- bundled urllib3: fix CVE-2023-43804

Resolves: RHEL-11999
2023-10-11 13:13:16 +02:00 · 2023-10-11 13:13:16 +02:00 · 7a2b9f5865
commit 7a2b9f5865
parent 6fbe4aa99c
5 changed files with 105 additions and 13 deletions
--- a/RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
+++ b/RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
@ -0,0 +1,26 @@
 From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
 From: Quentin Pradet <quentin.pradet@gmail.com>
 Date: Mon, 2 Oct 2023 19:46:16 +0400
 Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
 ---
 CHANGES.rst                               |  5 ++++
 docs/user-guide.rst                       |  3 +++
 src/urllib3/util/retry.py                 |  2 +-
 test/test_retry.py                        |  4 +--
 test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
 5 files changed, 35 insertions(+), 9 deletions(-)
 diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
 index ea48afe3ca..7572bfd26a 100644
 --- a/kubevirt/urllib3/util/retry.py
 +++ b/kubevirt/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
--- a/RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
+++ b/RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
@ -0,0 +1,59 @@
 From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
 From: Quentin Pradet <quentin.pradet@gmail.com>
 Date: Mon, 2 Oct 2023 19:46:16 +0400
 Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
 ---
 CHANGES.rst                               |  5 ++++
 docs/user-guide.rst                       |  3 +++
 src/urllib3/util/retry.py                 |  2 +-
 test/test_retry.py                        |  4 +--
 test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
 5 files changed, 35 insertions(+), 9 deletions(-)
 diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
 index ea48afe3ca..7572bfd26a 100644
 --- a/aws/urllib3/util/retry.py
 +++ b/aws/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
 --- a/awscli/urllib3/util/retry.py
 +++ b/awscli/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
 --- a/azure/urllib3/util/retry.py
 +++ b/azure/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
 --- a/google/urllib3/util/retry.py
 +++ b/google/urllib3/util/retry.py
@@ -187,7 +187,7 @@ class Retry:
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
     #: Default maximum backoff time.
     DEFAULT_BACKOFF_MAX = 120
--- a/bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+++ b/bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
--- a/bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+++ b/bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 56%{?alphatag:.%{alphatag}}%{?dist}
+Release: 57%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -240,8 +240,12 @@ Patch47: RHEL-5396-fence_scsi-1-fix-ISID-reg-handling.patch
 Patch48: RHEL-5396-fence_scsi-2-fix-ISID-reg-handling-off.patch
 ### HA support libs/utils ###
-Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
+# all archs
-Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch1001: RHEL-11999-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
 # cloud (x86_64 only)
 Patch2000: bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch2001: RHEL-11999-2-aws-awscli-azure-google-fix-bundled-urllib3-CVE-2023-43804.patch
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
@ -431,21 +435,20 @@ sed -i -e "/^#\!\/Users/c#\!%{__python3}" support/aws/bin/jp support/aliyun/bin/
 sed -i -e "/^import awscli.clidriver/isys.path.insert(0, '/usr/lib/%{name}/support/awscli')" support/awscli/bin/aws
 %endif
 # regular patch doesnt work in build-section
 # Patch1000
 %ifarch x86_64
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
 popd
 %endif
 # kubevirt
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm
 %{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf kubevirt/rsa*
-# Patch1001
+
 # regular patch doesnt work in build-section
 pushd support
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1001}
 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
 %endif
 popd
 ./autogen.sh
@ -1480,6 +1483,10 @@ are located on corosync cluster nodes.
 %endif
 %changelog
 * Wed Oct 11 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-57
 - bundled urllib3: fix CVE-2023-43804
  Resolves: RHEL-11999
 * Wed Sep 27 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-56
 - fence_scsi: fix registration handling if ISID conflicts
  Resolves: RHEL-5396