Security fix for CVE-2024-47081
Resolves: RHEL-102420
This commit is contained in:
Lumir Balhar
parent
a7ae828b4e
commit
39ae929aff
31
CVE-2024-47081.patch
Normal file
31
CVE-2024-47081.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From c9fc8896562cc154eae41a51941bea6d701ed363 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lumir Balhar <lbalhar@redhat.com>
|
||||||
|
Date: Fri, 25 Jul 2025 12:17:00 +0200
|
||||||
|
Subject: [PATCH] CVE-2024-47081
|
||||||
|
|
||||||
|
---
|
||||||
|
requests/utils.py | 8 +-------
|
||||||
|
1 file changed, 1 insertion(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/requests/utils.py b/requests/utils.py
|
||||||
|
index 04145c8..4a1b829 100644
|
||||||
|
--- a/requests/utils.py
|
||||||
|
+++ b/requests/utils.py
|
||||||
|
@@ -191,13 +191,7 @@ def get_netrc_auth(url, raise_errors=False):
|
||||||
|
return
|
||||||
|
|
||||||
|
ri = urlparse(url)
|
||||||
|
-
|
||||||
|
- # Strip port numbers from netloc. This weird `if...encode`` dance is
|
||||||
|
- # used for Python 3.2, which doesn't support unicode literals.
|
||||||
|
- splitstr = b':'
|
||||||
|
- if isinstance(url, str):
|
||||||
|
- splitstr = splitstr.decode('ascii')
|
||||||
|
- host = ri.netloc.split(splitstr)[0]
|
||||||
|
+ host = ri.hostname
|
||||||
|
|
||||||
|
try:
|
||||||
|
_netrc = netrc(netrc_path).authenticators(host)
|
||||||
|
--
|
||||||
|
2.50.1
|
||||||
|
|
||||||
@ -10,7 +10,7 @@
|
|||||||
|
|
||||||
Name: python-requests
|
Name: python-requests
|
||||||
Version: 2.20.0
|
Version: 2.20.0
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Summary: HTTP library, written in Python, for human beings
|
Summary: HTTP library, written in Python, for human beings
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
@ -61,6 +61,12 @@ Patch7: CVE-2023-32681.patch
|
|||||||
# The issue it tries to solve: https://github.com/psf/requests/issues/6726
|
# The issue it tries to solve: https://github.com/psf/requests/issues/6726
|
||||||
Patch8: CVE-2024-35195.patch
|
Patch8: CVE-2024-35195.patch
|
||||||
|
|
||||||
|
# Security fix for CVE-2024-47081
|
||||||
|
# Requests vulnerable to .netrc credentials leak via malicious URLs.
|
||||||
|
# Fix backported from upstream:
|
||||||
|
# https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
|
||||||
|
Patch9: CVE-2024-47081.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -123,6 +129,10 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} %{__python3} -m pytest -v
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 25 2025 Lumír Balhar <lbalhar@redhat.com> - 2.20.0-6
|
||||||
|
- Security fix for CVE-2024-47081
|
||||||
|
Resolves: RHEL-102420
|
||||||
|
|
||||||
* Tue Dec 17 2024 Lumír Balhar <lbalhar@redhat.com> - 2.20.0-5
|
* Tue Dec 17 2024 Lumír Balhar <lbalhar@redhat.com> - 2.20.0-5
|
||||||
- Security fix for CVE-2024-35195
|
- Security fix for CVE-2024-35195
|
||||||
Resolves: RHEL-37605
|
Resolves: RHEL-37605
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user