From 293038c8cb877a16f2d49a3ca9969b9a9352046e Mon Sep 17 00:00:00 2001
From: Lumir Balhar
Date: Thu, 12 Oct 2023 13:33:26 +0200
Subject: [PATCH] Security fix for CVE-2023-43804

Resolves: RHEL-12001
---
 CVE-2023-43804.patch | 53 ++++++++++++++++++++++++++++++++++++++++++++
 python-urllib3.spec | 16 ++++++++++++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-43804.patch

diff --git a/CVE-2023-43804.patch b/CVE-2023-43804.patch
new file mode 100644
index 0000000..e685755
--- /dev/null
+++ b/CVE-2023-43804.patch
@@ -0,0 +1,53 @@
+From 5fe72b64a10e9cb5c5e2b9de46401b6c7bb226e9 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Thu, 12 Oct 2023 14:27:36 +0200
+Subject: [PATCH] CVE-2023-43804
+
+---
+ src/urllib3/util/retry.py | 2 +-
+ test/test_retry.py | 2 +-
+ test/test_retry_deprecated.py | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 180e82b..63c02ee 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -217,7 +217,7 @@ class Retry(object):
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+ #: Maximum backoff time.
+ BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index 3e71efe..e9270bb 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -293,7 +293,7 @@ class TestRetry(object):
+ def test_retry_default_remove_headers_on_redirect(self):
+ retry = Retry()
+ 
+- assert list(retry.remove_headers_on_redirect) == ["authorization"]
++ assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ 
+ def test_retry_set_remove_headers_on_redirect(self):
+ retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
+index eafecc4..d18f94c 100644
+--- a/test/test_retry_deprecated.py
++++ b/test/test_retry_deprecated.py
+@@ -295,7 +295,7 @@ class TestRetry(object):
+ def test_retry_default_remove_headers_on_redirect(self):
+ retry = Retry()
+ 
+- assert list(retry.remove_headers_on_redirect) == ["authorization"]
++ assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ 
+ def test_retry_set_remove_headers_on_redirect(self):
+ retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+-- 
+2.41.0
+ 
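Review bot: The backported change to `src/urllib3/util/retry.py` only widens `DEFAULT_REMOVE_HEADERS_ON_REDIRECT`, so any caller that already constructs `Retry(remove_headers_on_redirect=[...])` with its own list keeps that list and still forwards `Cookie` across a cross-host redirect; that limitation is inherent to the upstream fix but deserves an explicit sentence in the changelog so integrators know to add `Cookie` themselves. The two test edits pin only the new default set; the upstream commit's dummyserver test that a `Cookie` header is actually dropped when the redirect target host changes is not backported, as the spec comment acknowledges, so end-to-end coverage of the stripping path in this build is limited to what 1.26.5's existing tests provide. The assertions compare against lowercase names (`{"authorization", "cookie"}`), which presumably relies on `Retry` normalizing the configured header names — that normalization is outside this hunk and worth confirming in the 1.26.5 source before relying on the test as evidence.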
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 8e0e11d..fac5f50 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -6,7 +6,7 @@
 Name: python-%{srcname}
 Version: 1.26.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Python HTTP library with thread-safe connection pooling and file post
 License: MIT
@@ -16,6 +16,16 @@ Source0: %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz
 Source1: ssl_match_hostname_py3.py
 BuildArch: noarch
+# CVE-2023-43804
+# Added the `Cookie` header to the list of headers to strip from
+# requests when redirecting to a different host. As before, different headers
+# can be set via `Retry.remove_headers_on_redirect`.
+# Tests backported only partially as we don't use the whole part of
+# testing with dummyserver.
+# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2242493
+# Upstream fix: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
+Patch1: CVE-2023-43804.patch
+
 %description
 Python HTTP module with connection pooling and file POST abilities.
@@ -118,6 +128,10 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
 %changelog
+* Thu Oct 12 2023 Lumír Balhar - 1.26.5-4
+- Security fix for CVE-2023-43804
+Resolves: RHEL-12001
+
 * Tue Feb 08 2022 Tomáš Hrnčiar - 1.26.5-3
 - Add automatically generated Obsoletes tag with the python39- prefix for smoother upgrade from RHEL8
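Review bot: `Patch1: CVE-2023-43804.patch` is declared in the second hunk, but no `%prep` change appears anywhere in this diff, so the fix is only built in if `%prep` already applies patches automatically (`%autosetup` or `%autopatch`, with `-p1` since the patch uses `a/`/`b/` paths); with a plain `%setup` a `%patch1 -p1` line is required, and without it the package would be released as 1.26.5-4 "fixed" while still shipping the vulnerable default. The `%prep` section is outside the hunks shown, so this should be verified against the full spec before the build is tagged. The comment block above `Patch1:` is a good model; one line worth adding is that the patch also rewrites `test/test_retry.py` and `test/test_retry_deprecated.py`, so an enabled `%check` will exercise the new default, e.g. `# Also updates test_retry*.py so %check covers the new default`.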