", e)
EOF

# Check if your code disables verification (-n prints the line number; the pattern tolerates spaces around '=')
grep -rn "verify *= *False" /home/*/ --include="*.py" 2>/dev/null


What you’re looking for:

Package version below 2.32.0 → update now

Any script using verify=False → rewrite to use valid certs or proper CA bundles


Automation Script to Apply the Fix (For This & Future CVEs)



Save as fix_requests_tls.sh – works on openSUSE Leap 15.x / Tumbleweed:

bash
#!/bin/bash
# Hardens python-requests against TLS verification bypass
# Run as root or with sudo

set -e

echo "[*] Updating python-requests to latest secure version..."
zypper --non-interactive update python-requests

echo "[*] Forcing system CA trust store usage..."
# Ensure the system CA bundle is installed and current
zypper --non-interactive install ca-certificates ca-certificates-mozilla

# Create sitecustomize.py to globally enforce verification.
# Ask the interpreter for its real site-packages directory instead of using a glob:
# a glob matching zero or several directories would create a misnamed file or fail the redirect.
# Only interpreters sharing this site-packages (not virtualenvs) pick up the hook.
SITE_PACKAGES="$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])')"
SITECUSTOMIZE="$SITE_PACKAGES/sitecustomize.py"
if [ -e "$SITECUSTOMIZE" ]; then
    echo "[!] $SITECUSTOMIZE already exists; merge the hook by hand instead of overwriting it" >&2
    exit 1
fi
cat > "$SITECUSTOMIZE" << 'EOF'
import warnings
try:
    import requests
except ImportError:
    requests = None  # requests not installed for this interpreter: nothing to hook

if requests is not None:
    original_request = requests.Session.request

    def verified_request(self, method, url, **kwargs):
        # Covers both the per-call kwarg and a Session whose .verify attribute was set to False;
        # a per-call verify=True overrides Session.verify inside requests.
        if kwargs.get('verify') is False or self.verify is False:
            warnings.warn("verify=False blocked by system policy", RuntimeWarning)
            kwargs['verify'] = True
        return original_request(self, method, url, **kwargs)

    requests.Session.request = verified_request
EOF

echo "[✓] Fix applied. Test with: python3 -c 'import requests; requests.get(\"https://expired.badssl.com\")'"

This script solves one CVE.



To learn how to create your own scripts for any future CVE – binary analysis, memory corruption, API hooking – you need the book:
Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly (https://amzn.to/4edo1k1) on Amazon.

This script fixes one vulnerability. That book teaches you to fix ALL the CVEs you’ve never seen.

Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing.


Alternative Mitigation (If You Can’t Update Now)



Stuck on an old version? Block the risky behavior without changing code:

1. iptables – Block unexpected external requests

bash
# Allow only specific trusted IPs (e.g., internal API).
# Note: OUTPUT rules apply to every process on the host, not just Python.
iptables -A OUTPUT -p tcp --dport 443 -d 10.0.0.0/8 -j ACCEPT
# Log, then reject, every other outbound HTTPS connection
iptables -A OUTPUT -p tcp --dport 443 -j LOG --log-prefix "BLOCKED_REQUESTS: "
iptables -A OUTPUT -p tcp --dport 443 -j REJECT


2. AppArmor – Restrict Python’s network access

Create /etc/apparmor.d/usr.bin.python3:

text
#include <tunables/global>

# Glob so the profile attaches to the real interpreter (/usr/bin/python3.11 etc.), not only the symlink
/usr/bin/python3* {
  #include <abstractions/base>
  #include <abstractions/python>
  #include <abstractions/nameservice>   # DNS lookups

  /usr/bin/python3* ix,

  # Allow only plain TCP sockets for DNS & HTTPS to your API
  network inet stream,
  network inet6 stream,

  # Denying the CA store makes TLS fail closed: code that loads its trust anchors from here
  # errors out instead of silently succeeding. It does not intercept an explicit verify=False,
  # which never reads the store at all.
  deny /etc/ssl/certs/** r,
}

Then load it with apparmor_parser -r /etc/apparmor.d/usr.bin.python3

3. HTTP proxy with TLS inspection

Point requests at the proxy's CA with export REQUESTS_CA_BUNDLE=/path/to/your-ca.pem and route traffic through Squid with SSL bump: even a verify=False call fails, because the proxy itself rejects invalid upstream certificates.



Conclusion

Most security advisories expire in weeks. Your systems shouldn’t.

You’ve now got a reusable script to lock down python-requests, three fallback mitigations when you can’t update, and a reliable way to check your own code for dangerous verify=False.

But here’s the hard truth: next month’s CVE will look different. That’s why the real investment isn’t in one-off patches – it’s in learning how to build your own analysis tools.

One script fixes a CVE.

Practical Binary Analysis fixes the CVEs you haven’t seen yet.

Run the script today. Master the craft for tomorrow.
