- Fix CVE-2023-43804.patch

- Update certifi to 2023.07.22

.fence-agents.metadata

@@ -19,8 +19,7 @@ e20df6c9635f1db9a3c891b9239b4319d88b1747 SOURCES/azure_mgmt_core-1.2.2-py2.py3-n
 6ef53a76455b377b02b4774c32a04e241cdb24eb SOURCES/botocore-2.0.0dev123.zip
 c953dcd6e69587e5b182d77255ed836172fea70a SOURCES/cachetools-4.2.2-py3-none-any.whl
 0d12f48faa727f0979e9ad5c4c80dfa32b73caff SOURCES/cachetools-4.2.4.tar.gz
-b13e22d55867e2ca5f92e5289cfdc21ba6e343aa SOURCES/certifi-2021.10.8.tar.gz
-2fcaa39108a9c99700c6f3f4198fcaa47b8ed707 SOURCES/certifi-2021.5.30-py2.py3-none-any.whl
+e8217d20c809f93bf1df6c57f38c9c56f406e1bb SOURCES/certifi-2023.7.22.tar.gz
 17953cc85717e0f4501dbc7b5fb8e75d67dcdcd3 SOURCES/cffi-1.14.5-cp39-cp39-manylinux1_x86_64.whl
 96faab7de7e9a71b37f22adb64daf2898e967e3e SOURCES/chardet-3.0.4-py2.py3-none-any.whl
 e9eb83c71c09b3c8249bd7d6d2619b65fff03874 SOURCES/chardet-4.0.0-py2.py3-none-any.whl

.gitignore

@@ -19,8 +19,7 @@ SOURCES/botocore-1.20.102-py2.py3-none-any.whl
 SOURCES/botocore-2.0.0dev123.zip
 SOURCES/cachetools-4.2.2-py3-none-any.whl
 SOURCES/cachetools-4.2.4.tar.gz
-SOURCES/certifi-2021.10.8.tar.gz
-SOURCES/certifi-2021.5.30-py2.py3-none-any.whl
+SOURCES/certifi-2023.7.22.tar.gz
 SOURCES/cffi-1.14.5-cp39-cp39-manylinux1_x86_64.whl
 SOURCES/chardet-3.0.4-py2.py3-none-any.whl
 SOURCES/chardet-4.0.0-py2.py3-none-any.whl

SOURCES/CVE-2023-43804.patch

@@ -0,0 +1,70 @@
+From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 2 Oct 2023 19:46:16 +0400
+Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
+
+---
+ CHANGES.rst                               |  5 ++++
+ docs/user-guide.rst                       |  3 +++
+ src/urllib3/util/retry.py                 |  2 +-
+ test/test_retry.py                        |  4 +--
+ test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
+index ea48afe3ca..7572bfd26a 100644
+--- a/kubevirt/urllib3/util/retry.py
++++ b/kubevirt/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+--- a/aws/urllib3/util/retry.py
++++ b/aws/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+--- a/awscli/urllib3/util/retry.py
++++ b/awscli/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+--- a/azure/urllib3/util/retry.py
++++ b/azure/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+--- a/google/urllib3/util/retry.py
++++ b/google/urllib3/util/retry.py
+@@ -187,7 +187,7 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120

SPECS/fence-agents.spec

@@ -18,7 +18,7 @@
 %global kubernetes		kubernetes
 %global kubernetes_version	12.0.1
 %global certifi			certifi
-%global certifi_version		2021.10.8
+%global certifi_version		2023.7.22
 %global googleauth		google-auth
 %global googleauth_version	2.3.0
 %global cachetools		cachetools
@@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 55%{?alphatag:.%{alphatag}}%{?dist}
+Release: 55%{?alphatag:.%{alphatag}}%{?dist}.2.alma.1
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -109,7 +109,6 @@ Source1025: azure_mgmt_compute-21.0.0-py2.py3-none-any.whl
 Source1026: azure_mgmt_core-1.2.2-py2.py3-none-any.whl
 Source1027: azure_mgmt_network-19.0.0-py2.py3-none-any.whl
 Source1028: azure-identity-1.10.0.zip
-Source1029: certifi-2021.5.30-py2.py3-none-any.whl
 Source1030: chardet-4.0.0-py2.py3-none-any.whl
 Source1031: idna-2.10-py2.py3-none-any.whl
 Source1032: isodate-0.6.0-py2.py3-none-any.whl
@@ -242,6 +241,10 @@ Patch46: bz2224267-fence_ipmilan-fix-typos-in-metadata.patch
 Patch1000: bz2217902-1-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
 Patch1001: bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
 
+# Patches were taken from:
+# https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d
+Patch1002: CVE-2023-43804.patch
+
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
 %ifarch x86_64
 %global testagents virsh heuristics_ping aliyun aws azure_arm gce openstack virt
@@ -440,9 +443,10 @@ popd
 %{__python3} -m pip install --user --no-index --find-links %{_sourcedir} setuptools-scm
 %{__python3} -m pip install --target support/kubevirt --no-index --find-links %{_sourcedir} openshift
 rm -rf kubevirt/rsa*
-# Patch1001
+
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{_sourcedir}/bz2217902-2-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1002}
 popd
 
 ./autogen.sh
@@ -600,7 +604,7 @@ Provides: bundled(python-azure-core) = 1.15.0
 Provides: bundled(python-azure-mgmt-compute) = 21.0.0
 Provides: bundled(python-azure-mgmt-core) = 1.2.2
 Provides: bundled(python-azure-mgmt-network) = 19.0.0
-Provides: bundled(python-certifi) = 2021.5.30
+Provides: bundled(python-certifi) = %{certifi_version}
 Provides: bundled(python-chardet) = 4.0.0
 Provides: bundled(python-idna) = 2.10
 Provides: bundled(python-isodate) = 0.6.0
@@ -1477,6 +1481,10 @@ are located on corosync cluster nodes.
 %endif
 
 %changelog
+* Thu Dec 14 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.10.0-55.2.alma.1
+- Fix CVE-2023-43804.patch
+- Update certifi to 2023.07.22
+
 * Thu Aug  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-55
 - bundled dateutil: fix tarfile CVE-2007-4559
   Resolves: rhbz#2217902