- bundled urllib3: fix CVE-2023-45803

Resolves: RHEL-18132
- bundled pycryptodome: fix CVE-2023-52323
  Resolves: RHEL-20915

RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch

@@ -1,26 +0,0 @@
-From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
-From: Quentin Pradet <quentin.pradet@gmail.com>
-Date: Mon, 2 Oct 2023 19:46:16 +0400
-Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
-
----
- CHANGES.rst                               |  5 ++++
- docs/user-guide.rst                       |  3 +++
- src/urllib3/util/retry.py                 |  2 +-
- test/test_retry.py                        |  4 +--
- test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
- 5 files changed, 35 insertions(+), 9 deletions(-)
-
-diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index ea48afe3ca..7572bfd26a 100644
---- a/kubevirt/urllib3/util/retry.py
-+++ b/kubevirt/urllib3/util/retry.py
-@@ -187,7 +187,7 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
- 
-     #: Maximum backoff time.
-     BACKOFF_MAX = 120

RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch

@@ -1,26 +0,0 @@
-From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
-From: Quentin Pradet <quentin.pradet@gmail.com>
-Date: Mon, 2 Oct 2023 19:46:16 +0400
-Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
-
----
- CHANGES.rst                               |  5 ++++
- docs/user-guide.rst                       |  3 +++
- src/urllib3/util/retry.py                 |  2 +-
- test/test_retry.py                        |  4 +--
- test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
- 5 files changed, 35 insertions(+), 9 deletions(-)
-
-diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index ea48afe3ca..7572bfd26a 100644
---- a/aws/urllib3/util/retry.py
-+++ b/aws/urllib3/util/retry.py
-@@ -187,7 +187,7 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
- 
-     #: Maximum backoff time.
-     BACKOFF_MAX = 120

fence-agents.spec

@@ -11,7 +11,7 @@
 # alibaba
 # python-pycryptodome bundle
 %global pycryptodome		pycryptodome
-%global pycryptodome_version	3.6.4
+%global pycryptodome_version	3.20.0
 %global pycryptodome_dir	%{bundled_lib_dir}/aliyun/%{pycryptodome}
 # python-aliyun-sdk-core bundle
 %global aliyunsdkcore		aliyun-python-sdk-core
@@ -60,7 +60,7 @@
 %global six			six
 %global six_version		1.16.0
 %global urllib3 		urllib3
-%global urllib3_version		1.26.7
+%global urllib3_version 	1.26.18
 %global websocketclient 	websocket-client
 %global websocketclient_version 1.2.1
 %global jinja2			Jinja2
@@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 127%{?alphatag:.%{alphatag}}%{?dist}
+Release: 128%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@@ -286,10 +286,8 @@ Patch142: RHEL-14343-fence_zvmip-2-fix-manpage-formatting.patch
 ### HA support libs/utils ###
 # all archs
 Patch1000: bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
 # cloud (x86_64 only)
 Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch2001: RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch
 
 %if 0%{?fedora} || 0%{?rhel} > 7
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
@@ -623,11 +621,9 @@ rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt/rsa*
 # regular patch doesnt work in build-section
 pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
 
 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2001}
 %endif
 popd
 
@@ -1518,6 +1514,12 @@ Fence agent for IBM z/VM over IP.
 %endif
 
 %changelog
+* Thu Jan 18 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-128
+- bundled urllib3: fix CVE-2023-45803
+  Resolves: RHEL-18132
+- bundled pycryptodome: fix CVE-2023-52323
+  Resolves: RHEL-20915
+
 * Wed Jan  3 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-127
 - fence_scsi: fix registration handling if ISID conflicts
   Resolves: RHEL-5397

sources

@@ -20,7 +20,7 @@ SHA512 (openshift-0.12.1.tar.gz) = 35a0ecfbc12d657f5f79d4c752a7c023a2a5e3fc5e7b3
 SHA512 (packaging-21.2-py3-none-any.whl) = 620a077783da21db677eda413c7cfcd9a9112afd573deda853615fad5b7f79b0ddfae4a7ee5d69834ba45e2299ebf343c6398b8eb60bb04569883520ada4a381
 SHA512 (pyasn1-0.4.8.tar.gz) = e64e70b325c8067f87ace7c0673149e82fe564aa4b0fa146d29b43cb588ecd6e81b1b82803b8cfa7a17d3d0489b6d88b4af5afb3aa0052bf92e8a1769fe8f7b0
 SHA512 (pyasn1-modules-0.2.8.tar.gz) = fdfcaa065deffdd732deaa1fa30dec2fc4a90ffe15bd12de40636ce0212f447611096d2f4e652ed786b5c47544439e6a93721fabe121f3320f13965692a1ca5b
-SHA512 (pycryptodome-3.6.4.tar.gz) = b565acf2d4dad80842a677dac2e69719dedb870d93d35948f3ef04da120c89fdf80f5b08864c182e2537ff60bbce8487cec6bfe8bb9acc1833194a667932a5c6
+SHA512 (pycryptodome-3.20.0.tar.gz) = 9fed02190db9ae71b6895af2525d7670858817acf213c494969104da81138dacb11bc00be83b308e070a2c90766cd763e25a611ada402b32f6160a8ac9283f85
 SHA512 (pyparsing-2.4.7-py2.py3-none-any.whl) = acb6b4ff90254d73804621d302926deb69bc99ffde16d7aa16cba7d0af7a53c25b7197d422309d9e82a766704fd7ea4c8b078a48d2e7d8658a8b237266fe24f5
 SHA512 (python-dateutil-2.8.2.tar.gz) = 6538858e4a3e2d1de1bf25b6d8b25e3a8d20bf60fb85e32d07ac491c90ce193e268bb5641371b8a79fb0f033a184bac9896b3bc643c1aca9ee9c6478286ac20c
 SHA512 (python-string-utils-1.0.0.tar.gz) = 23ee48053848edd74915a985ee9edec48bbba468e228745f7d27b6a855c67f6b7ddf1cf71049458bf0b1c6c4d4f905ebacfac960597cbadbbe2daa1fe9472280
@@ -33,5 +33,5 @@ SHA512 (setuptools-58.3.0.tar.gz) = 5a38231c2ce361ad45befbd0de34dd7dde9d15f25e7f
 SHA512 (setuptools_scm-6.3.2.tar.gz) = 9a16552803ef92367ad71007cf322737b5baa58b924083f04c860875bf6cb2e2bb4f43a7f89778b040c2eb55c5d32de479a918056519339820c6d0f1a6a386f0
 SHA512 (six-1.16.0.tar.gz) = 076fe31c8f03b0b52ff44346759c7dc8317da0972403b84dfe5898179f55acdba6c78827e0f8a53ff20afe8b76432c6fe0d655a75c24259d9acbaa4d9e8015c0
 SHA512 (tomli-1.0.1.tar.gz) = 2731ff827bda17471bf75a44b445062bd4c43adfc9f0fdab4f8953e559f60708bc3e3500b424bf914c5e472fc9afbab72316c5a3b47c3a7654b2eb5343e62d21
-SHA512 (urllib3-1.26.7.tar.gz) = 6f5a5e6dd5ff99950fcc051495e0a698153b57e20b6c83d869b54c7fece9616909bcf2fe99efc40815f8722996ad93e430bf765ce5c629b912690c286014b86f
+SHA512 (urllib3-1.26.18.tar.gz) = c89e93a032bf6b11375c06ef7c5abc1868f93e7655cfdca09e9bd939ad415d206ea159fe151ecd2e5f725e0e18a831c7a5382ad01dbc32264154fc8af7aec156
 SHA512 (websocket-client-1.2.1.tar.gz) = fdbeb7ac2add27478a17b388ac62e9378094a368f29749d8b63c274ee41836506369dddd083956f42f1f2d74948392b3ddd59b801c98f9e028c126bdb54c636b