Security fix for CVE-2023-43804

Resolves: RHEL-11993
This commit is contained in:
Lumir Balhar 2023-10-12 13:33:26 +02:00
parent 8e30851577
commit 5d5dbe09cd
2 changed files with 54 additions and 1 deletions

39
CVE-2023-43804.patch Normal file
View File

@ -0,0 +1,39 @@
From 24603488c43a7cbaffcff7e69a72ad9bb4604acf Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 12 Oct 2023 14:08:31 +0200
Subject: [PATCH] CVE-2023-43804
---
src/urllib3/util/retry.py | 2 +-
test/test_retry.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
index 02429ee..c4a687c 100644
--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -151,7 +151,7 @@ class Retry(object):
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
+ DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization'])
#: Maximum backoff time.
BACKOFF_MAX = 120
diff --git a/test/test_retry.py b/test/test_retry.py
index 7546c43..b6d52bf 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -253,7 +253,7 @@ class TestRetry(object):
def test_retry_default_remove_headers_on_redirect(self):
retry = Retry()
- assert list(retry.remove_headers_on_redirect) == ['authorization']
+ assert retry.remove_headers_on_redirect == {'authorization', 'cookie'}
def test_retry_set_remove_headers_on_redirect(self):
retry = Retry(remove_headers_on_redirect=['x-api-secret'])
--
2.41.0

View File

@ -4,7 +4,7 @@
Name: python-%{srcname}
Version: 1.24.2
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Python HTTP library with thread-safe connection pooling and file post
License: MIT
@ -29,6 +29,15 @@ Patch1: CVE-2019-11236.patch
# Resolved upstream: https://github.com/urllib3/urllib3/pull/1800
Patch2: CVE-2020-26137.patch
# CVE-2023-43804
# Added the `Cookie` header to the list of headers to strip from
# requests when redirecting to a different host. As before, different headers
# can be set via `Retry.remove_headers_on_redirect`.
# Tests backported only partially as we don't use the whole part of
# testing with dummyserver.
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2242493
# Upstream fix: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
Patch3: CVE-2023-43804.patch
%description
Python HTTP module with connection pooling and file POST abilities.
@ -84,6 +93,7 @@ Python3 HTTP module with connection pooling and file POST abilities.
%patch1 -p1
%patch2 -p1
%patch3 -p1
# Drop the dummyserver tests in koji.
# These require tornado, a Web framework otherwise unused in the distro.
@ -188,6 +198,10 @@ py.test-3
%changelog
* Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-4
- Security fix for CVE-2023-43804
Resolves: RHEL-11993
* Thu Nov 12 2020 Tomas Orsava <torsava@redhat.com> - 1.24.2-3
- Update RECENT_DATE dynamically
Related: rhbz#1883890 rhbz#1761380