The python-requests module has been updated to version 2.8.1, which brings several fixes and enhancements:
Fix handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing. (bsc#922448, CVE-2015-2296)
Add support for per-host proxies. This allows the proxies dictionary to have entries of the form {'<scheme>://<hostname>': '<proxy>'}. Host-specific proxies will be used in preference to the previously-supported scheme-specific ones, but the previous syntax will continue to work.
Update certificate bundle to match 'certifi' 2015.9.6.2's weak certificate bundle.
Response.raise_for_status now prints the URL that failed as part of the exception message.
requests.utils.get_netrc_auth now takes an raise_errors kwarg, defaulting to False. When True, errors parsing .netrc files cause exceptions to be thrown.
Change to bundled projects import logic to make it easier to unbundle requests downstream.
Change the default User-Agent string to avoid leaking data on Linux: now contains only the requests version.
The json parameter to post() and friends will now only be used if neither data nor files are present, consistent with the documentation.
Empty fields in the NO_PROXY environment variable are now ignored.
Fix problem where httplib.BadStatusLine would get raised if combining stream=True with contextlib.closing.
Prevent bugs where we would attempt to return the same connection back to the connection pool twice when sending a Chunked body.
Digest Auth support is now thread safe.
Resolved several bugs involving chunked transfer encoding and response framing.
Copy a PreparedRequest's CookieJar more reliably.
Support bytearrays when passed as parameters in the 'files' argument.
Avoid data duplication when creating a request with 'str', 'bytes', or 'bytearray' input to the 'files'...
2.8.1-6.9.1