- bundled urllib3: fix CVE-2025-66418
Resolves: RHEL-136069
This commit is contained in:
parent
d01d564d85
commit
1715eda529
91
RHEL-136069-fix-bundled-urllib3-CVE-2025-66418.patch
Normal file
91
RHEL-136069-fix-bundled-urllib3-CVE-2025-66418.patch
Normal file
@ -0,0 +1,91 @@
|
||||
--- a/aws/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
|
||||
+++ b/aws/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100
|
||||
@@ -135,8 +135,18 @@
|
||||
they were applied.
|
||||
"""
|
||||
|
||||
+ # Maximum allowed number of chained HTTP encodings in the
|
||||
+ # Content-Encoding header.
|
||||
+ max_decode_links = 5
|
||||
+
|
||||
def __init__(self, modes):
|
||||
- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
|
||||
+ encodings = [m.strip() for m in modes.split(",")]
|
||||
+ if len(encodings) > self.max_decode_links:
|
||||
+ raise DecodeError(
|
||||
+ "Too many content encodings in the chain: "
|
||||
+ f"{len(encodings)} > {self.max_decode_links}"
|
||||
+ )
|
||||
+ self._decoders = [_get_decoder(e) for e in encodings]
|
||||
|
||||
def flush(self):
|
||||
return self._decoders[0].flush()
|
||||
|
||||
--- a/azure/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
|
||||
+++ b/azure/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100
|
||||
@@ -135,8 +135,18 @@
|
||||
they were applied.
|
||||
"""
|
||||
|
||||
+ # Maximum allowed number of chained HTTP encodings in the
|
||||
+ # Content-Encoding header.
|
||||
+ max_decode_links = 5
|
||||
+
|
||||
def __init__(self, modes):
|
||||
- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
|
||||
+ encodings = [m.strip() for m in modes.split(",")]
|
||||
+ if len(encodings) > self.max_decode_links:
|
||||
+ raise DecodeError(
|
||||
+ "Too many content encodings in the chain: "
|
||||
+ f"{len(encodings)} > {self.max_decode_links}"
|
||||
+ )
|
||||
+ self._decoders = [_get_decoder(e) for e in encodings]
|
||||
|
||||
def flush(self):
|
||||
return self._decoders[0].flush()
|
||||
|
||||
--- a/google/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
|
||||
+++ b/google/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100
|
||||
@@ -135,8 +135,18 @@
|
||||
they were applied.
|
||||
"""
|
||||
|
||||
+ # Maximum allowed number of chained HTTP encodings in the
|
||||
+ # Content-Encoding header.
|
||||
+ max_decode_links = 5
|
||||
+
|
||||
def __init__(self, modes):
|
||||
- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
|
||||
+ encodings = [m.strip() for m in modes.split(",")]
|
||||
+ if len(encodings) > self.max_decode_links:
|
||||
+ raise DecodeError(
|
||||
+ "Too many content encodings in the chain: "
|
||||
+ f"{len(encodings)} > {self.max_decode_links}"
|
||||
+ )
|
||||
+ self._decoders = [_get_decoder(e) for e in encodings]
|
||||
|
||||
def flush(self):
|
||||
return self._decoders[0].flush()
|
||||
|
||||
--- a/kubevirt/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
|
||||
+++ b/kubevirt/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100
|
||||
@@ -135,8 +135,18 @@
|
||||
they were applied.
|
||||
"""
|
||||
|
||||
+ # Maximum allowed number of chained HTTP encodings in the
|
||||
+ # Content-Encoding header.
|
||||
+ max_decode_links = 5
|
||||
+
|
||||
def __init__(self, modes):
|
||||
- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
|
||||
+ encodings = [m.strip() for m in modes.split(",")]
|
||||
+ if len(encodings) > self.max_decode_links:
|
||||
+ raise DecodeError(
|
||||
+ "Too many content encodings in the chain: "
|
||||
+ f"{len(encodings)} > {self.max_decode_links}"
|
||||
+ )
|
||||
+ self._decoders = [_get_decoder(e) for e in encodings]
|
||||
|
||||
def flush(self):
|
||||
return self._decoders[0].flush()
|
||||
@ -57,7 +57,7 @@
|
||||
Name: fence-agents
|
||||
Summary: Set of unified programs capable of host isolation ("fencing")
|
||||
Version: 4.10.0
|
||||
Release: 101%{?alphatag:.%{alphatag}}%{?dist}
|
||||
Release: 102%{?alphatag:.%{alphatag}}%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
URL: https://github.com/ClusterLabs/fence-agents
|
||||
Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
|
||||
@ -265,6 +265,7 @@ Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
|
||||
Patch2000: bz2217902-2-aws-azure-fix-bundled-dateutil-CVE-2007-4559.patch
|
||||
Patch2001: RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch
|
||||
Patch2002: RHEL-95901-pkg_resources-suppress-UserWarning.patch
|
||||
Patch2003: RHEL-136069-fix-bundled-urllib3-CVE-2025-66418.patch
|
||||
|
||||
%global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath nutanix_ahv redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
|
||||
%ifarch x86_64
|
||||
@ -514,6 +515,7 @@ pushd support
|
||||
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2000}
|
||||
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
|
||||
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2002}
|
||||
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2003}
|
||||
%endif
|
||||
popd
|
||||
|
||||
@ -1574,6 +1576,10 @@ are located on corosync cluster nodes.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jan 2 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-102
|
||||
- bundled urllib3: fix CVE-2025-66418
|
||||
Resolves: RHEL-136069
|
||||
|
||||
* Tue Nov 18 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-101
|
||||
- fence_gce: fix node list limit
|
||||
Resolves: RHEL-128926
|
||||
|
||||
Loading…
Reference in New Issue
Block a user