Security fix for CVE-2024-47081

Resolves: RHEL-102420
This commit is contained in:
Lumir Balhar 2025-07-25 12:18:41 +02:00
parent a7ae828b4e
commit 39ae929aff
2 changed files with 42 additions and 1 deletions

31
CVE-2024-47081.patch Normal file
View File

@ -0,0 +1,31 @@
From c9fc8896562cc154eae41a51941bea6d701ed363 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Fri, 25 Jul 2025 12:17:00 +0200
Subject: [PATCH] CVE-2024-47081
---
requests/utils.py | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/requests/utils.py b/requests/utils.py
index 04145c8..4a1b829 100644
--- a/requests/utils.py
+++ b/requests/utils.py
@@ -191,13 +191,7 @@ def get_netrc_auth(url, raise_errors=False):
return
ri = urlparse(url)
-
- # Strip port numbers from netloc. This weird `if...encode`` dance is
- # used for Python 3.2, which doesn't support unicode literals.
- splitstr = b':'
- if isinstance(url, str):
- splitstr = splitstr.decode('ascii')
- host = ri.netloc.split(splitstr)[0]
+ host = ri.hostname
try:
_netrc = netrc(netrc_path).authenticators(host)
--
2.50.1

View File

@ -10,7 +10,7 @@
Name: python-requests
Version: 2.20.0
Release: 5%{?dist}
Release: 6%{?dist}
Summary: HTTP library, written in Python, for human beings
License: ASL 2.0
@ -61,6 +61,12 @@ Patch7: CVE-2023-32681.patch
# The issue it tries to solve: https://github.com/psf/requests/issues/6726
Patch8: CVE-2024-35195.patch
# Security fix for CVE-2024-47081
# Requests vulnerable to .netrc credentials leak via malicious URLs.
# Fix backported from upstream:
# https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
Patch9: CVE-2024-47081.patch
BuildArch: noarch
%description
@ -123,6 +129,10 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
%changelog
* Fri Jul 25 2025 Lumír Balhar <lbalhar@redhat.com> - 2.20.0-6
- Security fix for CVE-2024-47081
Resolves: RHEL-102420
* Tue Dec 17 2024 Lumír Balhar <lbalhar@redhat.com> - 2.20.0-5
- Security fix for CVE-2024-35195
Resolves: RHEL-37605