- bundled urllib3: fix issue with CVE-2026-21441 patch

Resolves: RHEL-146288
2026-02-03 10:17:03 +01:00 · 2026-02-03 10:17:03 +01:00 · e5144fbc70
commit e5144fbc70
parent 5354cffb63
3 changed files with 101 additions and 46 deletions
--- a/RHEL-140783-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch
+++ b/RHEL-140783-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch
@ -0,0 +1,95 @@
+--- a/aws/urllib3/response.py	2026-02-03 08:20:11.000000000 +0100
+++ b/aws/urllib3/response.py	2026-02-03 09:11:38.017998476 +0100
+@@ -350,6 +350,7 @@
+         self.reason = reason
+         self.strict = strict
+         self.decode_content = decode_content
+        self._has_decoded_content = False
+         self.retries = retries
+         self.enforce_content_length = enforce_content_length
+         self.auto_close = auto_close
+@@ -414,7 +415,11 @@
+         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+         """
+         try:
+-            self.read()
+            self.read(
+                # Do not spend resources decoding the content unless
+                # decoding has already been initiated.
+                decode_content=self._has_decoded_content,
+            )
+         except (HTTPError, SocketError, BaseSSLError, HTTPException):
+             pass
+ 
+@@ -536,6 +541,7 @@
+         try:
+             if self._decoder:
+                 data = self._decoder.decompress(data, max_length=max_length)
+                self._has_decoded_content = True
+         except self.DECODER_ERROR_CLASSES as e:
+             content_encoding = self.headers.get("content-encoding", "").lower()
+             raise DecodeError(
+
+--- a/azure/urllib3/response.py	2026-02-03 08:20:11.000000000 +0100
+++ b/azure/urllib3/response.py	2026-02-03 09:11:38.017998476 +0100
+@@ -350,6 +350,7 @@
+         self.reason = reason
+         self.strict = strict
+         self.decode_content = decode_content
+        self._has_decoded_content = False
+         self.retries = retries
+         self.enforce_content_length = enforce_content_length
+         self.auto_close = auto_close
+@@ -414,7 +415,11 @@
+         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+         """
+         try:
+-            self.read()
+            self.read(
+                # Do not spend resources decoding the content unless
+                # decoding has already been initiated.
+                decode_content=self._has_decoded_content,
+            )
+         except (HTTPError, SocketError, BaseSSLError, HTTPException):
+             pass
+ 
+@@ -536,6 +541,7 @@
+         try:
+             if self._decoder:
+                 data = self._decoder.decompress(data, max_length=max_length)
+                self._has_decoded_content = True
+         except self.DECODER_ERROR_CLASSES as e:
+             content_encoding = self.headers.get("content-encoding", "").lower()
+             raise DecodeError(
+
+--- a/kubevirt/urllib3/response.py	2026-02-03 08:20:11.000000000 +0100
+++ b/kubevirt/urllib3/response.py	2026-02-03 09:11:38.017998476 +0100
+@@ -350,6 +350,7 @@
+         self.reason = reason
+         self.strict = strict
+         self.decode_content = decode_content
+        self._has_decoded_content = False
+         self.retries = retries
+         self.enforce_content_length = enforce_content_length
+         self.auto_close = auto_close
+@@ -414,7 +415,11 @@
+         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+         """
+         try:
+-            self.read()
+            self.read(
+                # Do not spend resources decoding the content unless
+                # decoding has already been initiated.
+                decode_content=self._has_decoded_content,
+            )
+         except (HTTPError, SocketError, BaseSSLError, HTTPException):
+             pass
+ 
+@@ -536,6 +541,7 @@
+         try:
+             if self._decoder:
+                 data = self._decoder.decompress(data, max_length=max_length)
+                self._has_decoded_content = True
+         except self.DECODER_ERROR_CLASSES as e:
+             content_encoding = self.headers.get("content-encoding", "").lower()
+             raise DecodeError(
--- a/RHEL-140783-fix-bundled-urllib3-CVE-2026-21441.patch
+++ b/RHEL-140783-fix-bundled-urllib3-CVE-2026-21441.patch
@ -1,44 +0,0 @@
--- a/aws/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
-+++ b/aws/urllib3/response.py	2026-01-13 14:17:48.477104360 +0100
-@@ -292,7 +292,11 @@
-         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
-         """
-         try:
-            self.read()
-+            self.read(
-+                # Do not spend resources decoding the content unless
-+                # decoding has already been initiated.
-+                decode_content=self._has_decoded_content,
-+            )
-         except (HTTPError, SocketError, BaseSSLError, HTTPException):
-             pass
-
--- a/azure/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
-+++ b/azure/urllib3/response.py	2026-01-13 14:17:48.477104360 +0100
-@@ -292,7 +292,11 @@
-         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
-         """
-         try:
-            self.read()
-+            self.read(
-+                # Do not spend resources decoding the content unless
-+                # decoding has already been initiated.
-+                decode_content=self._has_decoded_content,
-+            )
-         except (HTTPError, SocketError, BaseSSLError, HTTPException):
-             pass
-
--- a/kubevirt/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
-+++ b/kubevirt/urllib3/response.py	2026-01-13 14:17:48.477104360 +0100
-@@ -292,7 +292,11 @@
-         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
-         """
-         try:
-            self.read()
-+            self.read(
-+                # Do not spend resources decoding the content unless
-+                # decoding has already been initiated.
-+                decode_content=self._has_decoded_content,
-+            )
-         except (HTTPError, SocketError, BaseSSLError, HTTPException):
-             pass
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 129%{?alphatag:.%{alphatag}}%{?dist}.22
+Release: 129%{?alphatag:.%{alphatag}}%{?dist}.23
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@ -339,7 +339,7 @@ Patch2002: RHEL-104741-2-aliyun-aws-azure-fix-bundled-requests-CVE-2024-47081.pa
 Patch2003: RHEL-109814-2-botocore-add-SkipOsShutdown.patch
 Patch2004: RHEL-136027-fix-bundled-urllib3-CVE-2025-66418.patch
 Patch2005: RHEL-139756-fix-bundled-urllib3-CVE-2025-66471.patch
-Patch2006: RHEL-140783-fix-bundled-urllib3-CVE-2026-21441.patch
+Patch2006: RHEL-140783-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch
 Patch2007: RHEL-142447-fix-bundled-pyasn1-CVE-2026-23490.patch

 %if 0%{?fedora} || 0%{?rhel} > 7
@ -1638,6 +1638,10 @@ Fence agent for IBM z/VM over IP.
 %endif

 %changelog
+* Tue Feb  3 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-129.23
+- bundled urllib3: fix issue with CVE-2026-21441 patch
+  Resolves: RHEL-146288
+
 * Thu Jan 29 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-129.22
 - fence_ibm_vpc: fix missing statuses
  Resolves: RHEL-145087