- bundled urllib3: fix CVE-2023-43804

Resolves: RHEL-11988

RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch

@@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst                               |  5 ++++
+ docs/user-guide.rst                       |  3 +++
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/kubevirt/urllib3/util/retry.py
++++ b/kubevirt/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120

RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch

@@ -0,0 +1,26 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst                               |  5 ++++
+ docs/user-guide.rst                       |  3 +++
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/aws/urllib3/util/retry.py
++++ b/aws/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120

fence-agents.spec

@@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 122%{?alphatag:.%{alphatag}}%{?dist}
+Release: 123%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@@ -276,8 +276,12 @@ Patch133: bz2211460-fence_azure-arm-2-metadata-endpoint-error-message.patch
 Patch134: bz2155453-fence_ibm_powervs-performance-improvements.patch
 
 ### HA support libs/utils ###
-Patch1000: bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+# all archs
+Patch1000: bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1001: RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
+# cloud (x86_64 only)
+Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch2001: RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch
 
 %if 0%{?fedora} || 0%{?rhel} > 7
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
@@ -594,20 +598,21 @@ popd
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} jmespath
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/aws --no-index --find-links %{_sourcedir} botocore
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/aws --no-index --find-links %{_sourcedir} requests
-
-# regular patch doesnt work in install-section
-# Patch1000
-pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2218234-1-aws-fix-bundled-dateutil-CVE-2007-4559.patch
-popd
 %endif
 
 # kubevirt
 %{__python3} -m pip install --target %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt/rsa*
-# Patch1001
+
+# regular patch doesnt work in build-section
 pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2218234-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
+
+%ifarch x86_64
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2001}
+%endif
 popd
 
 ## tree fix up
@@ -1497,6 +1502,10 @@ Fence agent for IBM z/VM over IP.
 %endif
 
 %changelog
+* Thu Oct 12 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-123
+- bundled urllib3: fix CVE-2023-43804
+  Resolves: RHEL-11988
+
 * Tue Sep 26 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-122
 - bundled certifi: fix CVE-2023-37920
   Resolves: RHEL-6972