diff --git a/RHEL-136069-fix-bundled-urllib3-CVE-2025-66418.patch b/RHEL-136069-fix-bundled-urllib3-CVE-2025-66418.patch new file mode 100644 index 0000000..91dcdf7 --- /dev/null +++ b/RHEL-136069-fix-bundled-urllib3-CVE-2025-66418.patch @@ -0,0 +1,91 @@ +--- a/aws/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200 ++++ b/aws/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100 +@@ -135,8 +135,18 @@ + they were applied. + """ + ++ # Maximum allowed number of chained HTTP encodings in the ++ # Content-Encoding header. ++ max_decode_links = 5 ++ + def __init__(self, modes): +- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")] ++ encodings = [m.strip() for m in modes.split(",")] ++ if len(encodings) > self.max_decode_links: ++ raise DecodeError( ++ "Too many content encodings in the chain: " ++ f"{len(encodings)} > {self.max_decode_links}" ++ ) ++ self._decoders = [_get_decoder(e) for e in encodings] + + def flush(self): + return self._decoders[0].flush() + +--- a/azure/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200 ++++ b/azure/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100 +@@ -135,8 +135,18 @@ + they were applied. + """ + ++ # Maximum allowed number of chained HTTP encodings in the ++ # Content-Encoding header. ++ max_decode_links = 5 ++ + def __init__(self, modes): +- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")] ++ encodings = [m.strip() for m in modes.split(",")] ++ if len(encodings) > self.max_decode_links: ++ raise DecodeError( ++ "Too many content encodings in the chain: " ++ f"{len(encodings)} > {self.max_decode_links}" ++ ) ++ self._decoders = [_get_decoder(e) for e in encodings] + + def flush(self): + return self._decoders[0].flush() + +--- a/google/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200 ++++ b/google/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100 +@@ -135,8 +135,18 @@ + they were applied. + """ + ++ # Maximum allowed number of chained HTTP encodings in the ++ # Content-Encoding header. ++ max_decode_links = 5 ++ + def __init__(self, modes): +- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")] ++ encodings = [m.strip() for m in modes.split(",")] ++ if len(encodings) > self.max_decode_links: ++ raise DecodeError( ++ "Too many content encodings in the chain: " ++ f"{len(encodings)} > {self.max_decode_links}" ++ ) ++ self._decoders = [_get_decoder(e) for e in encodings] + + def flush(self): + return self._decoders[0].flush() + +--- a/kubevirt/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200 ++++ b/kubevirt/urllib3/response.py 2026-01-02 11:19:25.583808492 +0100 +@@ -135,8 +135,18 @@ + they were applied. + """ + ++ # Maximum allowed number of chained HTTP encodings in the ++ # Content-Encoding header. ++ max_decode_links = 5 ++ + def __init__(self, modes): +- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")] ++ encodings = [m.strip() for m in modes.split(",")] ++ if len(encodings) > self.max_decode_links: ++ raise DecodeError( ++ "Too many content encodings in the chain: " ++ f"{len(encodings)} > {self.max_decode_links}" ++ ) ++ self._decoders = [_get_decoder(e) for e in encodings] + + def flush(self): + return self._decoders[0].flush() diff --git a/fence-agents.spec b/fence-agents.spec index 970f531..444a6be 100644 --- a/fence-agents.spec +++ b/fence-agents.spec @@ -57,7 +57,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.10.0 -Release: 101%{?alphatag:.%{alphatag}}%{?dist} +Release: 102%{?alphatag:.%{alphatag}}%{?dist} License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/fence-agents Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz @@ -265,6 +265,7 @@ Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch Patch2000: bz2217902-2-aws-azure-fix-bundled-dateutil-CVE-2007-4559.patch Patch2001: RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch Patch2002: RHEL-95901-pkg_resources-suppress-UserWarning.patch +Patch2003: RHEL-136069-fix-bundled-urllib3-CVE-2025-66418.patch %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath nutanix_ahv redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti %ifarch x86_64 @@ -514,6 +515,7 @@ pushd support /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2000} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2002} +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2003} %endif popd @@ -1574,6 +1576,10 @@ are located on corosync cluster nodes. %endif %changelog +* Fri Jan 2 2026 Oyvind Albrigtsen - 4.10.0-102 +- bundled urllib3: fix CVE-2025-66418 + Resolves: RHEL-136069 + * Tue Nov 18 2025 Oyvind Albrigtsen - 4.10.0-101 - fence_gce: fix node list limit Resolves: RHEL-128926