- bundled urllib3: fix CVE-2024-37891

Resolves: RHEL-43568
2024-06-25 11:44:29 +02:00 · 2024-06-25 11:44:29 +02:00 · ab409ca678
commit ab409ca678
parent 5a83386c35
3 changed files with 73 additions and 1 deletions
--- a/RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch
+++ b/RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch
@ -0,0 +1,32 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+---
+ CHANGES.rst                               |  5 +++++
+ src/urllib3/util/retry.py                 |  4 +++-
+ test/test_retry.py                        |  6 ++++-
+ test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
+ 4 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/kubevirt/urllib3/util/retry.py
+++ b/kubevirt/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
--- a/RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch
+++ b/RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch
@ -0,0 +1,32 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+---
+ CHANGES.rst                               |  5 +++++
+ src/urllib3/util/retry.py                 |  4 +++-
+ test/test_retry.py                        |  6 ++++-
+ test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
+ 4 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/aws/urllib3/util/retry.py b/aws/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/aws/urllib3/util/retry.py
+++ b/aws/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+        ["Cookie", "Authorization", "Proxy-Authorization"]
+    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 129%{?alphatag:.%{alphatag}}%{?dist}.2
+Release: 129%{?alphatag:.%{alphatag}}%{?dist}.3
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@ -289,8 +289,10 @@ Patch143: RHEL-7734-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patc
 Patch1000: bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch1001: RHEL-22174-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
 Patch1002: RHEL-35655-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
+Patch1003: RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch
 # cloud (x86_64 only)
 Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch2001: RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch

 %if 0%{?fedora} || 0%{?rhel} > 7
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
@ -627,9 +629,11 @@ pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=1 < %{PATCH1001}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=1 < %{PATCH1002}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1003}

 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
 %endif
 popd

@ -1520,6 +1524,10 @@ Fence agent for IBM z/VM over IP.
 %endif

 %changelog
+* Tue Jun 25 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-129.3
+- bundled urllib3: fix CVE-2024-37891
+  Resolves: RHEL-43568
+
 * Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-129.2
 - fence_eps: add fence_epsr2 for ePowerSwitch R2 and newer
  Resolves: RHEL-7734