Security fix for CVE-2023-43804
Resolves: RHEL-11993
							parent
							
								
									8e30851577
								
							
						
					
					
						commit
						5d5dbe09cd
					
				
							
								
								
									
										39
									
								
								CVE-2023-43804.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										39
									
								
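--- /dev/null
+++ b/CVE-2023-43804.patch
@@ -0,0 +1,39 @@
+From 24603488c43a7cbaffcff7e69a72ad9bb4604acf Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 12 Oct 2023 14:08:31 +0200
+Subject: [PATCH] CVE-2023-43804
+
+---
+ src/urllib3/util/retry.py | 2 +-
+ test/test_retry.py        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 02429ee..c4a687c 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -151,7 +151,7 @@ class Retry(object):
+ 
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+-    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
++    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization'])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index 7546c43..b6d52bf 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -253,7 +253,7 @@ class TestRetry(object):
+ 
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert list(retry.remove_headers_on_redirect) == ['authorization']
++        assert retry.remove_headers_on_redirect == {'authorization', 'cookie'}
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=['x-api-secret'])
+-- 
+2.41.0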
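Review bot: The embedded patch's commit message has an empty body after `Subject: [PATCH] CVE-2023-43804`, so the only explanation of what the change does and where it came from lives in the spec comment rather than in the patch file that future rebases will carry; a one-line body such as `Also strip the Cookie header when a redirect leaves the original host (backport of upstream 01220354d389cd05474713f8c982d05c9b17aafb).` would keep that context with the patch. The retry.py hunk only widens the default frozenset, so whether a Cookie header is actually dropped still depends on the cross-host check in the redirect path of the pool manager, which is outside this patch, and the new test pins the default set rather than an actual redirect; the spec comment acknowledges that the server-based upstream tests were not carried over, so that end-to-end behavior is unverified by this backport's test suite. Comparing the frozenset against a plain set literal is fine in Python, and the lowercase entries match the case-insensitive matching the old assertion already relied on. Later upstream releases also add `Proxy-Authorization` to this default list; that is a separate hardening and should be tracked on its own rather than folded into this CVE backport.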
| @ -4,7 +4,7 @@ | ||||
| 
 | ||||
| Name:           python-%{srcname} | ||||
| Version:        1.24.2 | ||||
| Release:        3%{?dist} | ||||
| Release:        4%{?dist} | ||||
| Summary:        Python HTTP library with thread-safe connection pooling and file post | ||||
| 
 | ||||
| License:        MIT | ||||
| @ -29,6 +29,15 @@ Patch1:         CVE-2019-11236.patch | ||||
| # Resolved upstream: https://github.com/urllib3/urllib3/pull/1800 | ||||
| Patch2: CVE-2020-26137.patch | ||||
| 
 | ||||
| # CVE-2023-43804 | ||||
| # Added the `Cookie` header to the list of headers to strip from | ||||
| # requests when redirecting to a different host. As before, different headers | ||||
| # can be set via `Retry.remove_headers_on_redirect`. | ||||
| # Tests backported only partially as we don't use the whole part of | ||||
| # testing with dummyserver. | ||||
| # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2242493 | ||||
| # Upstream fix: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb | ||||
| Patch3: CVE-2023-43804.patch | ||||
| 
 | ||||
| %description | ||||
| Python HTTP module with connection pooling and file POST abilities. | ||||
| @ -84,6 +93,7 @@ Python3 HTTP module with connection pooling and file POST abilities. | ||||
| 
 | ||||
| %patch1 -p1 | ||||
| %patch2 -p1 | ||||
| %patch3 -p1 | ||||
| 
 | ||||
| # Drop the dummyserver tests in koji. | ||||
| # These require tornado, a Web framework otherwise unused in the distro. | ||||
| @ -188,6 +198,10 @@ py.test-3 | ||||
| 
 | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-4 | ||||
| - Security fix for CVE-2023-43804 | ||||
| Resolves: RHEL-11993 | ||||
| 
 | ||||
| * Thu Nov 12 2020 Tomas Orsava <torsava@redhat.com> - 1.24.2-3 | ||||
| - Update RECENT_DATE dynamically | ||||
| Related: rhbz#1883890 rhbz#1761380 | ||||
|  | ||||