import UBI python-urllib3-1.26.5-5.el9_4.1
This commit is contained in:
parent
695dc8a6f0
commit
1b43723584
38
SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch
Normal file
38
SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 Mon Sep 17 00:00:00 2001
|
||||
From: Hasan Ramezani <hasan.r67@gmail.com>
|
||||
Date: Thu, 20 Jan 2022 15:56:02 +0100
|
||||
Subject: [PATCH] [1.26] Add server_hostname to SSL_KEYWORDS
|
||||
|
||||
---
|
||||
src/urllib3/poolmanager.py | 1 +
|
||||
test/with_dummyserver/test_poolmanager.py | 5 +++++
|
||||
2 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
|
||||
index 3a31a285bf..ca4ec34118 100644
|
||||
--- a/src/urllib3/poolmanager.py
|
||||
+++ b/src/urllib3/poolmanager.py
|
||||
@@ -34,6 +34,7 @@
|
||||
"ca_cert_dir",
|
||||
"ssl_context",
|
||||
"key_password",
|
||||
+ "server_hostname",
|
||||
)
|
||||
|
||||
# All known keyword arguments that could be provided to the pool manager, its
|
||||
diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
|
||||
index d877cc99ac..fa07a372a9 100644
|
||||
--- a/test/with_dummyserver/test_poolmanager.py
|
||||
+++ b/test/with_dummyserver/test_poolmanager.py
|
||||
@@ -346,6 +346,11 @@ def test_http_with_ssl_keywords(self):
|
||||
r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
|
||||
assert r.status == 200
|
||||
|
||||
+ def test_http_with_server_hostname(self):
|
||||
+ with PoolManager(server_hostname="example.com") as http:
|
||||
+ r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
|
||||
+ assert r.status == 200
|
||||
+
|
||||
def test_http_with_ca_cert_dir(self):
|
||||
with PoolManager(ca_certs="REQUIRED", ca_cert_dir="/nosuchdir") as http:
|
||||
r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
|
66
SOURCES/CVE-2024-37891.patch
Normal file
66
SOURCES/CVE-2024-37891.patch
Normal file
@ -0,0 +1,66 @@
|
||||
From 3606f6166c000213f1e1e9bace3c12f924dd0132 Mon Sep 17 00:00:00 2001
|
||||
From: Quentin Pradet <quentin.pradet@gmail.com>
|
||||
Date: Wed, 26 Jun 2024 15:56:34 +0200
|
||||
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
|
||||
|
||||
* [1.26] Strip Proxy-Authorization header on redirects
|
||||
|
||||
* Set release date
|
||||
---
|
||||
src/urllib3/util/retry.py | 4 +++-
|
||||
test/test_retry.py | 6 +++++-
|
||||
test/test_retry_deprecated.py | 6 +++++-
|
||||
3 files changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
|
||||
index 63c02ee..42fa619 100644
|
||||
--- a/src/urllib3/util/retry.py
|
||||
+++ b/src/urllib3/util/retry.py
|
||||
@@ -217,7 +217,9 @@ class Retry(object):
|
||||
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
|
||||
|
||||
#: Default headers to be used for ``remove_headers_on_redirect``
|
||||
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
|
||||
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
|
||||
+ ["Cookie", "Authorization", "Proxy-Authorization"]
|
||||
+ )
|
||||
|
||||
#: Maximum backoff time.
|
||||
BACKOFF_MAX = 120
|
||||
diff --git a/test/test_retry.py b/test/test_retry.py
|
||||
index e9270bb..cf60bf1 100644
|
||||
--- a/test/test_retry.py
|
||||
+++ b/test/test_retry.py
|
||||
@@ -293,7 +293,11 @@ class TestRetry(object):
|
||||
def test_retry_default_remove_headers_on_redirect(self):
|
||||
retry = Retry()
|
||||
|
||||
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
|
||||
+ assert retry.remove_headers_on_redirect == {
|
||||
+ "authorization",
|
||||
+ "proxy-authorization",
|
||||
+ "cookie",
|
||||
+ }
|
||||
|
||||
def test_retry_set_remove_headers_on_redirect(self):
|
||||
retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
|
||||
diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
|
||||
index d18f94c..a107f7b 100644
|
||||
--- a/test/test_retry_deprecated.py
|
||||
+++ b/test/test_retry_deprecated.py
|
||||
@@ -295,7 +295,11 @@ class TestRetry(object):
|
||||
def test_retry_default_remove_headers_on_redirect(self):
|
||||
retry = Retry()
|
||||
|
||||
- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
|
||||
+ assert retry.remove_headers_on_redirect == {
|
||||
+ "authorization",
|
||||
+ "proxy-authorization",
|
||||
+ "cookie",
|
||||
+ }
|
||||
|
||||
def test_retry_set_remove_headers_on_redirect(self):
|
||||
retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
|
||||
--
|
||||
2.44.0
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
Name: python-%{srcname}
|
||||
Version: 1.26.5
|
||||
Release: 5%{?dist}
|
||||
Release: 5%{?dist}.1
|
||||
Summary: Python HTTP library with thread-safe connection pooling and file post
|
||||
|
||||
License: MIT
|
||||
@ -32,6 +32,17 @@ Patch1: CVE-2023-43804.patch
|
||||
# Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
|
||||
Patch2: CVE-2023-45803.patch
|
||||
|
||||
# PoolManager.urlopen fails with TypeError for http connection if the PoolManager is instantiated with server_hostname
|
||||
# Tracking bug: https://issues.redhat.com/browse/RHEL-39285
|
||||
# Upstream fix: https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5
|
||||
Patch3: Add-server_hostname-to-SSL_KEYWORDS.patch
|
||||
|
||||
# CVE-2024-37891
|
||||
# Proxy-authorization request header is not stripped during cross-origin redirects.
|
||||
# Tracking bug: https://issues.redhat.com/browse/RHEL-43172
|
||||
# Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
|
||||
Patch4: CVE-2024-37891.patch
|
||||
|
||||
%description
|
||||
Python HTTP module with connection pooling and file POST abilities.
|
||||
|
||||
@ -134,6 +145,12 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jun 18 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-5.1
|
||||
- Security fix for CVE-2024-37891
|
||||
- Backport upstream patch to fix TypeError for http connection if the PoolManager
|
||||
- is instantiated with server_hostname
|
||||
Resolves: RHEL-49853
|
||||
|
||||
* Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-5
|
||||
- Security fix for CVE-2023-45803
|
||||
Resolves: RHEL-16874
|
||||
|
Loading…
Reference in New Issue
Block a user