new file mode 100644
@@ -0,0 +1,171 @@
+From 18792aaa0476efa64e88c7c45d627ae3cb28d0bc Mon Sep 17 00:00:00 2001
+From: Jiaying Song <jiaying.song.cn@windriver.com>
+Date: Tue, 3 Dec 2024 11:21:37 +0800
+Subject: [PATCH] python3-requests: fix CVE-2024-35195
+
+Requests is a HTTP library. Prior to 2.32.0, when making requests
+through a Requests `Session`, if the first request is made with
+`verify=False` to disable cert verification, all subsequent requests to
+the same host will continue to ignore cert verification regardless of
+changes to the value of `verify`. This behavior will continue for the
+lifecycle of the connection in the connection pool. This vulnerability
+is fixed in 2.32.0.
+
+References:
+https://nvd.nist.gov/vuln/detail/CVE-2024-35195
+
+Upstream patches:
+https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
+
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ .../python3-requests/CVE-2024-35195.patch | 121 ++++++++++++++++++
+ .../python/python3-requests_2.27.1.bb | 4 +-
+ 2 files changed, 124 insertions(+), 1 deletion(-)
+ create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
+
+diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
+new file mode 100644
+index 0000000000..be74ce60f3
+--- /dev/null
++++ b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
+@@ -0,0 +1,121 @@
++From d3718bf834660e62649951e92970bda3e57740de Mon Sep 17 00:00:00 2001
++From: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
++Date: Sun, 3 Mar 2024 07:00:49 -0600
++Subject: [PATCH] Use TLS settings in selecting connection pool
++
++Previously, if someone made a request with `verify=False` then made a
++request where they expected verification to be enabled to the same host,
++they would potentially reuse a connection where TLS had not been
++verified.
++
++This fixes that issue.
++
++Upstream-Status: Backport
++[https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac]
++
++CVE: CVE-2024-35195
++
++Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
++---
++ requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++++++-
++ 1 file changed, 57 insertions(+), 1 deletion(-)
++
++diff --git a/requests/adapters.py b/requests/adapters.py
++index d3b2d5b..0e5cf7c 100644
++--- a/requests/adapters.py
+++++ b/requests/adapters.py
++@@ -8,6 +8,7 @@ and maintain connections.
++
++ import os.path
++ import socket # noqa: F401
+++import typing
++
++ from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
++ from urllib3.exceptions import HTTPError as _HTTPError
++@@ -62,12 +63,38 @@ except ImportError:
++ raise InvalidSchema("Missing dependencies for SOCKS support.")
++
++
+++if typing.TYPE_CHECKING:
+++
+++
++ DEFAULT_POOLBLOCK = False
++ DEFAULT_POOLSIZE = 10
++ DEFAULT_RETRIES = 0
++ DEFAULT_POOL_TIMEOUT = None
++
++
+++def _urllib3_request_context(
+++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
+++
+++
++ class BaseAdapter:
++ """The Base Transport Adapter"""
++
++@@ -330,6 +357,35 @@ class HTTPAdapter(BaseAdapter):
++
++ return response
++
+++
+++
++ def get_connection(self, url, proxies=None):
++ """Returns a urllib3 connection for the given URL. This should not be
++ called from user code, and is only exposed for use when subclassing the
++@@ -453,7 +509,7 @@ class HTTPAdapter(BaseAdapter):
++ """
++
++ try:
++- conn = self.get_connection(request.url, proxies)
++ except LocationValueError as e:
++ raise InvalidURL(e, request=request)
++
++--
++2.25.1
++
+diff --git a/meta/recipes-devtools/python/python3-requests_2.27.1.bb b/meta/recipes-devtools/python/python3-requests_2.27.1.bb
+index 635a6af31f..689a1dffb7 100644
+--- a/meta/recipes-devtools/python/python3-requests_2.27.1.bb
++++ b/meta/recipes-devtools/python/python3-requests_2.27.1.bb
+@@ -3,7 +3,9 @@ HOMEPAGE = "http://python-requests.org"
+ LICENSE = "Apache-2.0"
+ LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
+
+-SRC_URI += "file://CVE-2023-32681.patch"
++SRC_URI += "file://CVE-2023-32681.patch \
++ file://CVE-2024-35195.patch \
++ "
+
+ SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61"
+
+--
+2.25.1
+
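Review bot: The last inner hunk of CVE-2024-35195.patch removes `conn = self.get_connection(request.url, proxies)` from an `HTTPAdapter` method (presumably `send()`), while `get_connection` stays in the class with a docstring saying it is exposed for subclassing. The replacement line and the bodies of the added helpers are not visible in this view, but if the call site now goes through a new private helper, as in the upstream commit, adapters that override `get_connection` are no longer consulted there and their connection selection is silently skipped. Before merging, check the layers that depend on this recipe for `HTTPAdapter` subclasses overriding `get_connection`, and record the behaviour change in the patch header, e.g. `Note: HTTPAdapter no longer calls get_connection() when sending; subclasses overriding it are bypassed`. The backport also touches only `requests/adapters.py`, so nothing in the recipe exercises a `verify=False` request followed by a verifying request to the same host on one `Session`; a ptest or a manual run of that sequence would confirm the pool is no longer shared on 2.27.1.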
@@ -1,4 +1,4 @@
-From d3718bf834660e62649951e92970bda3e57740de Mon Sep 17 00:00:00 2001
+From 5bedf76da0f76ab2d489972055a5d62066013427 Mon Sep 17 00:00:00 2001
From: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
Date: Sun, 3 Mar 2024 07:00:49 -0600
Subject: [PATCH] Use TLS settings in selecting connection pool
@@ -21,21 +21,21 @@ Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
1 file changed, 57 insertions(+), 1 deletion(-)
diff --git a/requests/adapters.py b/requests/adapters.py
-index d3b2d5b..0e5cf7c 100644
+index fe22ff4..7ff6998 100644
--- a/requests/adapters.py
+++ b/requests/adapters.py
-@@ -8,6 +8,7 @@ and maintain connections.
+@@ -10,6 +10,7 @@ and maintain connections.
import os.path
- import socket # noqa: F401
+ import socket
+import typing
- from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
- from urllib3.exceptions import HTTPError as _HTTPError
-@@ -62,12 +63,38 @@ except ImportError:
+ from urllib3.poolmanager import PoolManager, proxy_from_url
+ from urllib3.response import HTTPResponse
+@@ -47,12 +48,38 @@ except ImportError:
+ def SOCKSProxyManager(*args, **kwargs):
raise InvalidSchema("Missing dependencies for SOCKS support.")
-
+if typing.TYPE_CHECKING:
+ from .models import PreparedRequest
+
@@ -68,10 +68,10 @@ index d3b2d5b..0e5cf7c 100644
+ return host_params, pool_kwargs
+
+
- class BaseAdapter:
+ class BaseAdapter(object):
"""The Base Transport Adapter"""
-@@ -330,6 +357,35 @@ class HTTPAdapter(BaseAdapter):
+@@ -290,6 +317,35 @@ class HTTPAdapter(BaseAdapter):
return response
@@ -107,7 +107,7 @@ index d3b2d5b..0e5cf7c 100644
def get_connection(self, url, proxies=None):
"""Returns a urllib3 connection for the given URL. This should not be
called from user code, and is only exposed for use when subclassing the
-@@ -453,7 +509,7 @@ class HTTPAdapter(BaseAdapter):
+@@ -410,7 +466,7 @@ class HTTPAdapter(BaseAdapter):
"""
try: