diff --git a/RHEL-104741-1-kubevirt-fix-bundled-requests-CVE-2024-47081.patch b/RHEL-104741-1-kubevirt-fix-bundled-requests-CVE-2024-47081.patch
new file mode 100644
index 0000000..946ac59
--- /dev/null
+++ b/RHEL-104741-1-kubevirt-fix-bundled-requests-CVE-2024-47081.patch
@@ -0,0 +1,28 @@
+From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+---
+ src/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/kubevirt/requests/utils.py b/kubevirt/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/kubevirt/requests/utils.py
++++ b/kubevirt/requests/utils.py
+@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b':'
+- if isinstance(url, str):
+- splitstr = splitstr.decode('ascii')
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
diff --git a/RHEL-104741-2-aliyun-aws-azure-fix-bundled-requests-CVE-2024-47081.patch b/RHEL-104741-2-aliyun-aws-azure-fix-bundled-requests-CVE-2024-47081.patch
new file mode 100644
index 0000000..1280800
--- /dev/null
+++ b/RHEL-104741-2-aliyun-aws-azure-fix-bundled-requests-CVE-2024-47081.patch
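Review bot: `host = ri.hostname` changes the netrc lookup key by more than the port stripping the removed comment describes: `urlparse().hostname` also discards any userinfo, strips IPv6 brackets and lowercases the name, while `netrc.authenticators()` matches `machine` entries by exact string, so a mixed-case `.netrc` entry that matched the raw netloc before may stop matching after this patch. That is the intended hardening (credentials are now looked up under the host the request is actually sent to, not under whatever precedes the first `:` in the netloc), but it is a user-visible behaviour change that the preamble and the spec changelog describe only as a CVE fix; a line in the patch preamble such as `Backport note: netrc entries are now matched on the parsed, lowercased hostname; mixed-case machine names no longer match.` would save the next maintainer a bisect. The preamble also keeps upstream's `src/requests/utils.py | 8 +-------` diffstat and `index 699683e5d9..8a307ca8a0` line although the hunk path was rewritten to `kubevirt/requests/utils.py`; `patch -p1` ignores both, but the header no longer describes the hunk under it. The same two points apply to the aliyun, aws and azure copies of this hunk in the second patch file.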
@@ -0,0 +1,66 @@
+From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+---
+ src/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/aliyun/aliyunsdkcore/vendored/requests/utils.py b/aliyun/aliyunsdkcore/vendored/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/aliyun/aliyunsdkcore/vendored/requests/utils.py
++++ b/aliyun/aliyunsdkcore/vendored/requests/utils.py
+@@ -182,13 +182,7 @@
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b':'
+- if isinstance(url, str):
+- splitstr = splitstr.decode('ascii')
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
+diff --git a/aws/requests/utils.py b/aws/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/aws/requests/utils.py
++++ b/aws/requests/utils.py
+@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b':'
+- if isinstance(url, str):
+- splitstr = splitstr.decode('ascii')
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
+diff --git a/azure/requests/utils.py b/azure/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/azure/requests/utils.py
++++ b/azure/requests/utils.py
+@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b':'
+- if isinstance(url, str):
+- splitstr = splitstr.decode('ascii')
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
diff --git a/fence-agents.spec b/fence-agents.spec
index ec56b82..88548c9 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -87,7 +87,7 @@
Name: fence-agents
Summary: Set of unified programs capable of host isolation ("fencing")
Version: 4.2.1
-Release: 129%{?alphatag:.%{alphatag}}%{?dist}.12
+Release: 129%{?alphatag:.%{alphatag}}%{?dist}.13
License: GPLv2+ and LGPLv2+
Group: System Environment/Base
URL: https://github.com/ClusterLabs/fence-agents
@@ -326,9 +326,11 @@ Patch1001: RHEL-22174-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
Patch1002: RHEL-35655-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
Patch1003: RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch
Patch1004: RHEL-50223-setuptools-fix-CVE-2024-6345.patch
+Patch1005: RHEL-104741-1-kubevirt-fix-bundled-requests-CVE-2024-47081.patch
# cloud (x86_64 only)
Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
Patch2001: RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch
+Patch2002: RHEL-104741-2-aliyun-aws-azure-fix-bundled-requests-CVE-2024-47081.patch
%if 0%{?fedora} || 0%{?rhel} > 7
%global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
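Review bot: The `index 699683e5d9..8a307ca8a0` line is repeated verbatim for the aliyun, aws and azure hunks although the aliyun copy has the function at line 182 rather than 236 (its `@@ -182,13 +182,7 @@` header also lacks the function context the other two carry), so these blob ids are upstream's and cannot describe the three bundled files. `patch -p1` never reads them, but anything that trusts the preimage blob (for example `git apply --3way`) would look for a blob that does not exist in this tree; either drop the `index` lines from the rewritten hunks or state in the preamble that only the paths and offsets were adapted from upstream commit 57acb7c2, e.g. `Backport note: paths and hunk offsets adjusted for the bundled copies; index/diffstat lines are upstream's.` It is also worth recording which of the three copies needed the offset change, since that is what will break first on the next requests bump.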
@@ -677,10 +679,12 @@ pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=1 < %{PATCH1002}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1003}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1004}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1005}
%ifarch x86_64
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2002}
%endif
popd
@@ -1601,6 +1605,10 @@ Fence agent for IBM z/VM over IP.
%endif
%changelog
+* Fri Aug 15 2025 Oyvind Albrigtsen - 4.2.1-129.13
+- bundled requests: fix CVE-2024-47081
+ Resolves: RHEL-104741
+
+* Tue Aug 12 2025 Oyvind Albrigtsen - 4.2.1-129.12
- fence_ibm_vpc: add apikey file support
Resolves: RHEL-107506
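Review bot: PATCH2002 is applied with `--fuzz=2` while PATCH1005, whose hunk body is byte-identical, gets `--fuzz=0`, and nothing says which of the aliyun, aws or azure copies has context that differs from upstream and forces the looser match; a comment on the new line, `# PATCH2002: fuzz=2 because the surrounding context in the bundled copies differs from upstream`, would record that. Presumably the fuzz was raised only after a `--fuzz=0` attempt failed, so it is worth confirming that the patch does not simply apply cleanly with `--fuzz=0` like PATCH1005. Because the whole fix is which expression feeds `authenticators(host)`, the cheapest guard against a silently-missed copy on a future requests bump is a post-condition after the `%ifarch` block: for each of `aliyun/aliyunsdkcore/vendored/requests/utils.py aws/requests/utils.py azure/requests/utils.py` (and `kubevirt/requests/utils.py` for PATCH1005) run `grep -q 'host = ri.hostname' "$f" || exit 1`. The `%changelog` entry in the last hunk could also name the behaviour change (netrc entries are now matched on the parsed, lowercased hostname) rather than only the CVE id.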