diff --git a/CVE-2023-32681.patch b/CVE-2023-32681.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2b4cd79a3ad4207cdc0d3f391f7a4521a7044099
--- /dev/null
+++ b/CVE-2023-32681.patch
@@ -0,0 +1,56 @@
+From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 22 May 2023 08:08:57 -0700
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+---
+ requests/sessions.py   |  4 +++-
+ tests/test_requests.py | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/requests/sessions.py b/requests/sessions.py
+index 6cb3b4dae3..dbcf2a7b0e 100644
+--- a/requests/sessions.py
++++ b/requests/sessions.py
+@@ -324,7 +324,9 @@ def rebuild_proxies(self, prepared_request, proxies):
+         except KeyError:
+             username, password = None, None
+ 
+-        if username and password:
++        # urllib3 handles proxy authorization for us in the standard adapter.
++        # Avoid appending this to TLS tunneled requests where it may be leaked.
++        if not scheme.startswith('https') and username and password:
+             headers["Proxy-Authorization"] = _basic_auth_str(username, password)
+ 
+         return new_proxies
+diff --git a/tests/test_requests.py b/tests/test_requests.py
+index b1c8dd4534..b420c44d73 100644
+--- a/tests/test_requests.py
++++ b/tests/test_requests.py
+@@ -647,6 +647,26 @@ def test_proxy_authorization_preserved_on_request(self, httpbin):
+ 
+         assert sent_headers.get("Proxy-Authorization") == proxy_auth_value
+ 
++
++    @pytest.mark.parametrize(
++        "url,has_proxy_auth",
++        (
++            ('http://example.com', True),
++            ('https://example.com', False),
++        ),
++    )
++    def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth):
++        session = requests.Session()
++        proxies = {
++            'http': 'http://test:pass@localhost:8080',
++            'https': 'http://test:pass@localhost:8090',
++        }
++        req = requests.Request('GET', url)
++        prep = req.prepare()
++        session.rebuild_proxies(prep, proxies)
++
++        assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth
++
+     def test_basicauth_with_netrc(self, httpbin):
+         auth = ("user", "pass")
+         wrong_auth = ("wronguser", "wrongpass")
diff --git a/python-requests.spec b/python-requests.spec
index 5d2250e911d8111f392b7f5e7663dd4df131e603..a87e3fa4858435e101ac3fc329cbef179f24581c 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2\n
 %bcond_without tests
 
 
@@ -10,6 +10,7 @@ Summary:        HTTP library, written in Python, for human beings
 License:        ASL 2.0
 URL:            https://pypi.io/project/requests
 Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz
+Patch1: CVE-2023-32681.patch\n
 
 BuildArch:      noarch
 
@@ -59,6 +60,7 @@ BuildArch:      noarch
 The python%{python3_pkgversion}-requests-doc package contains documentation files for python%{python3_pkgversion}-requests.
 
 %prep
+|
 %autosetup -p1 -n requests-%{version}
 
 # env shebang in nonexecutable file
@@ -91,6 +93,11 @@ sed -i 's/ --doctest-modules//' pyproject.toml
 %doc README.md HISTORY.md
 
 %changelog 
+|
+* Thu Jun 01 2023 Anolis Security Team - 2.28.2-2
+- Sync upstream changes from commit d9c9c5dd57c680d8dbd84f1b3c6b964994ea2df6
+- Apply patch for CVE-2023-32681: Prevent Proxy-Authorization header leakage in HTTPS requests via CONNECT tunnel
+
 * Wed Feb 22 2023 mgb01105731 <mgb01105731@alibaba-inc.com> - 2.28.2-1
 - update to version 2.28.2