From e5144fbc701e22b22e484b0d8911a98e16e8ce35 Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Tue, 3 Feb 2026 10:17:03 +0100
Subject: [PATCH] - bundled urllib3: fix issue with CVE-2026-21441 patch Resolves: RHEL-146288
---
 ...8-fix-bundled-urllib3-CVE-2026-21441.patch | 95 +++++++++++++++++++
 ...3-fix-bundled-urllib3-CVE-2026-21441.patch | 44 ---------
 fence-agents.spec | 8 +-
 3 files changed, 101 insertions(+), 46 deletions(-)
 create mode 100644 RHEL-140783-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch
 delete mode 100644 RHEL-140783-fix-bundled-urllib3-CVE-2026-21441.patch
diff --git a/RHEL-140783-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch b/RHEL-140783-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch
new file mode 100644
index 0000000..2a112ba
--- /dev/null
+++ b/RHEL-140783-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch
@@ -0,0 +1,95 @@
+--- a/aws/urllib3/response.py 2026-02-03 08:20:11.000000000 +0100
++++ b/aws/urllib3/response.py 2026-02-03 09:11:38.017998476 +0100
+@@ -350,6 +350,7 @@
+ self.reason = reason
+ self.strict = strict
+ self.decode_content = decode_content
++ self._has_decoded_content = False
+ self.retries = retries
+ self.enforce_content_length = enforce_content_length
+ self.auto_close = auto_close
+@@ -414,7 +415,11 @@
+ Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+ """
+ try:
+- self.read()
++ self.read(
++ # Do not spend resources decoding the content unless
++ # decoding has already been initiated.
++ decode_content=self._has_decoded_content,
++ )
+ except (HTTPError, SocketError, BaseSSLError, HTTPException):
+ pass
+
+@@ -536,6 +541,7 @@
+ try:
+ if self._decoder:
+ data = self._decoder.decompress(data, max_length=max_length)
++ self._has_decoded_content = True
+ except self.DECODER_ERROR_CLASSES as e:
+ content_encoding = self.headers.get("content-encoding", "").lower()
+ raise DecodeError(
+
+--- a/azure/urllib3/response.py 2026-02-03 08:20:11.000000000 +0100
++++ b/azure/urllib3/response.py 2026-02-03 09:11:38.017998476 +0100
+@@ -350,6 +350,7 @@
+ self.reason = reason
+ self.strict = strict
+ self.decode_content = decode_content
++ self._has_decoded_content = False
+ self.retries = retries
+ self.enforce_content_length = enforce_content_length
+ self.auto_close = auto_close
+@@ -414,7 +415,11 @@
+ Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+ """
+ try:
+- self.read()
++ self.read(
++ # Do not spend resources decoding the content unless
++ # decoding has already been initiated.
++ decode_content=self._has_decoded_content,
++ )
+ except (HTTPError, SocketError, BaseSSLError, HTTPException):
+ pass
+
+@@ -536,6 +541,7 @@
+ try:
+ if self._decoder:
+ data = self._decoder.decompress(data, max_length=max_length)
++ self._has_decoded_content = True
+ except self.DECODER_ERROR_CLASSES as e:
+ content_encoding = self.headers.get("content-encoding", "").lower()
+ raise DecodeError(
+
+--- a/kubevirt/urllib3/response.py 2026-02-03 08:20:11.000000000 +0100
++++ b/kubevirt/urllib3/response.py 2026-02-03 09:11:38.017998476 +0100
+@@ -350,6 +350,7 @@
+ self.reason = reason
+ self.strict = strict
+ self.decode_content = decode_content
++ self._has_decoded_content = False
+ self.retries = retries
+ self.enforce_content_length = enforce_content_length
+ self.auto_close = auto_close
+@@ -414,7 +415,11 @@
+ Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+ """
+ try:
+- self.read()
++ self.read(
++ # Do not spend resources decoding the content unless
++ # decoding has already been initiated.
++ decode_content=self._has_decoded_content,
++ )
+ except (HTTPError, SocketError, BaseSSLError, HTTPException):
+ pass
+
+@@ -536,6 +541,7 @@
+ try:
+ if self._decoder:
+ data = self._decoder.decompress(data, max_length=max_length)
++ self._has_decoded_content = True
+ except self.DECODER_ERROR_CLASSES as e:
+ content_encoding = self.headers.get("content-encoding", "").lower()
+ raise DecodeError(
diff --git a/RHEL-140783-fix-bundled-urllib3-CVE-2026-21441.patch b/RHEL-140783-fix-bundled-urllib3-CVE-2026-21441.patch
deleted file mode 100644
index f00b940..0000000
--- a/RHEL-140783-fix-bundled-urllib3-CVE-2026-21441.patch
+++ /dev/null
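Review bot: The `self._has_decoded_content = False` initialiser in inner hunk `@@ -350,6 +350,7 @@` carries no comment, although the CVE-2026-21441 change to the drain path depends on it: the superseded RHEL-140783 patch shipped only the `self.read(decode_content=self._has_decoded_content)` hunk, and a missing attribute there would presumably surface as an AttributeError that the `except (HTTPError, SocketError, BaseSSLError, HTTPException)` clause does not catch. I would add a comment above the initialiser in all three copies (aws, azure, kubevirt), e.g. `# Set once the decoder has run; the drain path passes this to read() so unread bodies are not decompressed.` The same applies to the `self._has_decoded_content = True` line in `@@ -536,6 +541,7 @@`, where the lost indentation on this page makes it impossible to confirm that the assignment sits inside the `if self._decoder:` branch. The enclosing methods begin and end outside the inner hunks.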
@@ -1,44 +0,0 @@
---- a/aws/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
-+++ b/aws/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
-@@ -292,7 +292,11 @@
- Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
- """
- try:
-- self.read()
-+ self.read(
-+ # Do not spend resources decoding the content unless
-+ # decoding has already been initiated.
-+ decode_content=self._has_decoded_content,
-+ )
- except (HTTPError, SocketError, BaseSSLError, HTTPException):
- pass
-
---- a/azure/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
-+++ b/azure/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
-@@ -292,7 +292,11 @@
- Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
- """
- try:
-- self.read()
-+ self.read(
-+ # Do not spend resources decoding the content unless
-+ # decoding has already been initiated.
-+ decode_content=self._has_decoded_content,
-+ )
- except (HTTPError, SocketError, BaseSSLError, HTTPException):
- pass
-
---- a/kubevirt/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
-+++ b/kubevirt/urllib3/response.py 2026-01-13 14:17:48.477104360 +0100
-@@ -292,7 +292,11 @@
- Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
- """
- try:
-- self.read()
-+ self.read(
-+ # Do not spend resources decoding the content unless
-+ # decoding has already been initiated.
-+ decode_content=self._has_decoded_content,
-+ )
- except (HTTPError, SocketError, BaseSSLError, HTTPException):
- pass
diff --git a/fence-agents.spec b/fence-agents.spec
index deaf7a5..88c78d3 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 129%{?alphatag:.%{alphatag}}%{?dist}.22
+Release: 129%{?alphatag:.%{alphatag}}%{?dist}.23
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@@ -339,7 +339,7 @@ Patch2002: RHEL-104741-2-aliyun-aws-azure-fix-bundled-requests-CVE-2024-47081.pa
 Patch2003: RHEL-109814-2-botocore-add-SkipOsShutdown.patch
 Patch2004: RHEL-136027-fix-bundled-urllib3-CVE-2025-66418.patch
 Patch2005: RHEL-139756-fix-bundled-urllib3-CVE-2025-66471.patch
-Patch2006: RHEL-140783-fix-bundled-urllib3-CVE-2026-21441.patch
+Patch2006: RHEL-140783-RHEL-146288-fix-bundled-urllib3-CVE-2026-21441.patch
 Patch2007: RHEL-142447-fix-bundled-pyasn1-CVE-2026-23490.patch
 %if 0%{?fedora} || 0%{?rhel} > 7
@@ -1638,6 +1638,10 @@ Fence agent for IBM z/VM over IP.
 %endif
 %changelog
+* Tue Feb 3 2026 Oyvind Albrigtsen - 4.2.1-129.23
+- bundled urllib3: fix issue with CVE-2026-21441 patch
+ Resolves: RHEL-146288
+
 * Thu Jan 29 2026 Oyvind Albrigtsen - 4.2.1-129.22
 - fence_ibm_vpc: fix missing statuses
 Resolves: RHEL-145087