From 0edefe35cf4beacd34d3818c023d8bf42853d211 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 14 Dec 2023 18:15:08 +0300
Subject: [PATCH] Split CVE-2023-43804 patch into 2 parts

---
 ...3-43804.patch => CVE-2023-43804-aws.patch} | 13 +---------
 SOURCES/CVE-2023-43804-kubevirt.patch | 26 +++++++++++++++++++
 SPECS/fence-agents.spec | 6 +++--
 3 files changed, 31 insertions(+), 14 deletions(-)
 rename SOURCES/{CVE-2023-43804.patch => CVE-2023-43804-aws.patch} (81%)
 create mode 100644 SOURCES/CVE-2023-43804-kubevirt.patch

diff --git a/SOURCES/CVE-2023-43804.patch b/SOURCES/CVE-2023-43804-aws.patch
similarity index 81%
rename from SOURCES/CVE-2023-43804.patch
rename to SOURCES/CVE-2023-43804-aws.patch
index 6c3433e..67eee0b 100644
--- a/SOURCES/CVE-2023-43804.patch
+++ b/SOURCES/CVE-2023-43804-aws.patch
@@ -11,19 +11,8 @@ Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
  test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
  5 files changed, 35 insertions(+), 9 deletions(-)
 
-diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
+diff --git a/aws/urllib3/util/retry.py b/aws/urllib3/util/retry.py
 index ea48afe3ca..7572bfd26a 100644
---- a/kubevirt/urllib3/util/retry.py
-+++ b/kubevirt/urllib3/util/retry.py
-@@ -187,7 +187,7 @@ class Retry:
- RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
- #: Default headers to be used for ``remove_headers_on_redirect``
-- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
-+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
- 
- #: Default maximum backoff time.
- DEFAULT_BACKOFF_MAX = 120
 --- a/aws/urllib3/util/retry.py
 +++ b/aws/urllib3/util/retry.py
 @@ -187,7 +187,7 @@ class Retry:
diff --git a/SOURCES/CVE-2023-43804-kubevirt.patch b/SOURCES/CVE-2023-43804-kubevirt.patch
new file mode 100644
index 0000000..fb484e8
--- /dev/null
+++ b/SOURCES/CVE-2023-43804-kubevirt.patch
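Review bot: The header the aws patch keeps above its single hunk no longer describes it: the diffstat still reads `5 files changed, 35 insertions(+), 9 deletions(-)` with upstream `src/`, `test/` and docs entries, and the `index ea48afe3ca..7572bfd26a` line names upstream blobs, while the file now carries only the `aws/urllib3/util/retry.py` hunk. patch(1) skips the text before the first file header, so this applies fine, but it misleads the next reviewer about what was actually backported. A one-line note under the Subject such as `Backport of the src/urllib3/util/retry.py hunk only; paths rebased to the bundled aws/ copy.` (with the matching kubevirt/ wording in the new SOURCES/CVE-2023-43804-kubevirt.patch in the next hunk, which inherits the same upstream diffstat) would make the provenance accurate. The first ten lines of the retained file header lie outside this hunk.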
@@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst | 5 ++++
+ docs/user-guide.rst | 3 +++
+ src/urllib3/util/retry.py | 2 +-
+ test/test_retry.py | 4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/kubevirt/urllib3/util/retry.py
++++ b/kubevirt/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
diff --git a/SPECS/fence-agents.spec b/SPECS/fence-agents.spec
index 749e6ac..d0aa985 100644
--- a/SPECS/fence-agents.spec
+++ b/SPECS/fence-agents.spec
@@ -243,7 +243,8 @@ Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
 # Patches were taken from:
 # https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
-Patch1002: CVE-2023-43804.patch
+Patch1002: CVE-2023-43804-kubevirt.patch
+Patch1003: CVE-2023-43804-aws.patch
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@@ -436,6 +437,7 @@ sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/suppo
 %ifarch x86_64
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1003}
 popd
 %endif
@@ -446,7 +448,7 @@ rm -rf kubevirt/rsa*
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1002}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1002}
 popd
 ./autogen.sh
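Review bot: The added `/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1003}` line loosens context matching for a security fix, while the dateutil patch on the line above keeps `--fuzz=0`; the following hunk makes the same `--fuzz=0` to `--fuzz=2` relaxation for `%{PATCH1002}`. Fuzz 2 lets patch accept the hunk with two of its three context lines ignored at each end, so a context mismatch against the bundled urllib3 only yields a "succeeded with fuzz" message rather than a rejected hunk, and the one-line frozenset change could land on a similar-looking line without the build noticing that `Cookie` was never added. Regenerating the two patches against the bundled `aws/` and `kubevirt/` copies so they apply with `--fuzz=0` would be cleaner; failing that, a post-patch assertion such as `grep -q '"Cookie", "Authorization"' aws/urllib3/util/retry.py` (and its kubevirt counterpart) turns a silently unfixed bundle into a build failure. The surrounding %prep section continues outside both hunks.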