- bundled urllib3: fix CVE-2024-37891, CVE-2025-66418, CVE-2025-66471,

and CVE-2026-21441 on ppc64le Resolves: RHEL-146344
2026-02-09 13:00:29 +01:00 · 2026-02-09 13:00:29 +01:00 · 1b4747eee3
commit 1b4747eee3
parent b7f32f4979
5 changed files with 360 additions and 4 deletions
--- a/RHEL-146344-RHEL-146282-fix-bundled-urllib3-CVE-2026-21441.patch
+++ b/RHEL-146344-RHEL-146282-fix-bundled-urllib3-CVE-2026-21441.patch
@ -29,3 +29,35 @@
         except self.DECODER_ERROR_CLASSES as e:
             content_encoding = self.headers.get("content-encoding", "").lower()
             raise DecodeError(
+
+--- a/kubevirt/urllib3/response.py	2026-02-03 08:20:11.000000000 +0100
+++ b/kubevirt/urllib3/response.py	2026-02-03 09:11:38.017998476 +0100
+@@ -350,6 +350,7 @@
+         self.reason = reason
+         self.strict = strict
+         self.decode_content = decode_content
+        self._has_decoded_content = False
+         self.retries = retries
+         self.enforce_content_length = enforce_content_length
+         self.auto_close = auto_close
+@@ -414,7 +415,11 @@
+         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+         """
+         try:
+-            self.read()
+            self.read(
+                # Do not spend resources decoding the content unless
+                # decoding has already been initiated.
+                decode_content=self._has_decoded_content,
+            )
+         except (HTTPError, SocketError, BaseSSLError, HTTPException):
+             pass
+ 
+@@ -536,6 +541,7 @@
+         try:
+             if self._decoder:
+                 data = self._decoder.decompress(data, max_length=max_length)
+                self._has_decoded_content = True
+         except self.DECODER_ERROR_CLASSES as e:
+             content_encoding = self.headers.get("content-encoding", "").lower()
+             raise DecodeError(
--- a/RHEL-146344-fix-bundled-urllib3-CVE-2024-37891.patch
+++ b/RHEL-146344-fix-bundled-urllib3-CVE-2024-37891.patch
@ -30,3 +30,19 @@ index 7a76a4a6ad..0456cceba4 100644
 
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
+
+diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/kubevirt/urllib3/util/retry.py
+++ b/kubevirt/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
--- a/RHEL-146344-fix-bundled-urllib3-CVE-2025-66418.patch
+++ b/RHEL-146344-fix-bundled-urllib3-CVE-2025-66418.patch
@ -20,3 +20,26 @@
 
     def flush(self):
         return self._decoders[0].flush()
+
+--- a/kubevirt/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
+++ b/kubevirt/urllib3/response.py	2026-01-02 11:19:25.583808492 +0100
+@@ -135,8 +135,18 @@
+         they were applied.
+     """
+ 
+    # Maximum allowed number of chained HTTP encodings in the
+    # Content-Encoding header.
+    max_decode_links = 5
+
+     def __init__(self, modes):
+-        self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
+        encodings = [m.strip() for m in modes.split(",")]
+        if len(encodings) > self.max_decode_links:
+            raise DecodeError(
+                "Too many content encodings in the chain: "
+                f"{len(encodings)} > {self.max_decode_links}"
+            )
+        self._decoders = [_get_decoder(e) for e in encodings]
+ 
+     def flush(self):
+         return self._decoders[0].flush()
--- a/RHEL-146344-fix-bundled-urllib3-CVE-2025-66471.patch
+++ b/RHEL-146344-fix-bundled-urllib3-CVE-2025-66471.patch
@ -226,6 +226,288 @@
 +        return any(d.has_unconsumed_tail for d in self._decoders)
 
 
+ def _get_decoder(mode):
+@@ -405,16 +517,25 @@
+     if brotli is not None:
+         DECODER_ERROR_CLASSES += (brotli.error,)
+ 
+-    def _decode(self, data, decode_content, flush_decoder):
+    def _decode(
+        self,
+        data: bytes,
+        decode_content: bool,
+        flush_decoder: bool,
+        max_length: int = None,
+    ) -> bytes:
+         """
+         Decode the data passed in and potentially flush the decoder.
+         """
+         if not decode_content:
+             return data
+ 
+        if max_length is None or flush_decoder:
+            max_length = -1
+
+         try:
+             if self._decoder:
+-                data = self._decoder.decompress(data)
+                data = self._decoder.decompress(data, max_length=max_length)
+         except self.DECODER_ERROR_CLASSES as e:
+             content_encoding = self.headers.get("content-encoding", "").lower()
+             raise DecodeError(
+@@ -634,7 +755,10 @@
+             for line in self.read_chunked(amt, decode_content=decode_content):
+                 yield line
+         else:
+-            while not is_fp_closed(self._fp):
+            while (
+                not is_fp_closed(self._fp)
+                or (self._decoder and self._decoder.has_unconsumed_tail)
+            ):
+                 data = self.read(amt=amt, decode_content=decode_content)
+ 
+                 if data:
+@@ -840,7 +964,10 @@
+                     break
+                 chunk = self._handle_chunk(amt)
+                 decoded = self._decode(
+-                    chunk, decode_content=decode_content, flush_decoder=False
+                    chunk,
+                    decode_content=decode_content,
+                    flush_decoder=False,
+                    max_length=amt,
+                 )
+                 if decoded:
+                     yield decoded
+
+--- a/kubevirt/urllib3/response.py	2026-01-20 10:46:57.006470161 +0100
+++ b/kubevirt/urllib3/response.py	2026-01-20 10:55:44.090084896 +0100
+@@ -23,6 +23,7 @@
+ from .exceptions import (
+     BodyNotHttplibCompatible,
+     DecodeError,
+    DependencyWarning,
+     HTTPError,
+     IncompleteRead,
+     InvalidChunkLength,
+@@ -41,34 +42,60 @@
+ class DeflateDecoder(object):
+     def __init__(self):
+         self._first_try = True
+-        self._data = b""
+        self._first_try_data = b""
+        self._unfed_data = b""
+         self._obj = zlib.decompressobj()
+ 
+     def __getattr__(self, name):
+         return getattr(self._obj, name)
+ 
+-    def decompress(self, data):
+-        if not data:
+    def decompress(self, data: bytes, max_length: int = -1) -> bytes:
+        data = self._unfed_data + data
+        self._unfed_data = b""
+        if not data and not self._obj.unconsumed_tail:
+             return data
+        original_max_length = max_length
+        if original_max_length < 0:
+            max_length = 0
+        elif original_max_length == 0:
+            # We should not pass 0 to the zlib decompressor because 0 is
+            # the default value that will make zlib decompress without a
+            # length limit.
+            # Data should be stored for subsequent calls.
+            self._unfed_data = data
+            return b""
+ 
+        # Subsequent calls always reuse `self._obj`. zlib requires
+        # passing the unconsumed tail if decompression is to continue.
+         if not self._first_try:
+-            return self._obj.decompress(data)
+            return self._obj.decompress(
+                self._obj.unconsumed_tail + data, max_length=max_length
+            )
+ 
+-        self._data += data
+        # First call tries with RFC 1950 ZLIB format.
+        self._first_try_data += data
+         try:
+-            decompressed = self._obj.decompress(data)
+            decompressed = self._obj.decompress(data, max_length=max_length)
+             if decompressed:
+                 self._first_try = False
+-                self._data = None
+                self._first_try_data = b""
+             return decompressed
+        # On failure, it falls back to RFC 1951 DEFLATE format.
+         except zlib.error:
+             self._first_try = False
+             self._obj = zlib.decompressobj(-zlib.MAX_WBITS)
+             try:
+-                return self.decompress(self._data)
+                return self.decompress(
+                    self._first_try_data, max_length=original_max_length
+                )
+             finally:
+-                self._data = None
+                self._first_try_data = b""
+ 
+    @property
+    def has_unconsumed_tail(self) -> bool:
+        return bool(self._unfed_data) or (
+            bool(self._obj.unconsumed_tail) and not self._first_try
+        )
+ 
+ class GzipDecoderState(object):
+ 
+@@ -81,30 +108,64 @@
+     def __init__(self):
+         self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)
+         self._state = GzipDecoderState.FIRST_MEMBER
+        self._unconsumed_tail = b""
+ 
+     def __getattr__(self, name):
+         return getattr(self._obj, name)
+ 
+-    def decompress(self, data):
+    def decompress(self, data: bytes, max_length: int = -1) -> bytes:
+         ret = bytearray()
+-        if self._state == GzipDecoderState.SWALLOW_DATA or not data:
+        if self._state == GzipDecoderState.SWALLOW_DATA:
+            return bytes(ret)
+
+        if max_length == 0:
+            # We should not pass 0 to the zlib decompressor because 0 is
+            # the default value that will make zlib decompress without a
+            # length limit.
+            # Data should be stored for subsequent calls.
+            self._unconsumed_tail += data
+            return b""
+
+        # zlib requires passing the unconsumed tail to the subsequent
+        # call if decompression is to continue.
+        data = self._unconsumed_tail + data
+        if not data and self._obj.eof:
+             return bytes(ret)
+
+         while True:
+             try:
+-                ret += self._obj.decompress(data)
+                ret += self._obj.decompress(
+                    data, max_length=max(max_length - len(ret), 0)
+                )
+             except zlib.error:
+                 previous_state = self._state
+                 # Ignore data after the first error
+                 self._state = GzipDecoderState.SWALLOW_DATA
+                self._unconsumed_tail = b""
+                 if previous_state == GzipDecoderState.OTHER_MEMBERS:
+                     # Allow trailing garbage acceptable in other gzip clients
+                     return bytes(ret)
+                 raise
+-            data = self._obj.unused_data
+
+            self._unconsumed_tail = data = (
+                self._obj.unconsumed_tail or self._obj.unused_data
+            )
+            if max_length > 0 and len(ret) >= max_length:
+                break
+
+             if not data:
+                 return bytes(ret)
+-            self._state = GzipDecoderState.OTHER_MEMBERS
+-            self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)
+            # When the end of a gzip member is reached, a new decompressor
+            # must be created for unused (possibly future) data.
+            if self._obj.eof:
+                self._state = GzipDecoderState.OTHER_MEMBERS
+                self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)
+
+        return bytes(ret)
+
+    @property
+    def has_unconsumed_tail(self) -> bool:
+        return bool(self._unconsumed_tail)
+ 
+ 
+ if brotli is not None:
+@@ -116,9 +177,35 @@
+         def __init__(self):
+             self._obj = brotli.Decompressor()
+             if hasattr(self._obj, "decompress"):
+-                self.decompress = self._obj.decompress
+                setattr(self, "_decompress", self._obj.decompress)
+             else:
+-                self.decompress = self._obj.process
+                setattr(self, "_decompress", self._obj.process)
+
+        # Requires Brotli >= 1.2.0 for `output_buffer_limit`.
+        def _decompress(self, data: bytes, output_buffer_limit: int = -1) -> bytes:
+            raise NotImplementedError()
+
+        def decompress(self, data: bytes, max_length: int = -1) -> bytes:
+            try:
+                if max_length > 0:
+                    return self._decompress(data, output_buffer_limit=max_length)
+                else:
+                    return self._decompress(data)
+            except TypeError:
+                # Fallback for Brotli/brotlicffi/brotlipy versions without
+                # the `output_buffer_limit` parameter.
+                warnings.warn(
+                    "Brotli >= 1.2.0 is required to prevent decompression bombs.",
+                    DependencyWarning,
+                )
+                return self._decompress(data)
+
+        @property
+        def has_unconsumed_tail(self) -> bool:
+            try:
+                return not self._obj.can_accept_more_data()
+            except AttributeError:
+                return False
+ 
+         def flush(self):
+             if hasattr(self._obj, "flush"):
+@@ -151,10 +238,35 @@
+     def flush(self):
+         return self._decoders[0].flush()
+ 
+-    def decompress(self, data):
+-        for d in reversed(self._decoders):
+-            data = d.decompress(data)
+-        return data
+    def decompress(self, data: bytes, max_length: int = -1) -> bytes:
+        if max_length <= 0:
+            for d in reversed(self._decoders):
+                data = d.decompress(data)
+            return data
+
+        ret = bytearray()
+        # Every while loop iteration goes through all decoders once.
+        # It exits when enough data is read or no more data can be read.
+        # It is possible that the while loop iteration does not produce
+        # any data because we retrieve up to `max_length` from every
+        # decoder, and the amount of bytes may be insufficient for the
+        # next decoder to produce enough/any output.
+        while True:
+            any_data = False
+            for d in reversed(self._decoders):
+                data = d.decompress(data, max_length=max_length - len(ret))
+                if data:
+                    any_data = True
+                # We should not break when no data is returned because
+                # next decoders may produce data even with empty input.
+            ret += data
+            if not any_data or len(ret) >= max_length:
+                return bytes(ret)
+            data = b""
+
+    @property
+    def has_unconsumed_tail(self) -> bool:
+        return any(d.has_unconsumed_tail for d in self._decoders)
+ 
+ 
 def _get_decoder(mode):
@@ -405,16 +517,25 @@
     if brotli is not None:
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -57,7 +57,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 108%{?alphatag:.%{alphatag}}%{?dist}
+Release: 109%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -1595,11 +1595,14 @@ are located on corosync cluster nodes.
 %endif

 %changelog
-* Thu Feb  5 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-108
- bundled urllib3: fix issue with CVE-2026-21441 patch
+* Mon Feb  9 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-109
 - bundled urllib3: fix CVE-2024-37891, CVE-2025-66418, CVE-2025-66471,
  and CVE-2026-21441 on ppc64le
-  Resolves: RHEL-146282, RHEL-146344
+  Resolves: RHEL-146344
+
+* Thu Feb  5 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-108
+- bundled urllib3: fix issue with CVE-2026-21441 patch
+  Resolves: RHEL-146282

 * Thu Jan 29 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-107
 - fence_ibm_vpc: fix missing statuses