From ab409ca678dc015d7e5bfa60004f22eb515228f1 Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Tue, 25 Jun 2024 11:44:29 +0200 Subject: [PATCH] - bundled urllib3: fix CVE-2024-37891 Resolves: RHEL-43568 --- ...t-fix-bundled-urllib3-CVE-2024-37891.patch | 32 +++++++++++++++++++ ...s-fix-bundled-urllib3-CVE-2024-37891.patch | 32 +++++++++++++++++++ fence-agents.spec | 10 +++++- 3 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch create mode 100644 RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch diff --git a/RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch b/RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch new file mode 100644 index 0000000..f5abf83 --- /dev/null +++ b/RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch @@ -0,0 +1,32 @@ +From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* Strip Proxy-Authorization header on redirects + +* Fix test_retry_default_remove_headers_on_redirect + +* Set release date +--- + CHANGES.rst | 5 +++++ + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 ++++- + test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++--- + 4 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py +index 7a76a4a6ad..0456cceba4 100644 +--- a/kubevirt/urllib3/util/retry.py ++++ b/kubevirt/urllib3/util/retry.py +@@ -189,7 +189,9 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 diff --git a/RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch b/RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch new file mode 100644 index 0000000..d6583b2 --- /dev/null +++ b/RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch @@ -0,0 +1,32 @@ +From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* Strip Proxy-Authorization header on redirects + +* Fix test_retry_default_remove_headers_on_redirect + +* Set release date +--- + CHANGES.rst | 5 +++++ + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 ++++- + test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++--- + 4 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/aws/urllib3/util/retry.py b/aws/urllib3/util/retry.py +index 7a76a4a6ad..0456cceba4 100644 +--- a/aws/urllib3/util/retry.py ++++ b/aws/urllib3/util/retry.py +@@ -189,7 +189,9 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 diff --git a/fence-agents.spec b/fence-agents.spec index 0f116bc..0b838e9 100644 --- a/fence-agents.spec +++ b/fence-agents.spec @@ -87,7 +87,7 @@ Name: fence-agents Summary: Set of unified programs capable of host isolation ("fencing") Version: 4.2.1 -Release: 129%{?alphatag:.%{alphatag}}%{?dist}.2 +Release: 129%{?alphatag:.%{alphatag}}%{?dist}.3 License: GPLv2+ and LGPLv2+ Group: System Environment/Base URL: https://github.com/ClusterLabs/fence-agents @@ -289,8 +289,10 @@ Patch143: RHEL-7734-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patc Patch1000: bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch Patch1001: RHEL-22174-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch Patch1002: RHEL-35655-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch +Patch1003: RHEL-43568-1-kubevirt-fix-bundled-urllib3-CVE-2024-37891.patch # cloud (x86_64 only) Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch +Patch2001: RHEL-43568-2-aws-fix-bundled-urllib3-CVE-2024-37891.patch %if 0%{?fedora} || 0%{?rhel} > 7 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti @@ -627,9 +629,11 @@ pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=1 < %{PATCH1001} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=1 < %{PATCH1002} +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1003} %ifarch x86_64 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000} +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001} %endif popd @@ -1520,6 +1524,10 @@ Fence agent for IBM z/VM over IP. %endif %changelog +* Tue Jun 25 2024 Oyvind Albrigtsen - 4.2.1-129.3 +- bundled urllib3: fix CVE-2024-37891 + Resolves: RHEL-43568 + * Thu May 30 2024 Oyvind Albrigtsen - 4.2.1-129.2 - fence_eps: add fence_epsr2 for ePowerSwitch R2 and newer Resolves: RHEL-7734