- bundled urllib3: fix CVE-2025-66471

- bundled urllib3: fix CVE-2026-21441
  Resolves: RHEL-139799, RHEL-140796
This commit is contained in:
Oyvind Albrigtsen 2026-01-13 14:54:43 +01:00
parent 1715eda529
commit ba7a3e16eb
3 changed files with 1086 additions and 1 deletions

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,59 @@
--- a/aws/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
+++ b/aws/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
@@ -292,7 +292,11 @@
Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
"""
try:
- self.read()
+ self.read(
+ # Do not spend resources decoding the content unless
+ # decoding has already been initiated.
+ decode_content=self._has_decoded_content,
+ )
except (HTTPError, SocketError, BaseSSLError, HTTPException):
pass
--- a/azure/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
+++ b/azure/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
@@ -292,7 +292,11 @@
Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
"""
try:
- self.read()
+ self.read(
+ # Do not spend resources decoding the content unless
+ # decoding has already been initiated.
+ decode_content=self._has_decoded_content,
+ )
except (HTTPError, SocketError, BaseSSLError, HTTPException):
pass
--- a/google/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
+++ b/google/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
@@ -292,7 +292,11 @@
Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
"""
try:
- self.read()
+ self.read(
+ # Do not spend resources decoding the content unless
+ # decoding has already been initiated.
+ decode_content=self._has_decoded_content,
+ )
except (HTTPError, SocketError, BaseSSLError, HTTPException):
pass
--- a/kubevirt/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
+++ b/kubevirt/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
@@ -292,7 +292,11 @@
Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
"""
try:
- self.read()
+ self.read(
+ # Do not spend resources decoding the content unless
+ # decoding has already been initiated.
+ decode_content=self._has_decoded_content,
+ )
except (HTTPError, SocketError, BaseSSLError, HTTPException):
pass

View File

@ -57,7 +57,7 @@
Name: fence-agents
Summary: Set of unified programs capable of host isolation ("fencing")
Version: 4.10.0
Release: 102%{?alphatag:.%{alphatag}}%{?dist}
Release: 103%{?alphatag:.%{alphatag}}%{?dist}
License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/fence-agents
Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -266,6 +266,8 @@ Patch2000: bz2217902-2-aws-azure-fix-bundled-dateutil-CVE-2007-4559.patch
Patch2001: RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch
Patch2002: RHEL-95901-pkg_resources-suppress-UserWarning.patch
Patch2003: RHEL-136069-fix-bundled-urllib3-CVE-2025-66418.patch
Patch2004: RHEL-139799-fix-bundled-urllib3-CVE-2025-66471.patch
Patch2005: RHEL-140796-fix-bundled-urllib3-CVE-2026-21441.patch
%global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath nutanix_ahv redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
%ifarch x86_64
@ -516,6 +518,8 @@ pushd support
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH2001}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2002}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2003}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2004}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2005}
%endif
popd
@ -1576,6 +1580,11 @@ are located on corosync cluster nodes.
%endif
%changelog
* Tue Jan 13 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-103
- bundled urllib3: fix CVE-2025-66471
- bundled urllib3: fix CVE-2026-21441
Resolves: RHEL-139799, RHEL-140796
* Fri Jan 2 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-102
- bundled urllib3: fix CVE-2025-66418
Resolves: RHEL-136069