diff --git a/fix-cve-2024-35195.patch b/fix-cve-2024-35195.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b8dc53b1fdc17892fdd02ce0981a73dd767ab182
--- /dev/null
+++ b/fix-cve-2024-35195.patch
@@ -0,0 +1,125 @@
+From 73b12bb30809b0f842011b800027e31953a78f38 Mon Sep 17 00:00:00 2001
+From: root
+Date: Thu, 11 Jul 2024 15:46:51 +0800
+Subject: [PATCH] fix-cve-2024-35195
+
+---
+ requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++++-
+ tests/test_requests.py | 8 ++++++
+ 2 files changed, 65 insertions(+), 1 deletion(-)
+
+diff --git a/requests/adapters.py b/requests/adapters.py
+index 78e3bb6..7eafebb 100644
+--- a/requests/adapters.py
++++ b/requests/adapters.py
+@@ -8,6 +8,7 @@ and maintain connections.
+
+ import os.path
+ import socket # noqa: F401
++import typing
+
+ from urllib3.exceptions import ClosedPoolError, ConnectTimeoutError
+ from urllib3.exceptions import HTTPError as _HTTPError
+@@ -61,12 +62,38 @@ except ImportError:
+ raise InvalidSchema("Missing dependencies for SOCKS support.")
+
+
++if typing.TYPE_CHECKING:
++ from .models import PreparedRequest
++
++
+ DEFAULT_POOLBLOCK = False
+ DEFAULT_POOLSIZE = 10
+ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+
+
++def _urllib3_request_context(
++ request: "PreparedRequest", verify: "bool | str | None"
++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])":
++ host_params = {}
++ pool_kwargs = {}
++ parsed_request_url = urlparse(request.url)
++ scheme = parsed_request_url.scheme.lower()
++ port = parsed_request_url.port
++ cert_reqs = "CERT_REQUIRED"
++ if verify is False:
++ cert_reqs = "CERT_NONE"
++ if isinstance(verify, str):
++ pool_kwargs["ca_certs"] = verify
++ pool_kwargs["cert_reqs"] = cert_reqs
++ host_params = {
++ "scheme": scheme,
++ "host": parsed_request_url.hostname,
++ "port": port,
++ }
++ return host_params, pool_kwargs
++
++
+ class BaseAdapter:
+ """The Base Transport Adapter"""
+
+@@ -328,6 +355,35 @@ class HTTPAdapter(BaseAdapter):
+
+ return response
+
++ def _get_connection(self, request, verify, proxies=None):
++ # Replace the existing get_connection without breaking things and
++ # ensure that TLS settings are considered when we interact with
++ # urllib3 HTTP Pools
++ proxy = select_proxy(request.url, proxies)
++ try:
++ host_params, pool_kwargs = _urllib3_request_context(request, verify)
++ except ValueError as e:
++ raise InvalidURL(e, request=request)
++ if proxy:
++ proxy = prepend_scheme_if_needed(proxy, "http")
++ proxy_url = parse_url(proxy)
++ if not proxy_url.host:
++ raise InvalidProxyURL(
++ "Please check proxy URL. It is malformed "
++ "and could be missing the host."
++ )
++ proxy_manager = self.proxy_manager_for(proxy)
++ conn = proxy_manager.connection_from_host(
++ **host_params, pool_kwargs=pool_kwargs
++ )
++ else:
++ # Only scheme should be lower case
++ conn = self.poolmanager.connection_from_host(
++ **host_params, pool_kwargs=pool_kwargs
++ )
++
++ return conn
++
+ def get_connection(self, url, proxies=None):
+ """Returns a urllib3 connection for the given URL. This should not be
+ called from user code, and is only exposed for use when subclassing the
+@@ -451,7 +507,7 @@ class HTTPAdapter(BaseAdapter):
+ """
+
+ try:
+- conn = self.get_connection(request.url, proxies)
++ conn = self._get_connection(request.verify, proxies)
+ except LocationValueError as e:
+ raise InvalidURL(e, request=request)
+
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index b420c44..9f33cf7 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -2808,3 +2808,11 @@ class TestPreparingURLs:
+ with pytest.raises(requests.exceptions.JSONDecodeError) as excinfo:
+ r.json()
+ assert excinfo.value.doc == r.text
++
++ def test_different_connection_pool_for_tls_settings(self):
++ s = requests.Session()
++ r1 = s.get("https://invalid.badssl.com", verify=False)
++ assert r1.status_code == 421
++ with pytest.raises(requests.exceptions.SSLError):
++ s.get("https://invalid.badssl.com")
++
+--
+2.33.0
+
diff --git a/python-requests.spec b/python-requests.spec
index d0b47b40282dc7403e9bfaaafcec1dc1d456c64e..e36dde2a73055c120599e1742a5264891fae00a5 100644
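Review bot: The call site rewritten in the `@@ -451,7 +507,7 @@` hunk passes the wrong arguments: `conn = self._get_connection(request.verify, proxies)` binds `request.verify` to the `request` parameter and `proxies` to `verify`, whereas the `_get_connection(self, request, verify, proxies=None)` added in the `@@ -328,6 +355,35 @@` hunk expects the prepared request and `send()`'s `verify` value separately. As far as I can tell PreparedRequest carries no `verify` attribute, so every `send()` would fail with AttributeError before reaching urllib3; and even if it did, the pool would be keyed on `proxies` rather than the TLS setting, which is exactly what CVE-2024-35195 is about, so the backport would not deliver the fix it claims. The line should read `conn = self._get_connection(request, verify, proxies)`, matching the upstream commit cited in the spec; `send()` itself starts and ends outside the hunk, which is where `verify` comes from. A smaller follow-up point: `_urllib3_request_context` keys the pool only on `cert_reqs`/`ca_certs`, so requests that differ only in the client-certificate `cert` argument still share a pool — upstream later extended the context for that, and it may be worth confirming whether that is in scope here.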
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
%bcond_with tests
@@ -21,6 +21,8 @@ designed to make HTTP requests easy for developers.
%package -n python%{python3_pkgversion}-requests
Summary: HTTP library, written in Python, for human beings
+#https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356
+Patch1: fix-cve-2024-35195.patch
%{?python_provide:%python_provide python%{python3_pkgversion}-requests}
@@ -91,6 +93,9 @@ sed -i 's/ --doctest-modules//' pyproject.toml
%doc README.md HISTORY.md
%changelog
+* Thu Jul 11 2024 yangxinyu - 2.31.0-3
+- fix-cve-2024-35195
+
* Tue Mar 12 2024 Zhao Hang - 2.31.0-2
- Rebuild with python3.11
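Review bot: `Patch1: fix-cve-2024-35195.patch` is declared in the `@@ -21,6 +21,8 @@` hunk, but nothing in this diff applies it; if the `%prep` section (outside these hunks) uses a plain `%setup` rather than `%autosetup -p1` or `%autopatch`, the patch ships in the SRPM yet never reaches the build tree, and the changelog entry would claim a fix that is not built. Please confirm `%prep` applies numbered patches, or add `%patch1 -p1` there; the patch's `a/requests/adapters.py` paths need strip level 1. It is also worth a comment next to `Patch1` noting that the patch is a backport that diverges from the cited upstream commit, so future rebases compare against the right baseline.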