- bundled urllib3: fix CVE-2023-43804

Resolves: RHEL-11999
2023-10-11 13:13:16 +02:00 · 2023-10-11 13:13:16 +02:00 · 7a2b9f5865
commit 7a2b9f5865
parent 6fbe4aa99c
5 changed files with 105 additions and 13 deletions
--- a/RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
+++ b/RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst                               |  5 ++++
+ docs/user-guide.rst                       |  3 +++
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/kubevirt/urllib3/util/retry.py
+++ b/kubevirt/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
--- a/RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
+++ b/RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
@ -0,0 +1,59 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst                               |  5 ++++
+ docs/user-guide.rst                       |  3 +++
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/aws/urllib3/util/retry.py
+++ b/aws/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+--- a/awscli/urllib3/util/retry.py
+++ b/awscli/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+--- a/azure/urllib3/util/retry.py
+++ b/azure/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+--- a/google/urllib3/util/retry.py
+++ b/google/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
--- a/bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+++ b/bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
--- a/bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+++ b/bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 56%{?alphatag:.%{alphatag}}%{?dist}
+Release: 57%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -240,8 +240,12 @@ Patch47: RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
 Patch48: RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch

 ### HA support libs/utils ###
-Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+# all archs
+Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1001: RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
+# cloud (x86_64 only)
+Patch2000: bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch2001: RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch

 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@ -431,21 +435,20 @@ sed -i -e "/^#\!\/Users/c#\!%{__python3}" support/aws/bin/jp support/aliyun/bin/
 sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/support/awscli')" support/awscli/bin/aws
 %endif

-# regular patch doesnt work in build-section
-# Patch1000
-%ifarch x86_64
-pushd support
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
-popd
-%endif
-
 # kubevirt
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm
 %{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf kubevirt/rsa*
-# Patch1001
+
+# regular patch doesnt work in build-section
 pushd support
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1001}
+
+%ifarch x86_64
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
+%endif
 popd

 ./autogen.sh
@ -1480,6 +1483,10 @@ are located on corosync cluster nodes.
 %endif

 %changelog
+* Wed Oct 11 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-57
+- bundled urllib3: fix CVE-2023-43804
+  Resolves: RHEL-11999
+
 * Wed Sep 27 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-56
 - fence_scsi: fix registration handling if ISID conflicts
  Resolves: RHEL-5396