- bundled requests: fix CVE-2024-47081

Resolves: RHEL-104741

RHEL-104741-1-kubevirt-fix-bundled-requests-CVE-2024-47081.patch

@@ -0,0 +1,28 @@
+From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+---
+ src/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/kubevirt/requests/utils.py b/kubevirt/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/kubevirt/requests/utils.py
++++ b/kubevirt/requests/utils.py
+@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
+             return
+ 
+         ri = urlparse(url)
+-
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b':'
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode('ascii')
+-        host = ri.netloc.split(splitstr)[0]
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)

RHEL-104741-2-aliyun-aws-azure-fix-bundled-requests-CVE-2024-47081.patch

@@ -0,0 +1,66 @@
+From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+---
+ src/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/aliyun/aliyunsdkcore/vendored/requests/utils.py b/aliyun/aliyunsdkcore/vendored/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/aliyun/aliyunsdkcore/vendored/requests/utils.py
++++ b/aliyun/aliyunsdkcore/vendored/requests/utils.py
+@@ -182,13 +182,7 @@
+             return
+ 
+         ri = urlparse(url)
+-
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b':'
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode('ascii')
+-        host = ri.netloc.split(splitstr)[0]
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)
+diff --git a/aws/requests/utils.py b/aws/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/aws/requests/utils.py
++++ b/aws/requests/utils.py
+@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
+             return
+ 
+         ri = urlparse(url)
+-
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b':'
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode('ascii')
+-        host = ri.netloc.split(splitstr)[0]
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)
+diff --git a/azure/requests/utils.py b/azure/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/azure/requests/utils.py
++++ b/azure/requests/utils.py
+@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
+             return
+ 
+         ri = urlparse(url)
+-
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b':'
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode('ascii')
+-        host = ri.netloc.split(splitstr)[0]
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)

fence-agents.spec

@@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 129%{?alphatag:.%{alphatag}}%{?dist}.12
+Release: 129%{?alphatag:.%{alphatag}}%{?dist}.13
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@@ -326,9 +326,11 @@ Patch1001: RHEL-22174-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
 Patch1002: RHEL-35655-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
 Patch1003: RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch
 Patch1004: RHEL-50223-setuptools-fix-CVE-2024-6345.patch
+Patch1005: RHEL-104741-1-kubevirt-fix-bundled-requests-CVE-2024-47081.patch
 # cloud (x86_64 only)
 Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch2001: RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch
+Patch2002: RHEL-104741-2-aliyun-aws-azure-fix-bundled-requests-CVE-2024-47081.patch
 
 %if 0%{?fedora} || 0%{?rhel} > 7
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
@@ -677,10 +679,12 @@ pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=1 < %{PATCH1002}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1003}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1004}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1005}
 
 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2002}
 %endif
 popd
 
@@ -1601,6 +1605,10 @@ Fence agent for IBM z/VM over IP.
 %endif
 
 %changelog
+* Fri Aug 15 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-129.13
+- bundled requests: fix CVE-2024-47081
+  Resolves: RHEL-104741
+
 * Tue Aug 12 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-129.12
 - fence_ibm_vpc: add apikey file support
   Resolves: RHEL-107506