Security fix for CVE-2026-44431

Resolves: RHEL-184858
2026-06-03 11:40:20 +02:00 · 2026-06-03 11:40:20 +02:00 · 2c409f6e58
commit 2c409f6e58
parent 6c03591bd3
2 changed files with 51 additions and 1 deletions
--- a/CVE-2026-44431.patch
+++ b/CVE-2026-44431.patch
@ -0,0 +1,39 @@
+From 5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc Mon Sep 17 00:00:00 2001
+From: illia-v <illia-v@users.noreply.github.com>
+Subject: [PATCH] CVE-2026-44431: Remove sensitive headers in proxy pools too
+
+Sensitive headers (Authorization, Cookie, Proxy-Authorization) were
+already stripped when PoolManager handled cross-host redirects, but not
+when a pool obtained via ProxyManager.connection_from_url() handled
+redirects directly through connectionpool.urlopen(). This adds the same
+header-stripping logic to connectionpool.py.
+
+Upstream fix: https://github.com/urllib3/urllib3/commit/5ec0de49
+---
+ src/urllib3/connectionpool.py | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index 5f66cd25..2b3a7f1c 100644
+--- a/src/urllib3/connectionpool.py
+++ b/src/urllib3/connectionpool.py
+@@ -690,6 +690,17 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+                 body = None
+                 headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+
+            # Strip headers marked as unsafe to forward to the redirected location.
+            # Check remove_headers_on_redirect to avoid a potential network call within
+            # self.is_same_host() which may use socket.gethostbyname() in the future.
+            if (retries.remove_headers_on_redirect
+                    and not self.is_same_host(redirect_location)):
+                if not isinstance(headers, HTTPHeaderDict):
+                    headers = HTTPHeaderDict(headers or {})
+                for header in list(six.iterkeys(headers)):
+                    if header.lower() in retries.remove_headers_on_redirect:
+                        headers.pop(header, None)
+
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+             except MaxRetryError:
+--
+2.52.0
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@ -2,7 +2,7 @@

 Name:           python-%{srcname}
 Version:        1.24.2
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        Python HTTP library with thread-safe connection pooling and file post

 License:        MIT
@ -59,6 +59,13 @@ Patch7: CVE-2025-66471.patch
 Patch8: CVE-2025-66418.patch
 Patch9: CVE-2026-21441.patch

+# CVE-2026-44431
+# Sensitive headers were stripped on cross-host redirects by PoolManager but not
+# by pools obtained via ProxyManager.connection_from_url(), allowing headers such
+# as Authorization, Cookie and Proxy-Authorization to leak to the redirected host.
+# Upstream fix: https://github.com/urllib3/urllib3/commit/5ec0de49
+Patch10: CVE-2026-44431.patch
+
 %description
 Python HTTP module with connection pooling and file POST abilities.

@ -159,6 +166,10 @@ popd


 %changelog
+* Wed Jun 03 2026 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-10
+- Security fix for CVE-2026-44431
+Resolves: RHEL-184858
+
 * Wed Dec 17 2025 Miro Hrončok <mhroncok@redhat.com> - 1.24.2-9
 - Security fix for CVE-2025-66471
 - Security fix for CVE-2025-66418