Split CVE-2023-43804 patch into 2 parts

2023-12-14 18:15:08 +03:00 · 2023-12-14 18:15:08 +03:00 · 0edefe35cf
commit 0edefe35cf
parent fa59ce97fd
3 changed files with 31 additions and 14 deletions
--- a/SOURCES/CVE-2023-43804-aws.patch
+++ b/SOURCES/CVE-2023-43804-aws.patch
@ -11,19 +11,8 @@ Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
 test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
 5 files changed, 35 insertions(+), 9 deletions(-)

-diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
+diff --git a/aws/urllib3/util/retry.py b/aws/urllib3/util/retry.py
 index ea48afe3ca..7572bfd26a 100644
--- a/kubevirt/urllib3/util/retry.py
-+++ b/kubevirt/urllib3/util/retry.py
-@@ -187,7 +187,7 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
- 
-     #: Default maximum backoff time.
-     DEFAULT_BACKOFF_MAX = 120
 --- a/aws/urllib3/util/retry.py
 +++ b/aws/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
--- a/SOURCES/CVE-2023-43804-kubevirt.patch
+++ b/SOURCES/CVE-2023-43804-kubevirt.patch
@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst                               |  5 ++++
+ docs/user-guide.rst                       |  3 +++
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/kubevirt/urllib3/util/retry.py
+++ b/kubevirt/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
--- a/SPECS/fence-agents.spec
+++ b/SPECS/fence-agents.spec
@ -243,7 +243,8 @@ Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch

 # Patches were taken from:
 # https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
-Patch1002: CVE-2023-43804.patch
+Patch1002: CVE-2023-43804-kubevirt.patch
+Patch1003: CVE-2023-43804-aws.patch

 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@ -436,6 +437,7 @@ sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/suppo
 %ifarch x86_64
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1003}
 popd
 %endif

@ -446,7 +448,7 @@ rm -rf kubevirt/rsa*

 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1002}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1002}
 popd

 ./autogen.sh