From 7a2b9f586591b59d363eec34bdfabf4ec6f468e5 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Wed, 11 Oct 2023 13:13:16 +0200
Subject: [PATCH] - bundled urllib3: fix CVE-2023-43804

Resolves: RHEL-11999

---
 ...t-fix-bundled-urllib3-CVE-2023-43804.patch | 26 ++++++++
 ...e-fix-bundled-urllib3-CVE-2023-43804.patch | 59 +++++++++++++++++++
 ...t-fix-bundled-dateutil-CVE-2007-4559.patch | 0
 ...e-fix-bundled-dateutil-CVE-2007-4559.patch | 0
 fence-agents.spec | 33 +++++++----
 5 files changed, 105 insertions(+), 13 deletions(-)
 create mode 100644 RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
 create mode 100644 RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
 rename bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch => bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch (100%)
 rename bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch => bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch (100%)

diff --git a/RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch b/RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
new file mode 100644
index 0000000..f7e5004
--- /dev/null
+++ b/RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
@@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst | 5 ++++
+ docs/user-guide.rst | 3 +++
+ src/urllib3/util/retry.py | 2 +-
+ test/test_retry.py | 4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/kubevirt/urllib3/util/retry.py
++++ b/kubevirt/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
diff --git a/RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch b/RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
new file mode 100644
index 0000000..1d6feb9
--- /dev/null
+++ b/RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
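Review bot: The embedded patch's `diff --git a/src/urllib3/util/retry.py ...` and `index ea48afe3ca..7572bfd26a` lines still carry upstream's path and blob ids while the `---`/`+++` lines beneath them were rewritten to `kubevirt/urllib3/util/retry.py`; GNU patch takes the file names from `---`/`+++`, so the build works, but the stale header misleads readers and `git apply` would follow it. Either drop those two lines or rewrite the first as `diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py`; the copied diffstat above it likewise lists CHANGES.rst, docs and tests that this backport does not carry. The same stale header opens the `aws/` section of RHEL-11999-2 in the next file. The hunk only changes the class default, so any bundled caller that passes `remove_headers_on_redirect` explicitly is not covered by it — worth confirming none does under `support/kubevirt` before relying on this as the complete fix.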
@@ -0,0 +1,59 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst | 5 ++++
+ docs/user-guide.rst | 3 +++
+ src/urllib3/util/retry.py | 2 +-
+ test/test_retry.py | 4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/aws/urllib3/util/retry.py
++++ b/aws/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+--- a/awscli/urllib3/util/retry.py
++++ b/awscli/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+--- a/azure/urllib3/util/retry.py
++++ b/azure/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+--- a/google/urllib3/util/retry.py
++++ b/google/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
diff --git a/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch b/bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
similarity index 100%
rename from bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
rename to bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
diff --git a/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch b/bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
similarity index 100%
rename from bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
rename to bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
diff --git a/fence-agents.spec b/fence-agents.spec
index aa2ab3e..b0507ad 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 56%{?alphatag:.%{alphatag}}%{?dist}
+Release: 57%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -240,8 +240,12 @@ Patch47: RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
 Patch48: RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
 ### HA support libs/utils ###
-Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+# all archs
+Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1001: RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
+# cloud (x86_64 only)
+Patch2000: bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch2001: RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
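Review bot: `Patch2000`/`Patch2001` and the renumbered `Patch1000`/`Patch1001` are declared with ordinary `PatchN:` tags although, per the %build hunk later in this commit, they are applied by hand against `support/`, which is only populated during %build; nothing on the declarations says so, and a %prep that used `%autosetup`/`%autopatch` would try to apply them there and fail (whether %prep does is not visible here). A one-line comment on the group would keep that from being rediscovered the hard way, e.g. `### HA support libs/utils (applied manually in %%build, not in %%prep) ###`. The `# all archs` / `# cloud (x86_64 only)` split is otherwise clear.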
@@ -431,21 +435,20 @@ sed -i -e "/^#\!\/Users/c#\!%{__python3}" support/aws/bin/jp support/aliyun/bin/
 sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/support/awscli')" support/awscli/bin/aws
 %endif
-# regular patch doesnt work in build-section
-# Patch1000
-%ifarch x86_64
-pushd support
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
-popd
-%endif
-
 # kubevirt
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm
 %{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf kubevirt/rsa*
-# Patch1001
+
+# regular patch doesnt work in build-section
 pushd support
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1001}
+
+%ifarch x86_64
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
+%endif
 popd
 ./autogen.sh
@@ -1480,6 +1483,10 @@ are located on corosync cluster nodes.
 %endif
 %changelog
+* Wed Oct 11 2023 Oyvind Albrigtsen - 4.10.0-57
+- bundled urllib3: fix CVE-2023-43804
+ Resolves: RHEL-11999
+
 * Wed Sep 27 2023 Oyvind Albrigtsen - 4.10.0-56
 - fence_scsi: fix registration handling if ISID conflicts
 Resolves: RHEL-5396
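Review bot: The two urllib3 patches are applied with `--fuzz=2` on the new `PATCH1001`/`PATCH2001` lines — their trailing context (`DEFAULT_BACKOFF_MAX = 120`) evidently does not match the bundled copies — and nothing in the block verifies the security-relevant end state, that every bundled `urllib3/util/retry.py` now carries the `"Cookie", "Authorization"` default; patch's exit status covers the hunk itself, but with fuzz the match hangs on a single context line per side and the paths are hard-coded in the patch file, so an explicit check is a cheap guard when a bundled wheel is next bumped. Adding a `grep -q` for the new default after each application lets the `-e` scriptlet shell abort the build the same way a failed patch already does; the x86_64 part loops over the four directories. The %build section continues outside the hunk.
```spec
pushd support
# … unchanged: PATCH1000 / PATCH1001 applications …
# assert the CVE-2023-43804 default landed in the bundled copy
grep -q '"Cookie", "Authorization"' kubevirt/urllib3/util/retry.py

%ifarch x86_64
# … unchanged: PATCH2000 / PATCH2001 applications …
for d in aws awscli azure google; do
    grep -q '"Cookie", "Authorization"' $d/urllib3/util/retry.py
done
%endif
popd
```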